> ## Documentation Index
> Fetch the complete documentation index at: https://docs.iru.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Amazon S3 Activity Log Integration

> Configure the Amazon S3 integration in Iru Endpoint to export unified tenant activity logs, including Endpoint, Detections, and Compliance events.

### About the Amazon S3 Activity Log Integration

Amazon S3 Activity Log Integration in Iru Endpoint enables organizations to export unified tenant activity logs to a self-hosted S3 bucket for centralized collection and analysis with SIEM services.

### How It Works

This integration pushes event data to your specified S3 bucket using cross-account access via an Iru Endpoint-provided IAM role.

Once configured, it delivers the same tenant activity events you review on [Unified Activity](/en/iru/platform-overview/unified-activity). That includes activity across **Tenant** (System), **Endpoint**, **Detections**, **Vulnerabilities**, and **Compliance**. Use Unified Activity to browse and filter what was recorded; use your S3 bucket for long-term storage, SIEM ingestion, or offline analysis.

For event field definitions and API details, refer to the activity log [API documentation](https://api-docs.kandji.io/#06022d9d-426b-4aea-826a-d7f084e4f1e3).

<Note>
  The first log collection after the Integration is connected only includes the previous hour of activity. Subsequent activity log collection will occur hourly.
</Note>

### Prerequisites

Before configuring this integration, ensure the following:

* You have an active AWS account.
* You have permissions to create a new S3 bucket.
* You have permissions to create an IAM Role with AssumeRole and S3 write permissions.

### Setting Up AWS Access

#### Iru Endpoint Integration Setup

<Steps>
  <Step title="Open Integrations">
    Click your name at the bottom of the left navigation, then select **Integrations**.

    <Frame>
      <img src="https://mintcdn.com/iru/8BYPjuKZa-zyEEf_/assets/media/images/iru-nav-integrations.png?fit=max&auto=format&n=8BYPjuKZa-zyEEf_&q=85&s=e89fa7e9b81ac504a6f519608e10b8a3" alt="Screenshot of the account menu with Integrations option highlighted" width="562" height="1040" data-path="assets/media/images/iru-nav-integrations.png" />
    </Frame>
  </Step>

  <Step title="Discover Integrations">
    Click **Discover integrations** in the upper-right of the Integrations page.
  </Step>

  <Step title="Add S3 Integration">
    Under Security integrations, click **Add and configure** under Amazon S3 Activity Log Integration.
  </Step>

  <Step title="Copy IAM Role">
    Copy the value for **IRU\_ENDPOINT\_IAM\_ROLE** and store the value in a secure location.
  </Step>

  <Step title="Copy AWS Account ID">
    Copy the value for **IRU\_ENDPOINT\_AWS\_ACCOUNT\_ID** and store the value in a secure location.
  </Step>

  <Step title="Store Values Securely">
    These values will be used as part of your IAM role permissions in the next section.
  </Step>
</Steps>

#### Creating S3 Bucket

<Note>
  You must create a new S3 Bucket to use the Amazon S3 Activity Log Integration.
</Note>

<Steps>
  <Step title="Access AWS Console">
    Log in to AWS.
  </Step>

  <Step title="Navigate to S3">
    Navigate to Amazon S3 > Buckets.
  </Step>

  <Step title="Create Bucket">
    Click **Create bucket**.
  </Step>

  <Step title="Select Bucket Type">
    Choose the **General purpose** bucket type.
  </Step>

  <Step title="Enter Bucket Name">
    Enter a memorable **Bucket name**.

    * This name will be referenced in policies.
  </Step>

  <Step title="Configure Public Access">
    Under **Block Public Access settings for this bucket**, ensure that the **Block all public access** option is selected.
  </Step>

  <Step title="Set Versioning">
    Under **Bucket Versioning**, keep the **Disable** option selected.
  </Step>

  <Step title="Configure Encryption">
    Under **Encryption type**, select **Server side encryption with Amazon S3 managed Keys (SSE-S3)**.
  </Step>

  <Step title="Enable Bucket Key">
    Under **Bucket Key**, select **Enabled**.
  </Step>

  <Step title="Review Configuration">
    Iru Endpoint currently only supports the default encryption options defined above.
  </Step>

  <Step title="Create Bucket">
    Click **Create bucket**.
  </Step>

  <Step title="Select Created Bucket">
    Select the bucket you just created.
  </Step>

  <Step title="Access Permissions">
    Click the **Permissions** tab.
  </Step>

  <Step title="Edit Bucket Policy">
    Under **Bucket policy**, click **Edit**.
  </Step>

  <Step title="Add Bucket Policy">
    Add the following bucket policy to the role permissions. Click **Save changes**.

    <Steps>
      <Step title="Replace bucket name references">
        Replace all reference to **BUCKET\_NAME** with the name of the bucket you just created.
      </Step>
    </Steps>

    ```
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSSLRequestsOnly",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                  "arn:aws:s3:::BUCKET_NAME/*",
                  "arn:aws:s3:::BUCKET_NAME"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    }
    ```
  </Step>
</Steps>

<Steps>
  <Step title="Navigate to IAM">
    In AWS, navigate to **IAM > Roles**.
  </Step>

  <Step title="Create New Role">
    Click **Create role**.
  </Step>

  <Step title="Select Trust Policy">
    Select **Custom trust policy**.
  </Step>

  <Step title="Add Custom Trust Policy">
    Add the **Custom trust policy** below to allow Iru Endpoint to assume this role when writing to your S3 bucket.

    * Replace the **IRU\_ENDPOINT\_AWS\_ACCOUNT\_ID** and **IRU\_ENDPOINT\_IAM\_ROLE** text with the values you made a note of at the beginning of the article.

      ```
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::IRU_ENDPOINT_AWS_ACCOUNT_ID:role/IRU_ENDPOINT_IAM_ROLE"
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
      }
      ```
  </Step>

  <Step title="Continue Role Creation">
    Click **Next**.
  </Step>

  <Step title="Skip Permissions">
    On the **Add permissions screen**, select Next without selecting any of the listed **Permissions policies**.
  </Step>

  <Step title="Add Role Details">
    Add a **Role name** and **Description**.
  </Step>

  <Step title="Complete Role Creation">
    Click **Create role**.
  </Step>

  <Step title="Select Created Role">
    Select the **IAM Role** you just created.
  </Step>

  <Step title="Access Permissions Tab">
    Click on the **Permissions** tab.
  </Step>

  <Step title="Add Permissions">
    Click **Add permissions**.
  </Step>

  <Step title="Create Inline Policy">
    Click **Create inline policy**.
  </Step>

  <Step title="Switch to JSON">
    Click the **JSON** tab.
  </Step>

  <Step title="Enter Inline Policy">
    Enter the following for the inline policy:

    <Steps>
      <Step title="Replace bucket name">
        Replace BUCKET\_NAME - replace this with the name of the bucket you created that Iru Endpoint will place the activity log files in.
      </Step>
    </Steps>

    ```
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "s3:ListBucket",
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::BUCKET_NAME"
            },
            {
                "Action": "s3:*",
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::BUCKET_NAME/*"
            }
        ]
    }
    ```
  </Step>

  <Step title="Continue Policy Creation">
    Click **Next**.
  </Step>

  <Step title="Name Policy">
    Enter a **Policy name**.
  </Step>

  <Step title="Create Policy">
    Click **Create policy**.
  </Step>
</Steps>

### Setting Up the Integration in Iru Endpoint

Once the above is configured in your AWS account, you can proceed to setting up the integration in your Iru Endpoint account.

<Steps>
  <Step title="Open Integrations">
    Click your name at the bottom of the left navigation, then select **Integrations**.

    <Frame>
      <img src="https://mintcdn.com/iru/8BYPjuKZa-zyEEf_/assets/media/images/iru-nav-integrations.png?fit=max&auto=format&n=8BYPjuKZa-zyEEf_&q=85&s=e89fa7e9b81ac504a6f519608e10b8a3" alt="Screenshot of the account menu with Integrations option highlighted" width="562" height="1040" data-path="assets/media/images/iru-nav-integrations.png" />
    </Frame>
  </Step>

  <Step title="Discover Integrations">
    Click **Discover integrations** in the upper-right of the Integrations page.
  </Step>

  <Step title="Add S3 Integration">
    Under Security integrations, click **Add and configure** under Amazon S3 Activity Log Integration.
  </Step>

  <Step title="Continue Setup">
    Click **Next**.
  </Step>

  <Step title="Enter AWS Account ID">
    Enter the **AWS Account ID**.
  </Step>

  <Step title="Enter S3 Bucket Name">
    Enter the **S3 Bucket Name** for the bucket that was created earlier in this guide.
  </Step>

  <Step title="Set Destination Path">
    Optionally, enter a **Destination Path**.
  </Step>

  <Step title="Enter IAM Role ARN">
    Enter the **IAM Role ARN** for the IAM Role that was created earlier in this guide.
  </Step>

  <Step title="Enter AWS Region">
    Enter the **AWS Region**.
  </Step>

  <Step title="Connect to S3">
    Click **Connect to S3**.
  </Step>

  <Step title="Verify Connection">
    Iru Endpoint will attempt to upload and delete a test file in the provided S3 bucket. If Iru Endpoint is unable to successfully integrate to your S3 bucket, you will not be able to save and will need to follow the error messages surfaced in the UI to fix the connection.
  </Step>

  <Step title="Verify Event Data">
    Check your S3 bucket to confirm that Iru Endpoint is pushing activity log data. This will take a maximum of two hours, provided that tenant activity events have been generated on your account.
  </Step>
</Steps>

## Considerations

**Activity Log Frequency**: Activity log events are updated hourly, with the first collection including only the previous hour of activity. Exported events match [Unified Activity](/en/iru/platform-overview/unified-activity) scope (all supported Tenant, Endpoint, Detections, Vulnerabilities, and Compliance activity types).

**IAM Role Permissions**: The IAM role must have the necessary permissions to allow Iru Endpoint to assume that role and write to the S3 bucket.

**S3 Bucket Policy**: You may need to adjust the S3 Bucket policy to allow Iru Endpoint to write objects to the bucket.

**Security Requirements**: Ensure the S3 bucket has proper encryption enabled and public access is blocked for security compliance.

**Data Retention**: Consider implementing S3 lifecycle policies to manage log data retention and storage costs.

**Monitoring**: Set up CloudWatch alarms to monitor S3 bucket access and activity log delivery.

### Related Articles

<CardGroup cols={2}>
  <Card title="Unified Activity" icon="timeline" href="/en/iru/platform-overview/unified-activity">
    Browse, search, and filter the same tenant activity events in the Iru web app before or after they export to S3.
  </Card>

  <Card title="Activity Page" icon="timeline" href="/en/endpoint/devices/activity-page">
    Current Endpoint activity timeline, available alongside Unified Activity while it is in Preview.
  </Card>
</CardGroup>
