You must use SFTP (SSH File Transfer Protocol) and a valid public key in order to retrieve data from your Amazon S3 bucket. Currently Amazon Web Services supports the following SFTP clients:
- OpenSSH (Macintosh and Linux)
- WinSCP (Microsoft Windows-only)
- Cyberduck (Windows, Macintosh, and Linux)
- FileZilla (Windows, Macintosh, and Linux)
Note that SFTP is the only way to access the S3 bucket.
Note. We should also mention that Amazon’s SFTP Transfer service is not yet available in either the Sao Paulo or the China AWS regions (although the service is expected soon). This doesn’t mean organizations in these regions aren’t eligible for SIEM Event Delivery; it just means that some extra configuration steps might be required to get the service up and running. See your Identity Cloud representative for more information.
Note, too that – because the SFTP server is running on Amazon Web Services – you cannot whitelist the IP address of individual SFTP servers. If you need to whitelist SFTP server addresses you’ll have to whitelist the entire IP range allocated to the SFTP service.
When SIEM Event Delivery is activated, you’ll get back an API response similar to the following:
The uri and the user fields are especially important: that’s the information needed to access your S3 bucket. As noted elsewhere, each organization is given a single user account (the user field), with the username composed of user_ followed by your application ID (for example, user_htb8fuhxnf8e38jrzub3c7pfrr). All users who access the S3 bucket must log on using this same username (as well as an SSH key associated with the S3 bucket).
Meanwhile, the uri field specifies the URL for your S3 bucket. In the preceding example, that URL is sftp://firstname.lastname@example.org.
The exact steps required to access your S3 bucket depend on which SFTP client you use. For example, if you use Cyberduck you’ll need to follow a procedure similar to this:
- Start Cyberduck and then click Open Connection:
- In the dropdown dialog, set the protocol to SFTP (SSH File Transfer Protocol):
- Type the URL to your Amazon S3 bucket (for example, sftp://email@example.com) in the Server field and the port number for the S3 bucket in the Port field:
- Enter your S3 bucket username (e.g., user_htb8fuhxnf8e38jrzub3c7pfrr) in the Username field. Leave thePassword field blank:
- Click SSH Private Key and then select the private key you are using for S3 access. Keep in mind that the corresponding public key must have already been associated with the S3 bucket:
- When you are finished, click Connect:
After the connection is made, your SIEM event files will appear in the Cyberduck window.
To download a file, right click the file name and then click either:
- Download (to download the file directly to your Downloads folder).
- Download As (which enables you to specify a different file name and/or download location).
- Download To (which lets you change the download location but not the file name).
To remove a file from the S3 bucket, right-click the file name and then click Delete.