Finding an S3 bucket name and directory prefix

Before you can add a log source in IBM® QRadar®, an Amazon administrator must create a user and then apply the AmazonS3ReadOnlyAccess policy in the AWS Management Console.

Before you begin

Alternatively, you can assign more granular permissions to the bucket. The minimum required permissions are s3:listBucket and s3:getObject.

For more information about permissions that are related to bucket operations, see the AWS documentation (https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets).

About this task

Procedure

  1. Log in to the AWS Management Console as Administrator.
  2. Click Services.
  3. From the list, select Route 53.
  4. From the Route 53 navigation menu, select Query Logging.
  5. Note the S3 bucket name in the Destination ARN field. You need this value when you configure a log source in QRadar. If a location path (directory prefix) for the S3 bucket is available, note it as well.
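
The following added example (not IBM or AWS code) splits a Destination ARN into the bucket name and directory prefix from step 5 and builds an IAM policy that grants only the two minimum permissions named under "Before you begin", scoped to that location. The function names, the Sid values and the sample ARN are hypothetical, and the s3:prefix condition assumes that the collector lists objects with the directory prefix set.

```python
import json

def split_destination_arn(arn):
    """Return (partition, bucket, prefix) from an S3 bucket ARN such as the Destination ARN."""
    parts = arn.strip().split(":", 5)
    # A bucket ARN has empty region and account fields: arn:<partition>:s3:::<bucket>/<path>
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "s3" or parts[3] or parts[4]:
        raise ValueError("not an S3 bucket ARN: %r" % arn)
    bucket, _, prefix = parts[5].partition("/")
    # Wildcards would silently widen the Resource and s3:prefix patterns below.
    if not bucket or any(c in parts[5] for c in "*?"):
        raise ValueError("unusable bucket or prefix in %r" % arn)
    return parts[1], bucket, prefix.strip("/")

def read_only_policy(arn):
    """Build a policy that allows only s3:ListBucket and s3:GetObject on the log location."""
    partition, bucket, prefix = split_destination_arn(arn)
    bucket_arn = "arn:%s:s3:::%s" % (partition, bucket)
    list_stmt = {"Sid": "ListLogPrefix", "Effect": "Allow",
                 "Action": "s3:ListBucket", "Resource": bucket_arn}
    if prefix:
        # Assumption: the collector lists with the directory prefix set.
        # Remove this condition if it lists from the bucket root.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix, prefix + "/*"]}}
    get_stmt = {"Sid": "ReadLogObjects", "Effect": "Allow", "Action": "s3:GetObject",
                "Resource": bucket_arn + "/" + (prefix + "/" if prefix else "") + "*"}
    return {"Version": "2012-10-17", "Statement": [list_stmt, get_stmt]}

if __name__ == "__main__":
    # Constructed sample value, not a real bucket.
    sample = "arn:aws:s3:::example-dns-logs/route53/queries"
    print(json.dumps(read_only_policy(sample), indent=2))
```

Attaching a policy of this shape instead of AmazonS3ReadOnlyAccess limits the QRadar user to the one log location rather than every bucket in the account.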

What to do next

Create an Amazon AWS Identity and Access Management (IAM) user in the AWS Management Console and then apply the AmazonS3ReadOnlyAccess policy.