Finding an S3 bucket name and directory prefix
An Amazon administrator must create a user and then apply the AmazonS3ReadOnlyAccess policy in the AWS Management Console. The QRadar® user can then create a log source in QRadar.
Note: Alternatively, you can assign more granular permissions to the bucket. The minimum required permissions are s3:ListBucket and s3:GetObject.
For more information about permissions that are related to bucket operations, go to the AWS documentation website (https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets).
- Click Services.
- From the list, select CloudTrail.
- From the Trails page, click the name of the trail.
- Note the name of the S3 bucket that is displayed in the S3 bucket field.
- Click the Edit icon.
- Note the location path for the S3 bucket that is displayed underneath the Log file prefix field.
Create an Amazon AWS Identity and Access Management (IAM) user and then apply the AmazonS3ReadOnlyAccess policy
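The granular alternative to AmazonS3ReadOnlyAccess described in the note can be scoped to the bucket name and log file prefix found in the steps above. The following Python is an added example, not IBM or AWS code: `build_read_policy` is a hypothetical helper, the bucket and prefix values are constructed placeholders, and it assumes the standard `aws` partition and a client that lists objects at or under the noted prefix.

```python
import json
import re

# Constructed placeholder values; substitute the bucket name and log file
# prefix noted from the CloudTrail trail page.
EXAMPLE_BUCKET = "example-cloudtrail-bucket"
EXAMPLE_PREFIX = "/example-prefix/AWSLogs"

# Character/length rule for general-purpose bucket names (3-63 chars,
# lowercase letters, digits, dots, hyphens, alphanumeric at both ends).
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def build_read_policy(bucket, prefix=""):
    """Return an IAM policy dict (hypothetical helper, not a QRadar or AWS API)
    allowing only s3:ListBucket and s3:GetObject on one bucket and prefix."""
    if not _BUCKET_RE.match(bucket):
        raise ValueError(f"not a valid bucket name: {bucket!r}")
    if "*" in prefix or "?" in prefix:
        # Wildcards would widen the Resource and Condition patterns below.
        raise ValueError("prefix must not contain * or ?")
    prefix = prefix.strip("/")
    key_pattern = f"{prefix}/*" if prefix else "*"

    list_stmt = {
        "Sid": "ListLogPrefixOnly",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        # ListBucket is a bucket-level action, so the resource is the bucket ARN.
        "Resource": f"arn:aws:s3:::{bucket}",
    }
    if prefix:
        # Restrict listing to keys under the noted prefix.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix, key_pattern]}}
    get_stmt = {
        "Sid": "ReadLogObjectsOnly",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        # GetObject is an object-level action, so the resource is an object ARN.
        "Resource": f"arn:aws:s3:::{bucket}/{key_pattern}",
    }
    return {"Version": "2012-10-17", "Statement": [list_stmt, get_stmt]}


if __name__ == "__main__":
    print(json.dumps(build_read_policy(EXAMPLE_BUCKET, EXAMPLE_PREFIX), indent=2))
```

The printed JSON can be attached to the IAM user as an inline or customer managed policy in place of AmazonS3ReadOnlyAccess, which grants read access to every bucket in the account.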