# AWS S3

### Overview

Keeper supports event streaming into an Amazon S3. Setup instructions are below.

### S3 Configuration

**(1)** In AWS, create an S3 bucket and of course ensure that all permissions are locked down.

![](/files/-MkEq6BUIXR2AOYFNpJZ)

**(2)** Create a user account without console access and assign a basic role policy which can only put files within the bucket.  Example below.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::name_of_bucket/*"
            ]
        }
    ]
}
```

**(3)** Generate Access Key and Secret Key, provide those to the Admin Console user interface along with the Bucket Name.  You can select different time intervals for the file uploads. You can also select the file format which includes:

* JSON
* Syslog
* CSV

<figure><img src="/files/rGzIEpcUsgWIkE9LmvhL" alt=""><figcaption><p>Amazon S3 Integration Settings</p></figcaption></figure>

{% hint style="info" %}
For the Bucket Name, **provide a full ARN** that includes the region. For example:\
\
`arn:aws:s3:us-west-2::my-keeper-events`
{% endhint %}

Files will be posted only when events occur during the interval. In the example below, the json files are posted every hour when there is activity in the system.

![](/files/-MkElag9T6UQmrlmonyg)

{% hint style="info" %}
If you set the time frame to a "day", all events will accumulate until the day has ended (using UTC clock) and then a new file containing all day events will be added to your S3 bucket.
{% endhint %}

### Log File Examples

#### Syslog File

{% code overflow="wrap" %}

```
<165>1 2023-10-30T02:18:43.776Z keepersecurity.jp keeper - - - {"audit_event":"device_user_approval_requested","device_name":"iPhone","remote_address":"12.34.56.78","category":"security","client_version":"iPhone.16.9.4","username":"craig@keeperdemo.io","enterprise_id":50,"client_version_new":true}^M

<165>1 2023-10-30T02:19:19.587Z keepersecurity.jp keeper - - - {"audit_event":"device_approved","device_name":"iPhone","remote_address":"12.34.56.78","category":"security","client_version":"iPhone.16.9.4","username":"craig@keeperdemo.io","enterprise_id":50}^M

<165>1 2023-10-30T02:19:51.774Z keepersecurity.jp keeper - - - {"audit_event":"login","channel":"PASS","remote_address":"12.34.56.78","category":"login","client_version":"iPhone.16.9.4","username":"craig@keeperdemo.io","enterprise_id":50}^M
```

{% endcode %}

#### JSON File

{% code overflow="wrap" %}

```
[{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:17.545Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:27.200Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:22.740Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"record_uid":"ac3QeHmeGz6Jyb7wnuHnfQ","audit_event":"open_record","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:56.634Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"record_uid":"ac3QeHmeGz6Jyb7wnuHnfQ","audit_event":"fast_fill","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:56.634Z","username":"craig@keeperdemo.io","enterprise_id":67241}]
```

{% endcode %}

#### CSV File

{% code overflow="wrap" %}

```csv
audit_event,name,remote_address,category,client_version,timestamp,username,enterprise_id
audit_sync_setup,s3,12.34.56.78,policy,EMConsole.16.15.3,1698759022585,craig@keeperdemo.io,50
role_created,,12.34.56.78,policy,EMConsole.16.15.3,1698759049640,craig@keeperdemo.io,50
role_enforcement_changed,,12.34.56.78,policy,EMConsole.16.15.3,1698759049876,craig@keeperdemo.io,50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759136968,craig@keeperdemo.io,50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759136979,craig@keeperdemo.io,50
lock_user,,12.34.56.78,security,EMConsole.16.15.3,1698759169004,craig@keeperdemo.io,50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759134936,craig@keeperdemo.io,50
```

{% endcode %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/enterprise-guide/event-reporting/aws-s3-bucket.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.