![Prelude_Wordmark_Black_Transparent.png]](https://support.preludesecurity.com/hs-fs/hubfs/Prelude_Wordmark_Black_Transparent.png?height=50&name=Prelude_Wordmark_Black_Transparent.png)
Connecting Amazon S3 (Detect)
To export Prelude Detect test data to Amazon S3, you need to create an s3 bucket, and a role that can write to that s3 bucket. For simplicity, this guide puts all the configuration in the role, but you could create the role, and use a bucket policy if you prefer. Follow these steps:
- Visit Detect Integrations: Click on S3 integration to get the IAM "trust" and "permission" policies needed to configure your AWS Account.
- Click on "View Role Trust Policy" and save to a text editor
- Click on "View Role Permission Policy" and save to a text editor
- Create an IAM Role: Follow the AWS docs on creating a role with an external trust
- Create the trust policy with the External ID and AWS Account, or copy and paste the trust policy from the Prelude UI.
- Note: The AWS account ID is environment specific (us1 or eu1), and the External ID is unique for every Prelude Account Instance
- Add the Role Permission Policy you saved earlier
- Create the trust policy with the External ID and AWS Account, or copy and paste the trust policy from the Prelude UI.
- Create a S3 bucket - choose a name for the bucket.
- AWS recommends you set Block all public access to On
- Set Bucket Policy Permission - Provided you gave the IAM role access to the bucket, you should not need a bucket policy. However, if you would like to use a bucket policy, it should be the same as the "Role Permission Policy" with a "Principle" key at the same level as "Resource"
"Principal": {
"AWS": [ "[YOUR-ROLE-ARN]" ],
}, - Integrate
- Using the Prelude UI - Click on S3 integration
- Create a name for your integration
- Paste in the s3 bucket you want to write to with the prefix s3://
- Paste in the role ARN used to access the bucket
- Using Prelude CLI - Alternative to using the Web UI you can create the integration via Prelude CLI with the following command (substitute proper bucket name)
prelude partner attach S3 --api s3://s3_bucket_name --username arn:aws:iam::123456789012:role/ExampleRole
- Using the Prelude UI - Click on S3 integration
- Successful integrations - will save a key with the current date at the location
prelude/[PreludeAccountID/detect/[us1|eu1]/authentication/[integration_date].json
- Run Tests - After running your tests, the data should be available shortly after the test results are generated.