Step 1: AWS Infrastructure Setup

Before Scanner can analyze logs, you must establish a secure connection to your AWS account. This creates the IAM roles, S3 buckets, and SNS/SQS resources Scanner requires.

Part A: Register Your AWS Account with Scanner

First, register your AWS account with Scanner to obtain the two values you'll need to build the cross-account trust relationship:

  1. In Scanner, navigate to Settings > AWS Accounts

  2. Click Link New Account

  3. Enter your AWS Account ID and Account Name

    • Account Name can be anything that helps you identify it (e.g., "Production AWS" or "Security Logs Account")

  4. Scanner will display:

    • Scanner's AWS Account ID

    • STS External ID

  5. Keep these values handy—you'll need them to create resources in AWS

Part B: Create Required AWS Resources

Now choose your setup method to create the infrastructure Scanner needs in your AWS account.

What Gets Created

IAM Role

  • Must be an IAM Role, not an IAM User (Scanner cannot assume IAM Users; it assumes the role through STS using the External ID from Part A, so the role's trust policy should allow only Scanner's AWS account and require that External ID)

  • Provides least-privilege access:

    1. Read access to the S3 buckets containing your log files (for indexing and detection)

    2. Read/write access to the S3 buckets where Scanner writes raw logs collected from SaaS/cloud sources

    3. Read/write access to the Scanner index bucket

S3 Bucket for Index Files

  • Dedicated bucket for Scanner's proprietary index files

  • Should be in the same AWS region as Scanner's compute instance to minimize data transfer costs

  • Configured with encryption and lifecycle rules

SNS Topic & SQS Queue

  • A new or existing SNS topic that receives s3:ObjectCreated notifications from your S3 log file buckets and forwards them to the Scanner instance

  • An SQS queue (created by Scanner) subscribed to the SNS topic; each message triggers indexing of the newly written object

  • If your S3 log files are in multiple regions, you need one SNS topic in each region, because an S3 bucket can only send event notifications to a topic in its own region
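The four resources above are tied together by a handful of policy documents. The following is an added example, not Scanner's own CloudFormation or Terraform template: the account IDs, External ID, region, bucket names and topic name are constructed placeholders to replace with the values from Part A and your own account, and the policy shapes are the standard AWS patterns (cross-account sts:AssumeRole pinned by sts:ExternalId, separate read-only and read/write S3 statements, and an SNS topic policy that only accepts publishes from your own buckets). The check_trust_policy function is a pre-flight check worth running against whatever trust policy ends up on the role, whichever setup option you choose.

```python
# Added example (not Scanner's template): builds the policy documents the Scanner
# account link needs and pre-checks the role's trust policy. Account IDs, the
# external ID, region, bucket and topic names are constructed placeholders;
# substitute the values from Settings > AWS Accounts and your own account.
import json
import re

SCANNER_ACCOUNT_ID = "111111111111"       # placeholder: "Scanner's AWS Account ID" from Part A
STS_EXTERNAL_ID = "ext-0123456789abcdef"  # placeholder: "STS External ID" from Part A
YOUR_ACCOUNT_ID = "123456789012"          # placeholder: your own account
REGION = "us-east-1"
LOG_BUCKETS = ["prod-cloudtrail-logs", "app-logs-prod"]  # existing log buckets, read-only
INDEX_BUCKET = "scanner-index-files-prod"                # dedicated index bucket, read/write
SNS_TOPIC_ARN = f"arn:aws:sns:{REGION}:{YOUR_ACCOUNT_ID}:scanner-s3-events"  # placeholder topic
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")  # a role ARN, never a user


def trust_policy(scanner_account_id, external_id):
    """Only Scanner's account may assume the role, and only with the external ID;
    without that condition any tenant who learns your role ARN could use it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def permissions_policy(log_buckets, index_bucket, collector_buckets=()):
    """Read-only on log buckets; read/write on the index bucket and any buckets
    Scanner writes collected SaaS/cloud logs into; nothing on other buckets."""
    def arns(buckets):
        base = [f"arn:aws:s3:::{b}" for b in buckets]
        return base + [a + "/*" for a in base]
    read = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadLogBuckets", "Effect": "Allow",
         "Action": read, "Resource": arns(log_buckets)},
        {"Sid": "ReadWriteScannerBuckets", "Effect": "Allow",
         "Action": read + ["s3:PutObject", "s3:DeleteObject"],
         "Resource": arns([index_bucket, *collector_buckets])},
    ]}


def sns_topic_policy(topic_arn, log_buckets, your_account_id):
    """Let the S3 service publish, but only for your own log buckets and account,
    so no foreign bucket can inject fake ObjectCreated events into the pipeline."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowS3Publish", "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "SNS:Publish", "Resource": topic_arn,
        "Condition": {
            "ArnLike": {"aws:SourceArn": [f"arn:aws:s3:::{b}" for b in log_buckets]},
            "StringEquals": {"aws:SourceAccount": your_account_id},
        },
    }]}


def bucket_notification(topic_arn):
    """NotificationConfiguration for each log bucket: new objects fan out to the
    topic, and from there to the SQS queue Scanner subscribes to it."""
    return {"TopicConfigurations": [{"TopicArn": topic_arn, "Events": ["s3:ObjectCreated:*"]}]}


def check_trust_policy(policy, scanner_account_id, external_id):
    """Pre-flight for Part C: list of problems with the trust policy (empty = OK)."""
    def as_list(v):
        return v if isinstance(v, list) else [v]
    problems = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else ["*"]
        if "*" in aws:
            problems.append("AssumeRole allowed to any principal")
        elif not any(scanner_account_id in p for p in aws):
            problems.append("principal is not Scanner's account")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("missing or wrong sts:ExternalId condition")
    return problems


if __name__ == "__main__":
    trust = trust_policy(SCANNER_ACCOUNT_ID, STS_EXTERNAL_ID)
    for name, doc in [("trust policy", trust),
                      ("permissions policy", permissions_policy(LOG_BUCKETS, INDEX_BUCKET)),
                      ("SNS topic policy", sns_topic_policy(SNS_TOPIC_ARN, LOG_BUCKETS, YOUR_ACCOUNT_ID)),
                      ("bucket notification", bucket_notification(SNS_TOPIC_ARN))]:
        print(f"--- {name}\n{json.dumps(doc, indent=2)}")
    print("trust policy problems:", check_trust_policy(trust, SCANNER_ACCOUNT_ID, STS_EXTERNAL_ID))
```

Running it prints the four JSON documents. The two details that matter for security are the sts:ExternalId condition on the trust policy (without it, another Scanner tenant who learned your role ARN could register it and have Scanner read your logs on their behalf) and the aws:SourceArn / aws:SourceAccount conditions on the topic policy, which stop any other bucket from publishing into your indexing pipeline. If your log buckets span several regions, generate one topic policy per regional topic.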

How to Create Resources

Option A: Infrastructure as Code (Recommended)

Use our pre-built CloudFormation or Terraform templates, passing in the Scanner AWS Account ID and STS External ID from Part A as parameters.

Deploy the template in your AWS account. When the deployment completes, the resources exist in your account; note the deployment outputs and continue to Part C to finish linking.

Option B: Guided Manual Setup

Follow the guided manual setup to create the same resources by hand in the AWS console: the IAM Role with its trust and permissions policies, the index files bucket, and the SNS topic with an s3:ObjectCreated notification on each log bucket. When you are done, note the resource identifiers and continue to Part C to finish linking.

Important: note the identifiers of the resources you created, whichever option you used. You'll need these in Part C:

  • IAM Role ARN (format: arn:aws:iam::123456789012:role/ScannerRole)

  • Scanner Index Files Bucket Name (e.g., scanner-index-files-prod)

Part C: Finalizing AWS Account Linking in the Scanner UI

Return to Scanner to finalize the connection by providing the resource identifiers you just created.

  1. In Scanner, go back to Settings > AWS Accounts > [Your Account]

  2. Enter the following information:

Scanner Role ARN

  • The ARN of the IAM Role you created

  • Format: arn:aws:iam::YOUR_ACCOUNT_ID:role/ROLE_NAME

  • This is an output of your CloudFormation/Terraform deployment, or can be found in the AWS IAM console

Scanner Index Files Bucket Name

  • The name of the dedicated S3 bucket for Scanner's index files

  • This is the bucket created specifically for Scanner (not your existing log buckets)

  • Example: scanner-index-files-prod

Log Files Bucket Names

  • List the existing S3 bucket(s) containing your raw logs that you want Scanner to index

  • Examples: prod-cloudtrail-logs, app-logs-prod

  • You can add multiple buckets

  • The Scanner IAM Role must have read permissions to these buckets

  3. Click Save or Complete Setup

Your AWS account is now linked! Scanner can access your log buckets and will store index files in the dedicated bucket you created.

Troubleshooting

For help resolving AWS configuration and permission errors, see Troubleshooting AWS Errors.
