Step 1: AWS Infrastructure Setup
Before Scanner can analyze logs, you must establish a secure connection to your AWS account. This creates the IAM roles, S3 buckets, and SNS/SQS resources Scanner requires.
Part A: Link Your Account in Scanner
First, register your AWS account with Scanner to get the credentials you'll need:
1. In Scanner, navigate to Settings > AWS Accounts.
2. Click Link New Account.
3. Enter your AWS Account ID and Account Name. The Account Name can be anything that helps you identify the account (e.g., "Production AWS" or "Security Logs Account").
4. Scanner will display Scanner's AWS Account ID and the STS External ID. Keep these values handy; you'll need them to create resources in AWS.
Part B: Create Required AWS Resources
Now choose your setup method to create the infrastructure Scanner needs in your AWS account.
What Gets Created
IAM Role
- Must be an IAM Role, not an IAM User (Scanner cannot assume IAM Users).
- Provides least-privilege access:
  - Read access to the S3 buckets containing your log files (for indexing and detection)
  - Read/write access to the S3 buckets where Scanner writes raw logs collected from SaaS/cloud sources
  - Read/write access to the Scanner index bucket
S3 Bucket for Index Files
- Dedicated bucket for Scanner's proprietary index files
- Should be in the same AWS region as Scanner's compute instance to minimize data transfer costs
- Configured with encryption and lifecycle rules
SNS Topic & SQS Queue
- A new or existing SNS topic to send s3:ObjectCreated notifications from your S3 log files buckets to the Scanner instance.
- An SQS queue (created by Scanner) receives messages from the SNS topic and triggers indexing.
- If your S3 log files are in multiple regions, you will need one SNS topic in each region.
How to Create Resources
Option A: Infrastructure as Code (Recommended)
Use our pre-built templates with the Scanner AWS Account ID and STS External ID from Part A:
Deploy the template in your AWS account. Once complete, your account is linked and ready.
Option B: Guided Manual Setup
Once complete, your account is linked and ready.
Important - Note the resource names created; you'll need these in Part C:
- IAM Role ARN (format: arn:aws:iam::123456789012:role/ScannerRole)
- Scanner Index Files Bucket Name (e.g., scanner-index-files-prod)
Part C: Finalizing AWS Account Linking in the Scanner UI
Return to Scanner to finalize the connection by providing the resource identifiers you just created.
1. In Scanner, go back to Settings > AWS Accounts > [Your Account].
2. Enter the following information:
   Scanner Role ARN
   - The ARN of the IAM Role you created
   - Format: arn:aws:iam::YOUR_ACCOUNT_ID:role/ROLE_NAME
   - This is an output from your CloudFormation/Terraform deployment, or visible in the AWS IAM console
   Scanner Index Files Bucket Name
   - The name of the dedicated S3 bucket for Scanner's index files
   - This is the bucket created specifically for Scanner (not your existing log buckets)
   - Example: scanner-index-files-prod
   Log Files Bucket Names
   - List the existing S3 bucket(s) containing your raw logs that you want Scanner to index
   - Examples: prod-cloudtrail-logs, app-logs-prod
   - You can add multiple buckets
   - The Scanner IAM Role must have read permissions to these buckets
3. Click Save or Complete Setup.
Your AWS account is now linked! Scanner can access your log buckets and will store index files in the dedicated bucket you created.
Common Setup Issues
❌ IAM User Instead of Role
Scanner cannot assume IAM Users. Ensure you create an IAM Role.
❌ Missing KMS Permissions
If your S3 buckets use custom KMS encryption, add kms:Decrypt permissions for those specific keys to the Scanner IAM role policy.
❌ Incomplete Bucket Policy
Grant permissions to both the bucket ARN (arn:aws:s3:::bucket-name) and the objects (arn:aws:s3:::bucket-name/*).
❌ Malformed ARNs
Double-check all resource identifiers in CloudShell commands.
❌ Wrong Role ARN
Double-check the ARN format. It should be arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME, not a user ARN.
❌ Index Files Bucket vs. Log Bucket Confusion
Scanner Index Files Bucket = NEW bucket created just for Scanner's index files
Log Files Buckets = Your EXISTING buckets with raw logs
❌ SNS Topic Not in Same Region as Logs
The SNS topic must be in the same region as your S3 log buckets. Multi-region setups require one SNS topic per region.
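As an added example (not Scanner's own templates or policy), the following Python builds the trust policy that ties the role to Scanner's AWS Account ID and STS External ID from Part A, a least-privilege permissions policy for the log and index buckets (the exact S3 action set is an assumption made here), and two checks for the mistakes listed above: a user ARN where a role ARN is required, and a bucket policy that names a bucket at only one of the two ARN levels.

```python
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def trust_policy(scanner_account_id, external_id):
    """Trust policy for the Scanner IAM Role: only Scanner's AWS account may
    assume it, and only when it presents the STS External ID from Part A."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def permissions_policy(log_buckets, index_bucket, kms_key_arns=()):
    """Least-privilege permissions (assumed action set, not Scanner's own
    policy): read-only on log buckets, read/write on the index bucket.
    Listing uses the bucket ARN, object access the bucket/* ARN, so each
    bucket must appear in both forms. kms:Decrypt is limited to the given keys."""
    all_buckets = [*log_buckets, index_bucket]
    statements = [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [f"arn:aws:s3:::{b}" for b in all_buckets]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{b}/*" for b in log_buckets]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{index_bucket}/*"]},
    ]
    if kms_key_arns:
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"],
                           "Resource": list(kms_key_arns)})
    return {"Version": "2012-10-17", "Statement": statements}

def is_role_arn(arn):
    """True only for arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME (not a user ARN)."""
    return bool(ROLE_ARN_RE.match(arn))

def unpaired_bucket_arns(policy):
    """Buckets granted at only one level (bucket ARN xor bucket/* ARN): the
    'Incomplete Bucket Policy' mistake from Common Setup Issues."""
    bucket_level, object_level = set(), set()
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        for arn in ([res] if isinstance(res, str) else res):
            m = re.match(r"^arn:aws:s3:::([^/]+)(/\*)?$", arn)
            if m:
                (object_level if m.group(2) else bucket_level).add(m.group(1))
    return sorted(bucket_level ^ object_level)
```

Run unpaired_bucket_arns against any hand-written bucket or role policy before saving it in Part C; an empty list means every bucket is granted at both levels.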