Step 1: AWS Infrastructure Setup

Before Scanner can analyze logs, you must establish a secure connection to your AWS account. This creates the IAM roles, S3 buckets, and SNS/SQS resources Scanner requires.

Part A: Register Your AWS Account with Scanner

First, register your AWS account with Scanner to get the credentials you'll need:

  1. In Scanner, navigate to Settings > AWS Accounts

  2. Click Link New Account

  3. Enter your AWS Account ID and Account Name

    • Account Name can be anything that helps you identify it (e.g., "Production AWS" or "Security Logs Account")

  4. Scanner will display:

    • Scanner's AWS Account ID

    • STS External ID

  5. Keep these values handy—you'll need them to create resources in AWS

Part B: Create Required AWS Resources

Now choose your setup method to create the infrastructure Scanner needs in your AWS account.

What Gets Created

IAM Role

  • Must be an IAM Role, not an IAM User (Scanner cannot assume IAM Users)

  • Provides least-privilege access:

    1. Read access to the S3 buckets containing your log files (for indexing and detection)

    2. Read/write access to the S3 buckets where Scanner writes raw logs collected from SaaS/cloud sources

    3. Read/write access to the Scanner index bucket

S3 Bucket for Index Files

  • Dedicated bucket for Scanner's proprietary index files

  • Should be in the same AWS region as Scanner's compute instance to minimize data transfer costs

  • Configured with encryption and lifecycle rules

SNS Topic & SQS Queue

  • A new or existing SNS topic to send s3:ObjectCreated notifications from your S3 log files buckets to the Scanner instance.

  • SQS queue (created by Scanner) receives messages from the SNS topic and triggers indexing

  • If your S3 log files are in multiple regions, you will need one SNS topic in each region.
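The two policy documents that the templates in Part B attach to the Scanner IAM Role are the security-relevant part of this setup: the trust policy restricts who may assume the role (Scanner's AWS account, and only when it presents your STS External ID, which is what prevents a third party from tricking Scanner into assuming your role), and the permission policy scopes S3 access to exactly the buckets listed above. The following Python is an added illustration, not Scanner's template or code; the account ID and External ID are constructed placeholders, and the precise S3 action lists are an assumption about what "read" and "read/write" expand to, so compare them against the deployed template rather than copying them.

```python
import json

# Constructed placeholder values (not from the page): substitute the Scanner AWS
# Account ID and STS External ID shown under Settings > AWS Accounts.
SCANNER_ACCOUNT_ID = "111111111111"
STS_EXTERNAL_ID = "REPLACE-WITH-STS-EXTERNAL-ID"


def bucket_arns(name):
    """Both ARNs a bucket grant needs: the bucket itself (for ListBucket) and its objects."""
    return [f"arn:aws:s3:::{name}", f"arn:aws:s3:::{name}/*"]


def trust_policy(scanner_account_id, external_id):
    """Trust policy for the Scanner IAM Role: only Scanner's account may assume it, and
    only when the AssumeRole call carries the STS External ID (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permission_policy(log_buckets, index_bucket, collector_buckets=(), kms_key_arns=()):
    """Least-privilege permissions: read on log buckets, read/write on the index bucket and
    any collector buckets, kms:Decrypt only on the named keys.
    The exact action lists are an assumption, not taken from Scanner's template."""
    read = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
    read_write = read + ["s3:PutObject", "s3:DeleteObject"]
    statements = [
        {"Sid": "ReadLogBuckets", "Effect": "Allow", "Action": read,
         "Resource": [a for b in log_buckets for a in bucket_arns(b)]},
        {"Sid": "ReadWriteIndexBucket", "Effect": "Allow", "Action": read_write,
         "Resource": bucket_arns(index_bucket)},
    ]
    if collector_buckets:  # buckets where Scanner writes raw logs pulled from SaaS/cloud sources
        statements.append({"Sid": "ReadWriteCollectorBuckets", "Effect": "Allow",
                           "Action": read_write,
                           "Resource": [a for b in collector_buckets for a in bucket_arns(b)]})
    if kms_key_arns:  # only needed when log buckets use customer-managed KMS keys
        statements.append({"Sid": "DecryptCustomKmsKeys", "Effect": "Allow",
                           "Action": ["kms:Decrypt"], "Resource": list(kms_key_arns)})
    return {"Version": "2012-10-17", "Statement": statements}


def granted(policy):
    """Set of (action, resource) pairs the policy allows; used to assert least privilege."""
    pairs = set()
    for st in policy["Statement"]:
        if st["Effect"] == "Allow":
            for action in st["Action"]:
                for resource in st["Resource"]:
                    pairs.add((action, resource))
    return pairs


if __name__ == "__main__":
    print(json.dumps(trust_policy(SCANNER_ACCOUNT_ID, STS_EXTERNAL_ID), indent=2))
    print(json.dumps(permission_policy(["prod-cloudtrail-logs", "app-logs-prod"],
                                       "scanner-index-files-prod"), indent=2))
```

The useful check is the negative one: `granted()` lets you confirm that no write action is allowed on a log bucket and that no KMS permission appears unless you passed a key ARN, which is how a reviewer verifies the role really is read-only on your log data.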

How to Create Resources

Option A: Infrastructure as Code (Recommended)

Use our pre-built templates with the Scanner AWS Account ID and STS External ID from Part A:

Deploy the template in your AWS account. Once complete, your account is linked and ready.

Option B: Guided Manual Setup

Follow the guided steps to create the same resources yourself (these run as commands in AWS CloudShell). Once complete, your account is linked and ready.

Important - Note the resource names created—you'll need these in Part C:

  • IAM Role ARN (format: arn:aws:iam::123456789012:role/ScannerRole)

  • Scanner Index Files Bucket Name (e.g., scanner-index-files-prod)

Part C: Finalizing AWS Account Linking in the Scanner UI

Return to Scanner to finalize the connection by providing the resource identifiers you just created.

  1. In Scanner, go back to Settings > AWS Accounts > [Your Account]

  2. Enter the following information:

Scanner Role ARN

  • The ARN of the IAM Role you created

  • Format: arn:aws:iam::YOUR_ACCOUNT_ID:role/ROLE_NAME

  • This is an output from your CloudFormation/Terraform deployment, or visible in AWS IAM console

Scanner Index Files Bucket Name

  • The name of the dedicated S3 bucket for Scanner's index files

  • This is the bucket created specifically for Scanner (not your existing log buckets)

  • Example: scanner-index-files-prod

Log Files Bucket Names

  • List the existing S3 bucket(s) containing your raw logs that you want Scanner to index

  • Examples: prod-cloudtrail-logs, app-logs-prod

  • You can add multiple buckets

  • The Scanner IAM Role must have read permissions to these buckets

  3. Click Save or Complete Setup

Your AWS account is now linked! Scanner can access your log buckets and will store index files in the dedicated bucket you created.

Common Setup Issues

IAM User Instead of Role

Scanner cannot assume IAM Users. Ensure you create an IAM Role.

Missing KMS Permissions

If your S3 buckets use custom KMS encryption, add kms:Decrypt permissions for those specific keys to the Scanner IAM role policy.

Incomplete Bucket Policy

Grant permissions to both the bucket ARN (arn:aws:s3:::bucket-name) and objects (arn:aws:s3:::bucket-name/*).

Malformed ARNs

Double-check all resource identifiers in CloudShell commands.

Wrong Role ARN

Double-check the ARN format. It should be arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME, not a user ARN.

Index Files Bucket vs. Log Bucket Confusion

  • Scanner Index Files Bucket = NEW bucket created just for Scanner's index files

  • Log Files Buckets = Your EXISTING buckets with raw logs

SNS Topic Not in Same Region as Logs

The SNS topic must be in the same region as your S3 log buckets. Multi-region setups require one SNS topic per region.
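Most of the issues above are visible in the values you are about to enter in Part C, so they can be caught before clicking Save. The pre-flight checker below is an added example, not part of Scanner, and runs entirely offline on a constructed configuration: it flags a user ARN where a role ARN is expected, a bucket grant that covers the bucket ARN but not its objects, a custom KMS key with no kms:Decrypt grant, and an SNS topic in a different region from the log bucket. The sample role policy, bucket names, key ARN and topic ARN are all made up for the demonstration.

```python
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[A-Za-z0-9+=,.@_/-]+$")
SNS_ARN_RE = re.compile(r"^arn:aws:sns:([a-z0-9-]+):\d{12}:[A-Za-z0-9_-]+$")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_role_arn(arn):
    """'IAM User Instead of Role' / 'Wrong Role ARN': must be a well-formed role ARN."""
    if ":user/" in arn:
        return [f"{arn} is an IAM User ARN; Scanner can only assume IAM Roles"]
    if not ROLE_ARN_RE.match(arn):
        return [f"Malformed role ARN {arn!r} (expected arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME)"]
    return []


def allowed_resources(policy, action_filter=None):
    """Resource ARNs from Allow statements, optionally only those granting action_filter."""
    resources = set()
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if action_filter and not any(a == action_filter or a.endswith(":*") or a == "*"
                                     for a in actions):
            continue
        resources.update(_as_list(st.get("Resource", [])))
    return resources


def check_bucket_coverage(policy, buckets):
    """'Incomplete Bucket Policy': both arn:aws:s3:::name and arn:aws:s3:::name/* are needed."""
    resources = allowed_resources(policy)
    findings = []
    for bucket in buckets:
        for arn in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"):
            if arn not in resources and "*" not in resources:
                findings.append(f"Policy grants nothing on {arn}")
    return findings


def check_kms(policy, bucket_kms_keys):
    """'Missing KMS Permissions': each custom key needs kms:Decrypt on that specific key."""
    decrypt_targets = allowed_resources(policy, action_filter="kms:Decrypt")
    return [f"No kms:Decrypt on {key} (used by bucket {bucket})"
            for bucket, key in bucket_kms_keys.items()
            if key and key not in decrypt_targets and "*" not in decrypt_targets]


def check_sns_regions(log_bucket_regions, sns_topic_arns):
    """'SNS Topic Not in Same Region as Logs': one topic per region holding log buckets."""
    findings, topic_regions = [], set()
    for arn in sns_topic_arns:
        match = SNS_ARN_RE.match(arn)
        if match:
            topic_regions.add(match.group(1))
        else:
            findings.append(f"Malformed SNS topic ARN {arn!r}")
    for bucket, region in log_bucket_regions.items():
        if region not in topic_regions:
            findings.append(f"No SNS topic in {region} for log bucket {bucket}")
    return findings


def preflight(cfg):
    """Run every check on a configuration dict; returns a list of human-readable findings."""
    return (check_role_arn(cfg["role_arn"])
            + check_bucket_coverage(cfg["role_policy"], cfg["log_buckets"] + [cfg["index_bucket"]])
            + check_kms(cfg["role_policy"], cfg["bucket_kms_keys"])
            + check_sns_regions(cfg["log_bucket_regions"], cfg["sns_topics"]))


# Constructed sample configuration exhibiting four of the common issues.
SAMPLE = {
    "role_arn": "arn:aws:iam::123456789012:user/ScannerUser",          # user, not role
    "role_policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::prod-cloudtrail-logs"]},             # object ARN missing
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::scanner-index-files-prod",
                      "arn:aws:s3:::scanner-index-files-prod/*"]},
    ]},
    "log_buckets": ["prod-cloudtrail-logs"],
    "index_bucket": "scanner-index-files-prod",
    "bucket_kms_keys": {"prod-cloudtrail-logs":
                        "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},  # no Decrypt grant
    "log_bucket_regions": {"prod-cloudtrail-logs": "us-east-1"},
    "sns_topics": ["arn:aws:sns:eu-west-1:123456789012:scanner-s3-notifications"],  # wrong region
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print("-", finding)
```

Feed `preflight()` the real values from your CloudFormation/Terraform outputs (role ARN, the role's attached policy document, bucket names and regions, KMS key ARNs, SNS topic ARNs); an empty result means none of the listed setup issues are present, though it does not replace checking the policies in the IAM console.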
