Linking AWS Accounts

How to link your AWS accounts with Scanner

Last updated 6 months ago

Linking your AWS account involves setting up certain resources such that Scanner can read your log files, index them, store the index files, and read the index files when you make a query.

AWS resources required

  • A new S3 bucket to store Scanner index files.

  • A new IAM role with these permissions:

    • Read access to S3 buckets containing your logs.

    • Read/write access to the new Scanner index files bucket.

  • A new or existing SNS topic to send s3:ObjectCreated notifications from your S3 log file buckets to the Scanner instance. If your S3 log files are in multiple regions, you will need one SNS topic in each region.
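As an added illustration (not Scanner's own template; those are on the following pages), this Python builds a least-privilege permissions policy for the IAM role described above and audits it so that no statement grants write access to a log bucket. The bucket names and action sets are constructed placeholders.

```python
import fnmatch
import json

# Constructed action sets (Scanner's templates on the following pages are authoritative).
READ_BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket"]
READ_OBJECT_ACTIONS = ["s3:GetObject"]
WRITE_OBJECT_ACTIONS = ["s3:PutObject", "s3:DeleteObject"]


def bucket_arn(name):
    return f"arn:aws:s3:::{name}"


def build_scanner_role_policy(log_buckets, index_bucket):
    """Permissions policy for the Scanner role: read-only on the log buckets,
    read/write on the index bucket, nothing else."""
    log_arns = [bucket_arn(b) for b in log_buckets]
    idx_arn = bucket_arn(index_bucket)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListLogBuckets", "Effect": "Allow",
             "Action": READ_BUCKET_ACTIONS, "Resource": log_arns},
            {"Sid": "ReadLogObjects", "Effect": "Allow",
             "Action": READ_OBJECT_ACTIONS, "Resource": [a + "/*" for a in log_arns]},
            {"Sid": "ListIndexBucket", "Effect": "Allow",
             "Action": READ_BUCKET_ACTIONS, "Resource": [idx_arn]},
            {"Sid": "ReadWriteIndexObjects", "Effect": "Allow",
             "Action": READ_OBJECT_ACTIONS + WRITE_OBJECT_ACTIONS,
             "Resource": [idx_arn + "/*"]},
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statements_writing_to(policy, bucket):
    """Return the Sids of Allow statements that grant any write action on `bucket`.
    Handles string-or-list Action/Resource and IAM '*' wildcards, so an over-broad
    grant such as s3:* on Resource * is caught as well."""
    target = bucket_arn(bucket)
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        writes = any(fnmatch.fnmatchcase(w, a)
                     for a in _as_list(stmt["Action"]) for w in WRITE_OBJECT_ACTIONS)
        touches = any(fnmatch.fnmatchcase(target, r) or fnmatch.fnmatchcase(target + "/key", r)
                      for r in _as_list(stmt["Resource"]))
        if writes and touches:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    pol = build_scanner_role_policy(["cloudtrail-logs-prod"], "scanner-index-files")
    print(json.dumps(pol, indent=2))
    print("write grants on log bucket:", statements_writing_to(pol, "cloudtrail-logs-prod"))
```

Run the audit against whatever policy you actually attach; an empty result for each log bucket confirms the role can read but never modify your log evidence.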

Setting up the resources

You can use AWS CloudShell, CloudFormation, Terraform, or Pulumi to set up the resources in your AWS account. Commands and templates are provided in the following pages.

We recommend AWS CloudShell for the quickest onboarding. Teams usually transition to infra-as-code tools such as CloudFormation, Terraform, or Pulumi once their infrastructure decisions stabilize.

Getting started

To link a new AWS account to Scanner, perform the following steps.

  1. Open up Scanner.

  2. Navigate to Settings > AWS Accounts.

  3. Click Link New Account.

  4. Enter the Account ID and Account Name of your AWS account. The Account Name can be anything that allows you to identify it easily in the UI.

  5. Click Continue.

  6. Choose one of the two options:

    1. Manual setup. "Walk me through it." Select this option for a step-by-step guide in AWS CloudShell. Ideal for those who prefer a structured approach or are new to cloud configurations.

    2. Infra-as-code. "I can do it myself." Choose this if you're experienced with AWS and plan to use CloudFormation, Terraform, or Pulumi. Recommended for users who prefer to manage their setup independently.

  7. Follow the remaining steps to finish linking your AWS account to Scanner.

  • AWS CloudShell
  • CloudFormation
  • Terraform
  • Pulumi