Create an S3 bucket policy for the export
Before Immuta can export audit events to your S3 bucket, you need to create a bucket policy that allows the Immuta audit service to add objects to your specified S3 bucket. The following Amazon S3 action will be granted to the audit service in the bucket policy:
s3:PutObject: Adds an object to a bucket.
To create the policy for the bucket, you must be the bucket owner. Follow the Amazon S3 documentation for adding a bucket policy in the Amazon S3 console.
Edit the JSON in the Policy section to include a bucket policy like the example below. In this example, the policy allows immuta-audit-service (the principal) to add objects to customer-bucket-name and the contents within that bucket. Because only s3:PutObject is granted, that principal can write audit objects but cannot list, read, or delete them.
Note: If you use this example, replace the content in angle brackets with your AWS account number, the role created for Immuta, and the name of the bucket that will receive the export.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<INSERT CUSTOMER ACCOUNT NUMBER WITHOUT HYPHENS>:role/<INSERT A ROLE CREATED FOR IMMUTA>"
    },
    "Action": [
      "s3:PutObject"
    ],
    "Resource": [
      "arn:aws:s3:::<INSERT CUSTOMER BUCKET NAME TO RECEIVE EXPORT>/*",
      "arn:aws:s3:::<INSERT CUSTOMER BUCKET NAME TO RECEIVE EXPORT>"
    ]
  }]
}
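As an added example (not part of the Immuta documentation or product), the following Python script fills in the placeholders of the policy above and then checks that every Allow statement still grants only s3:PutObject, only to the Immuta role, and only on the named bucket. The account number, role name and bucket name it is run with are constructed sample values.

```python
import json

# Bucket policy template as the page gives it, placeholders included.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::<INSERT CUSTOMER ACCOUNT NUMBER WITHOUT HYPHENS>:role/<INSERT A ROLE CREATED FOR IMMUTA>"},
    "Action": ["s3:PutObject"],
    "Resource": ["arn:aws:s3:::<INSERT CUSTOMER BUCKET NAME TO RECEIVE EXPORT>/*",
                 "arn:aws:s3:::<INSERT CUSTOMER BUCKET NAME TO RECEIVE EXPORT>"]
  }]
}"""

def render_policy(account: str, role: str, bucket: str) -> dict:
    """Fill the page's angle-bracket placeholders and parse the result."""
    text = (POLICY_TEMPLATE
            .replace("<INSERT CUSTOMER ACCOUNT NUMBER WITHOUT HYPHENS>", account)
            .replace("<INSERT A ROLE CREATED FOR IMMUTA>", role)
            .replace("<INSERT CUSTOMER BUCKET NAME TO RECEIVE EXPORT>", bucket))
    return json.loads(text)

def _as_list(value):
    """IAM accepts a single string (or object) or a list in these elements."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def audit_policy(policy: dict, account: str, role: str, bucket: str) -> list:
    """Return findings; empty means each Allow statement stays within s3:PutObject, the Immuta role and this bucket."""
    expected_principal = f"arn:aws:iam::{account}:role/{role}"
    allowed_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access and are not flagged
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            for kind in set(principal) - {"AWS"}:  # e.g. Service or Federated
                findings.append(f"statement {i}: unexpected principal type {kind}")
            principal = principal.get("AWS", [])
        for p in _as_list(principal):
            if p != expected_principal:
                findings.append(f"statement {i}: principal {p!r} is not the Immuta role")
        for a in _as_list(stmt.get("Action", [])):
            if a != "s3:PutObject":
                findings.append(f"statement {i}: action {a!r} exceeds s3:PutObject")
        for r in _as_list(stmt.get("Resource", [])):
            if r not in allowed_resources:
                findings.append(f"statement {i}: resource {r!r} is outside {bucket}")
    return findings
```

Run audit_policy against the policy you actually attach to the bucket, not just the rendered template, so any extra statements added later are caught too.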
You can configure your audit export destination using one of two methods:
Using the Immuta CLI
Install the Immuta CLI
Download the binary that corresponds to your operating system and architecture:
Linux x86_64 (amd64):
    curl -Lo immuta https://immuta-platform-artifacts.s3.amazonaws.com/cli/latest/immuta_cli_linux_amd64 && chmod +x immuta
Linux ARMv8 (arm64):
    curl -Lo immuta https://immuta-platform-artifacts.s3.amazonaws.com/cli/latest/immuta_cli_linux_arm64 && chmod +x immuta
Darwin x86_64 (amd64):
    curl -Lo immuta https://immuta-platform-artifacts.s3.amazonaws.com/cli/latest/immuta_cli_darwin_amd64 && chmod +x immuta
Darwin ARMv8 (arm64):
    curl -Lo immuta https://immuta-platform-artifacts.s3.amazonaws.com/cli/latest/immuta_cli_darwin_arm64 && chmod +x immuta
Windows:
    Download the Windows binary and add it to a directory in your system's $PATH as immuta.exe.
Run immuta configure in your terminal.
Enter the URL of your Immuta tenant in the interactive prompt.
Enter your Immuta API key.
Set the following parameters in a JSON or YAML file (the command below assumes the file is named exportConfig.json):
interval: The interval at which audit logs are exported to your S3 bucket. Logs can be sent at 2-, 4-, 6-, 12-, or 24-hour intervals.
bucket: Name of the bucket your audit logs will be sent to.
path: Path within the bucket that your audit logs will be written to.
region: AWS region (such as "us-east-1").
accessKeyId: AWS access key ID.
secretAccessKey: AWS secret access key.
{
  "interval": "EVERY_12_HOURS",
  "bucket": "your-s3-bucket",
  "path": "hr-data",
  "region": "us-east-1",
  "accessKeyId": "your-access-key-id",
  "secretAccessKey": "your-secret-access-key"
}
Configure these settings in Immuta by running the following command:
    immuta audit exportConfig create:s3 ./exportConfig.json
List all configurations
To view all of the export configurations created for your instance of Immuta, run the following command:
    immuta audit exportConfig list
View a configuration
To review a specific export configuration, run the get command with the export configuration ID as the argument:
    immuta audit exportConfig get f7f9e289-f37b-4942-a18d-66d6de6e7cb2
Disable a configuration
To disable a configuration, run the following command with the export configuration ID as the argument:
    immuta audit exportConfig disable f7f9e289-f37b-4942-a18d-66d6de6e7cb2
Enable a configuration
To enable a disabled configuration, run the following command with the export configuration ID as the argument:
    immuta audit exportConfig enable f7f9e289-f37b-4942-a18d-66d6de6e7cb2
Delete a configuration
To delete an export configuration, run the following command with the export configuration ID as the argument:
    immuta audit exportConfig delete f7f9e289-f37b-4942-a18d-66d6de6e7cb2
Using the audit service GraphQL API
Pass the following fields into the $data variable used in the mutation in the next step:
interval: The interval at which audit logs are exported to your S3 bucket. Logs can be sent at 2-, 4-, 6-, 12-, or 24-hour intervals.
bucket: Name of the bucket your audit logs will be sent to.
path: Path within the bucket that your audit logs will be written to.
region: AWS region (such as "us-east-1").
accessKeyId: AWS access key ID.
secretAccessKey: AWS secret access key.
{
  "data": {
    "interval": "EVERY_12_HOURS",
    "bucket": "your-s3-bucket",
    "path": "hr-data",
    "region": "us-east-1",
    "accessKeyId": "your-access-key-id",
    "secretAccessKey": "your-secret-access-key"
  }
}
Configure these settings in Immuta using the createS3ExportConfiguration mutation:
Mutation:
    mutation createS3ExportConfiguration($data: CreateS3ExportConfigurationInput!) {
      createS3ExportConfiguration(data: $data) {
        id
        interval
        endpointConfiguration {
          ... on S3EndpointConfiguration {
            ...S3EndpointConfigurationFragment
          }
        }
      }
    }
Variable ($data, of type CreateS3ExportConfigurationInput): The S3 export configuration to create.
    {"data": CreateS3ExportConfigurationInput}
Example response:
    {
      "data": {
        "createS3ExportConfiguration": {
          "id": "4",
          "interval": "EVERY_2_HOURS",
          "enabled": false,
          "endpointConfiguration": S3EndpointConfiguration,
          "createdBy": User,
          "createdAt": "2007-12-03T10:15:30Z",
          "updatedBy": User,
          "updatedAt": "2007-12-03T10:15:30Z"
        }
      }
    }
Disable a configuration
To disable a configuration, use the disableExportConfiguration mutation:
Mutation:
    mutation disableExportConfiguration($id: String!) {
      disableExportConfiguration(id: $id) {
        id
        interval
        enabled
        endpointConfiguration {
          ... on S3EndpointConfiguration {
            ...S3EndpointConfigurationFragment
          }
        }
        createdBy {
          ...UserFragment
        }
        createdAt
        updatedBy {
          ...UserFragment
        }
        updatedAt
      }
    }
Variable ($id): The ID of the export configuration to disable.
Response:
    {
      "data": {
        "disableExportConfiguration": {
          "id": "4",
          "interval": "EVERY_2_HOURS",
          "enabled": true,
          "endpointConfiguration": S3EndpointConfiguration,
          "createdBy": User,
          "createdAt": "2007-12-03T10:15:30Z",
          "updatedBy": User,
          "updatedAt": "2007-12-03T10:15:30Z"
        }
      }
    }
Enable a configuration
To enable a disabled configuration, use the enableExportConfiguration mutation:
Mutation:
    mutation enableExportConfiguration($id: String!) {
      enableExportConfiguration(id: $id) {
        id
        interval
        enabled
        endpointConfiguration {
          ... on S3EndpointConfiguration {
            ...S3EndpointConfigurationFragment
          }
        }
        createdBy {
          ...UserFragment
        }
        createdAt
        updatedBy {
          ...UserFragment
        }
        updatedAt
      }
    }
Variable ($id): The ID of the export configuration to enable.
Response:
    {
      "data": {
        "enableExportConfiguration": {
          "id": "4",
          "interval": "EVERY_2_HOURS",
          "enabled": true,
          "endpointConfiguration": S3EndpointConfiguration,
          "createdBy": User,
          "createdAt": "2007-12-03T10:15:30Z",
          "updatedBy": User,
          "updatedAt": "2007-12-03T10:15:30Z"
        }
      }
    }