> - The Amazon Web Services S3 connector is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
24
-
25
21
# [S3 connector (new)](#tab/s3)
26
22
27
23
This tab explains how to configure the AWS S3 connector. The process of setting it up has two parts: the AWS side and the Microsoft Sentinel side. Each side's process produces information used by the other side. This two-way authentication creates secure communication.
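Review bot: the unchanged sentences "Each side's process produces information used by the other side. This two-way authentication creates secure communication." describe the embedded-credentials-plus-workspace-ID exchange that the next hunk removes; since the rest of this change moves the connector to OIDC federation with an assumed IAM role, reword this paragraph so it matches the federated flow introduced below rather than a credential exchange.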
@@ -52,9 +48,7 @@ This graphic and the following text show how the parts of this connector solutio
52
48
53
49
- The connector reads the message with the path, then fetches the files from the S3 bucket.
54
50
55
-
- To connect to the SQS queue and the S3 bucket, Microsoft Sentinel uses AWS credentials and connection information embedded in the AWS S3 connector's configuration. The AWS credentials are configured with a role and a permissions policy giving them access to those resources. Similarly, the Microsoft Sentinel workspace ID is embedded in the AWS configuration, so there is in effect two-way authentication.
56
-
57
-
For customers in **Azure Government clouds**, Microsoft Sentinel uses a federated web identity provider (Microsoft Entra ID) for authenticating with AWS through OpenID Connect (OIDC), and assuming an AWS IAM role.
51
+
- To connect to the SQS queue and the S3 bucket, Microsoft Sentinel uses a federated web identity provider (Microsoft Entra ID) for authenticating with AWS through OpenID Connect (OIDC), and assuming an AWS IAM role. The role is configured with a permissions policy giving it access to those resources.
58
52
59
53
## Connect the S3 connector
60
54
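Review bot: the added "To connect to the SQS queue..." line drops the only statement of how the trust is scoped to one Sentinel workspace. The removed text said the workspace ID is embedded in the AWS configuration, and a later step in this same diff still asks readers to copy the "External ID (Workspace ID)"; add a sentence stating that the assumed role's trust policy must be conditioned on that value (it appears to be the provider's audience, per the Client ID/Audience table rows further down) so the role cannot be assumed from another tenant or workspace. Also, the removed "For Azure Government clouds..." paragraph has no replacement here; if OIDC is now the mechanism for all clouds, say so explicitly, otherwise the distinction is silently lost.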
@@ -64,9 +58,11 @@ This graphic and the following text show how the parts of this connector solutio
64
58
65
59
- Create a **Simple Queue Service (SQS) queue** to provide notification.
66
60
67
-
- Create an**assumed role** to grant permissions to your Microsoft Sentinel account (external ID) to access your AWS resources.
61
+
- Create a**web identity provider** to authenticate users to AWS through OpenID Connect (OIDC).
68
62
69
-
- Attach the appropriate **IAM permissions policies** to grant Microsoft Sentinel access to the appropriate resources (S3 bucket, SQS).
63
+
- Create an **assumed role** to grant permissions to users authenticated by the OIDC web identity provider to access your AWS resources.
64
+
65
+
- Attach the appropriate **IAM permissions policies** to grant the assumed role access to the appropriate resources (S3 bucket, SQS).
70
66
71
67
We have made available, in our GitHub repository, a script that **automates the AWS side of this process**. See the instructions for [automatic setup](#automatic-setup) later in this document.
72
68
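Review bot: the added list item "Create a**web identity provider**" is missing the space after "a" (the removed line had the same defect with "an**assumed role**", and the rewritten role item in this hunk fixes it, so fix this one too). Also, "to authenticate users to AWS" is inaccurate for this flow: per the paragraph above, it is Microsoft Sentinel itself that authenticates to AWS through the provider, so "to authenticate Microsoft Sentinel to AWS" would be correct, and the role item below ("users authenticated by the OIDC web identity provider") should be aligned the same way.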
@@ -80,15 +76,17 @@ To simplify the onboarding process, Microsoft Sentinel has provided a [PowerShel
80
76
81
77
The script takes the following actions:
82
78
83
-
- Creates an *IAM assumed role* with the minimal necessary permissions, to grant Microsoft Sentinel access to your logs in a given S3 bucket and SQS queue.
79
+
- Creates an OIDC web identity provider, to authenticate Microsoft Entra ID users to AWS.
80
+
81
+
- Creates an *IAM assumed role* with the minimal necessary permissions, to grant OIDC-authenticated users access to your logs in a given S3 bucket and SQS queue.
84
82
85
83
- Enables specified AWS services to send logs to that S3 bucket, and notification messages to that SQS queue.
86
84
87
85
- If necessary, creates that S3 bucket and that SQS queue for this purpose.
88
86
89
87
- Configures any necessary IAM permissions policies and applies them to the IAM role created above.
90
88
91
-
For Azure Government clouds, a specialized script first creates an OIDC identity provider, to which it assigns the IAM assumed role. It then performs all the other steps above.
89
+
For Azure Government clouds, a specialized script creates a different OIDC web identity provider, to which it assigns the IAM assumed role.
92
90
93
91
### Prerequisites for automatic setup
94
92
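Review bot: the rewritten Azure Government sentence says the specialized script creates "a different OIDC web identity provider" without saying what differs, and it no longer says whether that script also performs the remaining steps (the removed version ended with "It then performs all the other steps above"). Suggest naming the distinguishing property (the Government-cloud Microsoft Entra ID issuer the provider points at) and either restoring that closing sentence or stating what the script does not do. The added first bullet also uses the "Microsoft Entra ID users" wording; since the role exists so that Microsoft Sentinel can read the bucket and queue, "to authenticate Microsoft Sentinel to AWS" is the accurate phrasing there as well.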
@@ -169,19 +167,19 @@ Microsoft recommends using the automatic setup script to deploy this connector.
169
167
170
168
1. Under **Configuration**, expand **Setup with PowerShell script (recommended)**, then copy the **External ID (Workspace ID)** to your clipboard.
171
169
172
-
### Create an AWS assumed role and an Open ID Connect (OIDC) web identity provider
170
+
### Create an Open ID Connect (OIDC) web identity provider and an AWS assumed role
173
171
174
172
1. In a different browser window or tab, open the AWS console.
175
173
176
174
1. Create a **web identity provider**. Follow these instructions in the AWS documentation:<br>[Creating OpenID Connect (OIDC) identity providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html).
177
175
178
176
| Parameter | Selection/Value | Comments |
179
177
| - | - | - |
180
-
|**Client ID**| Ignore this, you already have it. See **Audience** line below.||
178
+
|**Client ID**|- |Ignore this, you already have it. See **Audience** line below. |
181
179
|**Provider type**|*OpenID Connect*| Instead of default *SAML*.|
3. Create an **IAM assumed role**. Follow these instructions in the AWS documentation:<br>[Creating a role for web identity or OpenID Connect Federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create).
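Review bot: the new **Client ID** row uses a bare "- " as the Selection/Value cell; a lone hyphen in a Markdown table cell can render as an empty cell or a stray list marker depending on the renderer, so write something explicit such as "Leave blank". Two pre-existing issues in the surrounding context are worth fixing in the same change: the list item after the table is numbered "3." while the earlier items use "1." (the file otherwise lets the renderer number them), and the Client ID comment says "See **Audience** line below" but no Audience row is visible in this hunk, so confirm that row exists and is adjacent.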