Overview

Please note this In-App option is for S3 Access Log ingestion only, for all other use cases refer to our Client Side option. To set up the AWS integration manually, create an IAM policy and IAM role in your AWS account, and configure the role with an AWS External ID generated in your Bronto account. This allows Bronto’s AWS account to query AWS APIs on your behalf, and pull data into your Bronto account. The sections below detail the steps for creating each of these components, and then completing the setup in your Bronto account.

Setup

1

Generate an AWS External ID

In the AWS integration configuration page, click the “Add New AWS Account” button.
2

Enter your AWS account ID in the “AWS Account ID” field and click “Generate External ID”. The ID will be generated and available for you to copy. For more information on AWS External IDs**, **see the IAM user guide.
3

AWS IAM role for Bronto

Create a new role in the AWS IAM Console.
4

Select Custom trust policy for the trusted entity type and paste the trust policy below. (Note: don’t forget to copy in your External ID generated on the integration page)
5

Skip the permission policy section as it will be created after the role.
6

Name the role BrontoBytesIntegration-AWSRole, and provide an apt description.
7

Click Create Role.
8

AWS IAM policy for Bronto

Create an IAM policy for the BrontoBytes role in your AWS account with the necessary permissions to take advantage of every AWS integration offered by BrontoBytes. As other components are added to an integration, these permissions may change.Go to the newly created BrontoBytesIntegration-AWSRole role in the AWS IAM Console.
9

Click Add Permissions and choose Create inline policy.
10

Paste the BrontoBytes Integration Policy below.
11

Click Next to review your changes.
12

Name the policy BrontoBytesIntegrationPolicy or one of your own choosing, and provide an apt description.
13

Click Create policy.
14

AWS IAM Permissions

AWS IAM permissions enable Bronto to collect metrics, tags, EventBridge events, and other data necessary to monitor your AWS environment.To correctly set up the AWS Integration, you must attach the relevant IAM policies to the Bronto AWS Integration IAM Role in your AWS account.

AWS Integration IAM Custom Trust Policy

Don’t forget to copy in your External ID generated on the integration page
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BrontoBytesAssumeRole",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::637423326566:role/BrontoBytesAWSIntegration"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<External ID created in your BrontoBytes account>"
                }
            }
        }
    ]
}

Bronto Integration Policy

The below config needs to be updated first before pasting. BUCKET_NAMEis the name of the S3 bucket that contains the log data and PREFIX is the path to the parent folder where the logs are actually stored.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<PREFIX>/*",
                "arn:aws:s3:::<BUCKET_NAME>"
            ]
        }
    ]
}

S3 Notifications

The final step is to enable notifications for your S3 bucket. This will allow Bronto to receive notifications when new objects are added to your bucket.Go to the S3 console and find the bucket you want to enable notifications for.
15

Choose the Properties tab and scroll down to Event notifications
16

Click Create event notification
17

Set the event type to All object create events
18

Set the destination to SNS Topic and enter ARN that matches the region where your bucket is:
  • EU West 1 
    arn:aws:sns:eu-west-1:637423326566:brontobytes-aws-ingestion
  • US East 1 
    arn:aws:sns:us-east-1:637423326566:brontobytes-aws-ingestion