Syncing Data to AWS S3
Background
Admins can configure Twingate to send audit logs, network events, and DNS filtering logs to their AWS S3 buckets every 5 minutes. This data can be programmatically consumed or sent to a SIEM, providing real time visibility for troubleshooting or investigating Admin actions within Twingate or end user connections across the network.
Configuring your S3 Bucket and permissions
Set up an AWS S3 Bucket
Get an Access Key and Secret Access Key
- Open the AWS IAM console
- Go to Users
- Create a User who will have access to the S3 bucket
- Select the user who should have access
- Click Create Access Key
- Save the Access Key and Secret Access Key
Grant your AWS user access to the bucket
- Make sure the user has
s3:ListBucket
ands3:PutObject
listed in their policy
Configuring your AWS S3 sync in Twingate
1. Navigate to the Reports page under Settings
2. Click Sync to S3 Bucket to configure your sync
3. Enter your Bucket Name, Access Key ID, and Secret Access Key ID
4. The first synced data should arrive within the next 10 minutes.
Any subsequent audit log and network events will be synced to your S3 bucket every 5 minutes on an ongoing basis.
Troubleshooting
Why is my S3 sync failing?
If you’ve just configured your S3 sync and it immediately fails, you could be running into a configuration issue. Please check that your bucket name, access key, secret access key, and AWS user policies are correct. The AWS user trying to access the bucket should have s3:ListBucket
and s3:PutObject
policies.
What happens if there are no events to sync?
In the case that there are no events to sync, Twingate will not send files to the S3 bucket. You can confirm that the sync works in the Admin Console by navigating to Settings, then Reports. The S3 sync status will be displayed on the upper right corner as seen below.
I just performed an action that should be reflected in my data. Why am I not seeing it?
Events can take up to 10 minutes to be reflected in the sync.
Last updated 5 months ago