Syncing Data to AWS S3

Background

Admins can configure Twingate to send audit logs, network events, and DNS filtering logs to their AWS S3 buckets every 5 minutes. This data can be programmatically consumed or sent to a SIEM, providing real-time visibility for troubleshooting or for investigating Admin actions within Twingate and end user connections across the network.

Configuring your S3 Bucket and permissions

Set up an AWS S3 Bucket

See the AWS S3 User Guide.

Get an Access Key and Secret Access Key

  • Open the AWS IAM console
  • Go to Users
  • Create a User who will have access to the S3 bucket
  • Select the user who should have access
  • Click Create Access Key
  • Save the Access Key and Secret Access Key

Grant your AWS user access to the bucket

See the AWS S3 User Guide.

  • Make sure the user has s3:ListBucket and s3:PutObject listed in their policy

Configuring your AWS S3 sync in Twingate

1. Navigate to the Reports page under Settings

2. Click Sync to S3 Bucket to configure your sync

3. Enter your Bucket Name, Access Key ID, and Secret Access Key ID

4. The first synced data should arrive within the next 10 minutes.

Any subsequent audit log and network events will be synced to your S3 bucket every 5 minutes on an ongoing basis.

Troubleshooting

Why is my S3 sync failing?

If you’ve just configured your S3 sync and it immediately fails, you could be running into a configuration issue. Please check that your bucket name, access key, secret access key, and AWS user policies are correct. The policy of the AWS user trying to access the bucket should allow the s3:ListBucket and s3:PutObject actions.
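The permission requirement stated in the setup steps and in the answer above can be checked offline before the keys are entered in Twingate. The following Python check is an added example, not part of Twingate's documentation or tooling: it audits an IAM identity policy document for the two required actions, flags anything broader, and catches the case where s3:ListBucket is attached only to the object ARN. The bucket name example-twingate-logs and the names audit_policy and SAMPLE_POLICY are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: least-privilege policy for a placeholder bucket name.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-twingate-logs"},
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-twingate-logs/*"}
  ]
}""")

# s3:ListBucket is a bucket-level action (bucket ARN);
# s3:PutObject is an object-level action (bucket ARN followed by /*).
REQUIRED = {"s3:ListBucket": "arn:aws:s3:::{b}", "s3:PutObject": "arn:aws:s3:::{b}/*"}


def _listify(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy, bucket):
    """Return (missing_actions, findings). Simplified: only Allow statements
    are read; Deny, NotAction, NotResource and Condition are not evaluated."""
    targets = {act: arn.format(b=bucket) for act, arn in REQUIRED.items()}
    required_lower = {act.lower() for act in targets}
    granted, findings = set(), []
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _listify(stmt.get("Action", []))
        resources = _listify(stmt.get("Resource", []))
        for action in actions:
            if action.lower() not in required_lower:
                findings.append(f"broader than required: Action {action}")
        for res in resources:
            if res not in targets.values():
                findings.append(f"outside bucket scope: Resource {res}")
        # An action counts as granted only on the ARN type it applies to.
        for act, arn in targets.items():
            if any(fnmatchcase(act.lower(), a.lower()) for a in actions) \
                    and any(fnmatchcase(arn, r) for r in resources):
                granted.add(act)
    return sorted(set(targets) - granted), findings
```

An empty result on both sides means the policy grants the two required actions on this bucket and nothing more.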

What happens if there are no events to sync?

If there are no events to sync, Twingate will not send files to the S3 bucket. You can confirm that the sync works in the Admin Console by navigating to Settings, then Reports. The S3 sync status is displayed in the upper right corner.

I just performed an action that should be reflected in my data. Why am I not seeing it?

Events can take up to 10 minutes to be reflected in the sync.
