
AWS CloudFront


Use Last9’s S3 log ingestion endpoint to ingest logs from AWS CloudFront. Read the setup guide for more details.

Configuration

Configure an S3 bucket for AWS CloudFront logs. Last9 can ingest CloudFront logs from this S3 bucket.

Notify Last9 when new files are created in the S3 bucket

  • Last9's AWS S3 ingestion is event-driven and uses one SQS queue per AWS region.
  • The SQS queue supports all S3 buckets in a region. The Last9 team will share the SQS ARN with you depending on the region in which you want to enable S3 log ingestion.
  • Once you get the SQS ARN from Last9, enable event notifications on the S3 bucket whose logs you want ingested into Last9.
  • Set the destination of the event notifications to the ARN of the Last9 SQS queue.

    Read more about S3 Event notification here.

STS Assume Role

Attach the following trust relationship, which names the Last9 principal user ARN, to a role. You can create the role to delegate permissions as per the AWS documentation.

Contact cs@last9.io to get the Last9 principal user ARN to replace <last9-cold-storage-user> in the configuration below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<last9-cold-storage-user>",
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

S3 Access policy

Attach the following IAM policy to the role created in the above step so that the Last9 ingestion pipeline can access the contents of the S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"]
    }
  ]
}

Share the following information with the Last9 team to initiate ingestion from the S3 bucket.

  1. The STS role ARN.
  2. S3 bucket ARN.
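
Before sharing the role ARN, the two policies above can be checked offline for unreplaced placeholders and for grants wider than the page describes. This is an added example, not Last9's or AWS's own tooling; the function names, account ID, user name and bucket name are assumptions made up for the illustration.

```python
"""Pre-flight check for the role trust policy and S3 access policy (added example)."""

READ_ONLY = {"s3:getobject", "s3:listbucket"}  # the two actions the page grants

def _list(v):
    return v if isinstance(v, list) else [v]

def _allows(policy):
    return [s for s in _list(policy["Statement"]) if s.get("Effect") == "Allow"]

def audit_trust(policy, vendor_arn):
    """Findings for the trust policy. Service principals are left to manual review."""
    out = []
    for st in _allows(policy):
        principal = st.get("Principal", {})
        if principal == "*":
            out.append("any AWS principal may assume the role")
            continue
        for arn in _list(principal.get("AWS", [])):
            if arn.startswith("<"):
                out.append(f"placeholder not replaced: {arn}")
            elif arn != vendor_arn:
                out.append(f"unexpected AWS principal: {arn}")
        if _list(st.get("Action")) != ["sts:AssumeRole"]:
            out.append(f"unexpected action: {st.get('Action')}")
    return out

def audit_access(policy, bucket):
    """Findings for the access policy; bucket is the CloudFront log bucket name."""
    scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    out = []
    for st in _allows(policy):
        if "NotAction" in st or "NotResource" in st:
            out.append("NotAction/NotResource grants everything except the listed items")
        out += [f"action beyond read-only: {a}"
                for a in _list(st.get("Action", [])) if a.lower() not in READ_ONLY]
        out += [f"resource outside log bucket: {r}"
                for r in _list(st.get("Resource", [])) if r not in scope]
    return out

# Constructed samples: the account id, user name and bucket name are made up.
VENDOR = "arn:aws:iam::111122223333:user/example-vendor-user"
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": VENDOR, "Service": "s3.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "<last9-cold-storage-user>"}, "Action": "sts:AssumeRole"}]}
BAD_ACCESS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:*"], "Resource": ["arn:aws:s3:::cf-logs-example/*", "*"]}]}
if __name__ == "__main__":
    print(audit_trust(BAD_TRUST, VENDOR), audit_access(BAD_ACCESS, "cf-logs-example"))
```

An empty list from both functions means the policies match the shape shown on this page for the given principal ARN and bucket.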