This article describes the S3 bucket configuration required for the SendSafely Audit Log Export. Step 2 is only required if you are using Customer Managed KMS keys for Bucket encryption. Please note that AWS Managed KMS keys are not currently supported.

Step 1:

1) Apply the following cross-account IAM policy to your S3 bucket, where "Resource" is updated with your bucket name. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::371444783282:role/SendSafely-Log-Exporter"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
        }
    ]
}

Default AWS Managed Keys Only

• Name of the bucket
• Optional prefix - The /prefix is the logical hierarchy in the bucket. If you don't specify a prefix, the logs are placed at the root level of the bucket.

This request must be submitted by an Admin in your SendSafely portal and be sent via SendSafely secure message.

Step 2:

Customer managed KMS keys Only

If you are using Customer Managed KMS keys, please complete the following additional step:

2)  In the Key Management Service > Customer Managed Keys section, paste the below into the Key Policy tab. “Resource” should be updated with your desired Customer Managed Key ARN.

{

  "Sid": "SendSafely-Log-Exporter-Access",

  "Effect": "Allow",

  "Principal": {

    "AWS": "arn:aws:iam::371444783282:role/SendSafely-Log-Exporter"

  },

  "Action": [

    "kms:Encrypt",

    "kms:GenerateDataKey*",

    "kms:DescribeKey"

  ],

  "Resource": "[CUSTOMER_MANAGED_KEY_ARN]"

}