
Amazon S3 Audit Log Export

ALTR enables clients to export audit log data to an AWS S3 bucket, which can then be ingested into logging tools or used to trigger notifications in external systems. For instance, you can use the System Audits generated whenever a threshold is triggered to send an email to relevant parties about the threshold violation, or you can include information regarding all queries on sensitive data in your organization's Splunk logs. Audit logs are partitioned in S3 based on event time.

Configuring an S3 Bucket for Audit Log Export

The S3 bucket can exist in any AWS region.

To configure the S3 bucket:

  1. Log in to the AWS console and create a bucket.

    1. Accept all default values for bucket creation.

  2. Once the bucket is configured, contact your ALTR representative to obtain ALTR's AWS Account ID.

  3. Create an IAM Policy

    To authorize your ALTR client to put objects into the S3 bucket, you must create an IAM policy granting the s3:PutObject action. Follow the steps below to create the IAM policy.

    1. In the Find Services text box, type IAM.

    2. Click on IAM and then on the Policies menu item.

    3. Click on the Create Policy button.

    4. Click on the JSON tab and insert the policy below, replacing [bucket] with the name of the bucket you created in the previous steps.

    5. Click on the Review Policy button.

    6. Name the policy, for example “acme.s3.policy”.

    7. You should now see it listed as one of the available policies.

    IAM Policy Example

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ALTR0",
                "Effect": "Allow",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::[bucket]/*"
            }
        ]
    }
            
  4. Configure an IAM Role

    The ALTR platform will use an IAM Role to ensure it has authorization to write objects into the S3 bucket. This IAM Role will have the IAM Policy attached for granting the appropriate permissions.

    1. Click on the Create a Role button.

    2. Select the S3 use case and click on the Next: Permissions button.

    3. Search for your newly created IAM policy and click on the check box next to its name.

    4. Click on the Next: Tags button.

    5. Click on the Next: Review button.

    6. Insert a role name. The name must start with 'ALTRPublishSIEMData'. For example: “ALTRPublishSIEMDataMyRoleName”.

    7. Click on the Create Role button.

    8. Attach the IAM policy you created in the previous steps to the role.

    9. Save the role. Open the newly created role, click on the Trust Relationships tab, and click on the Edit Trust Relationship button. Insert the following JSON document, replacing the bracketed placeholders with ALTR's AWS account ID and your client ID. Contact your ALTR representative for the ALTR account ID. Your client ID can be found in ALTR by navigating to Settings > Preferences > Organization.

    10. Copy the role's ARN to a temporary location. You will need this ARN in the Configure S3 Integration in the ALTR Portal step.

    JSON Object for IAM Role

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::[ALTR-PROVIDED-ACCOUNT-ID]:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": ["[client-id]"]
            }
          }
        }
      ]
    }
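    The two IAM documents above are small, but the details matter: the bucket policy should grant nothing beyond s3:PutObject on the objects of your one bucket, and the trust policy must keep the sts:ExternalId condition, which is what prevents any other party that can get ALTR's AWS account to assume roles from assuming yours. The following checker is an added example written for this page (it is not ALTR's code or an AWS tool); it loads the two templates as given above with constructed placeholder values (a made-up bucket name, a made-up account ID, and the client ID from the page's samples) and reports deviations from the page's recommended shape. It uses only the standard library and makes no AWS calls.

```python
"""Shape checks for the bucket-write policy and the role trust policy this page
asks you to create. Pure standard library; nothing here talks to AWS."""

# Constructed sample values; replace with your own when using this for real.
BUCKET = "acme-altr-audit-logs"            # bucket name from step 1 (made up)
ALTR_ACCOUNT_ID = "111122223333"           # placeholder for ALTR's AWS account ID
CLIENT_ID = "1c42465e-4bf2-4e83-90d6-f6fbcac03634"   # ALTR client ID, as in the page's samples

# The page's IAM policy template with [bucket] filled in.
PUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ALTR0", "Effect": "Allow",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# The page's trust-policy template with both placeholders filled in.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ALTR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": [CLIENT_ID]}},
    }],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def check_put_policy(policy, bucket):
    """Return a list of findings for the bucket-write policy (empty means OK)."""
    findings = []
    statements = policy.get("Statement", [])
    if not statements:
        findings.append("policy has no statements")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        # The page grants exactly s3:PutObject; anything broader is over-privilege.
        for action in _as_list(stmt.get("Action", [])):
            if action != "s3:PutObject":
                findings.append(f"unexpected action {action}")
        # Objects under this bucket only: no wildcard bucket, no bucket-level ARN.
        for res in _as_list(stmt.get("Resource", [])):
            if res != f"arn:aws:s3:::{bucket}/*":
                findings.append(f"resource not scoped to {bucket}/*: {res}")
    return findings


def check_trust_policy(policy, altr_account_id, client_id):
    """Return findings for the role trust policy (empty means OK).

    The sts:ExternalId condition is the confused-deputy mitigation: without it,
    anyone who can make ALTR's account assume roles could assume this one."""
    findings = []
    expected_principal = f"arn:aws:iam::{altr_account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"unexpected action(s): {stmt.get('Action')}")
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if principals != [expected_principal]:
            findings.append(f"principal is not ALTR's account: {principals}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        ext_ids = _as_list(condition.get("sts:ExternalId", []))
        if not ext_ids:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif ext_ids != [client_id]:
            findings.append(f"sts:ExternalId does not match client ID: {ext_ids}")
    return findings


def role_name_ok(name):
    """The page requires the role name to start with 'ALTRPublishSIEMData'."""
    return name.startswith("ALTRPublishSIEMData")


if __name__ == "__main__":
    print("put policy:", check_put_policy(PUT_POLICY, BUCKET) or "OK")
    print("trust policy:", check_trust_policy(TRUST_POLICY, ALTR_ACCOUNT_ID, CLIENT_ID) or "OK")
    print("role name:", role_name_ok("ALTRPublishSIEMDataMyRoleName"))
```

    Run it against the JSON you are about to paste into the console; a non-empty findings list is worth fixing before you click Create Role. The same checks can be rerun later against the live role with the output of `aws iam get-role` to catch drift.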
            
  5. Configure S3 Integration in the ALTR Portal

    Caution

    Only US-East-1 buckets are supported in ALTR's portal; buckets in other regions can only be configured via API. For help, reach out to support@altr.com.

    1. Log in to the ALTR DB portal.

    2. Navigate to Settings > Preferences > Organization.

    3. Insert your bucket name into the S3 Integration “S3 Bucket Name” field.

    4. Copy the IAM Role’s ARN you saved from previous steps and paste it into the “ARN for IAM Role” field.

    5. Click on Test Access. You should receive a success message.

    6. You can now choose which data to send: activate both “Alerts” and “Query Audits”, or disable either option.

Example JSON Outputs in AWS S3

Example S3 JSON Object for Query Audit Logs

{
    "eventID": "QUERY-AUDIT-1C42465E-4BF2-4E83-90D6-F6FBCAC03634", // Event GUID automatically generated by ALTR
    "clientID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634",  // This is the ALTR client/organization ID for the tenant in which the log was generated.
    "eventDetails": {
        "actor": { //Details on the actor that executed the query, such as role, IP address, and username
            "queryTag": {},
            "roles": [
                "SAMPLE_ROLE"
            ],
            "ipAddress": "192.168.1.1",
            "client": "Go 1.1.5",
            "currentRole": "SAMPLE_ROLE",
            "username": "SAMPLE_USER"
        },
        "result": { //Details on the results of the query, including the number of rows produced and which ALTR access controls affected the query
            "tagPolicy": { //Details on the access controls that affected the query via ALTR's Snowflake Object Tag-based policy integration
                "queryTimeDecision": [ //Policy enforced as the query executed. This impacts the data returned to the user.
                    {
                        "tagValue": "Red",
                        "policyInfo": [],
                        "tagName": "EXAMPLETAG",
                        "appliedPolicy": {
                            "reason": "Allowed - no accessed tags are in any policies.",
                            "decisionType": "ALLOW",
                            "type": "user_status"
                        }
                    }
                ],
                "auditTimeDecision": [ //Policy enforced when ALTR generated the audit log for this query. This impacts any after-the-fact triggered thresholds and alerts.
                    {
                        "tagValue": "Red",
                        "policyInfo": [
                            {
                                "maskingType": "Full Mask",
                                "name": "EXAMPLE_POLICY_NAME",
                                "id": 1234,
                                "type": "lock"
                            }
                        ],
                        "tagName": "EXAMPLETAG",
                        "appliedPolicy": {
                            "reason": "Most permissive policy.",
                            "maskingType": "Full Mask",
                            "name": "EXAMPLE_POLICY_NAME",
                            "decisionType": "MOST_PERMISSIVE",
                            "id": 1234,
                            "type": "lock"
                        }
                    }
                ]
            },
            "columnPolicy": [],
            "rowCount": 1234
        },
        "query": { //Details on the query itself, such as the warehouse it ran on, the query text, and the Snowflake Query ID
            "warehouseSize": "X-Small",
            "completedTime": "2020-01-01 00:00:00.000000000Z",
            "completedTimeEpoch": 946702800000,
            "startTime": "2020-01-01 00:00:00.000000000Z",
            "startTimeEpoch": 946702800000,
            "id": "01b123a2-0603-e937-006a-b60300c5f902",
            "text": "SELECT FIRST_NAME FROM CUSTOMER_DATA WHERE ID = 'literal_string' LIMIT literal_number;",
            "sessionID": "30036471543391118",
            "warehouse": "ALTR_PRODUCT_WH",
            "type": "SELECT"
        },
        "account": { //Details on the Snowflake account in which the query ran
            "identifier": "FYA81038",
            "region": "AWS_US_WEST_2"
        }
    },
    "eventVersion": "1.0.0", //Event version, automatically generated by ALTR
    "eventTime": 946702800000, //Event time automatically generated by ALTR - typically the query completed time.
    "eventSource": "SnowflakeCI", //The ALTR application that triggered the event
    "eventName": "SnowflakeCI:QueryAudit", //The event type
    "userIdentity": { //Details on the ALTR agent that triggered the event
        "type": "SnowflakeALTRAPI",
        "databaseID": "1234"
    }
}

Example S3 JSON Object for System Audit Logs

{
    "eventTime": 946702800000, //the time the event occurred
    "eventVersion": "1.0.0", //the event version, automatically generated by ALTR
    "eventSource": "Master API", //the source of the event, either API or UI
    "eventID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634", //A GUID for the event, automatically generated by ALTR
    "eventName": "Create Lock", //The type of event
    "error": {}, //The error triggered by the event, if applicable
    "clientID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634", //The ALTR organization/client ID for the event
    "responseCode": 201, //The API response code for the event
    "category": "Locks", //the category of event
    "userIdentity": { //Information on the actor and authentication method that triggered the event
        "principalid": 123,
        "role": "SUPERADMINISTRATOR",
        "type": "JWT"
    },
    "lockAudit": { //details specific to the event type
        "id": 1234,
        "groupIds": [
            12345
        ],
        "applicationIds": [
            123
        ],
        "tags": [
            {
                "tagId": "dis-tags-1c42465e-4bf2-4e83-90d6-f6fbcac03634",
                "maskingPolicy": 10001
            }
        ]
    },
    "columnAudit": {},
    "administratorAudit": {},
    "thresholdAudit": {},
    "anomalyAudit": {},
    "applicationAudit": {},
    "databaseAudit": {},
    "usergroupAudit": {},
    "apikeysAudit": {}
}

Example S3 JSON Object for Custom Audit Logs

{
    "eventID": "custom-audit-1c42465e-4bf2-4e83-90d6-f6fbcac03634", // Event GUID automatically generated by ALTR
    "eventTime": 946702800000, // Event timestamp generated by ALTR as milliseconds from epoch. This may be the customer-supplied time or the time ALTR ingested the event.
    "eventTimeSupplied": 946702800000, // This is the customer-supplied event time as milliseconds from epoch. This will be the eventTime if no time is provided.
    "eventVersion": "1.0.0", // This is the version of the custom audit log format, automatically generated by ALTR.
    "eventSource": "SnowflakeCI", // This is the source of the custom audit log, automatically generated by ALTR.
    "eventName": "SnowflakeCI:CustomAudit", // This is the name of the log category, automatically generated by ALTR.
    "eventType": "LOGIN", // This is the customer-supplied event type.
    "clientID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634", // This is the ALTR client/organization ID for the tenant in which the log was generated, automatically generated by ALTR.
    "userIdentity": { // This is information regarding which agent submitted the audit event, automatically generated by ALTR.
        "type": "SnowflakeALTRAPI",
        "databaseID": "123"
    },
    "eventDetails": "{\"first_authentication_factor\":\"PASSWORD\",\"user_name\":\"EXAMPLE_USER\",\"client_ip\":\"192.168.1.1\"}" // These are the customer-supplied details of the event, formatted as stringified JSON.
}
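The three record shapes above share only a handful of top-level fields (eventID, clientID, eventTime, eventSource, eventName); everything a detection would key on lives in a different place in each. The normaliser below is an added example written for this page (not ALTR's code) that flattens each shape into one indexable dict: it converts the epoch-millisecond eventTime to ISO 8601, parses the stringified eventDetails of a custom audit, keeps only the populated *Audit sub-object of a system audit, and for a query audit separates the query-time tag decisions from the audit-time ones. The sample records are constructed, abbreviated copies of the page's three examples; the decision_drift field is my own derived signal, listing tags whose query-time and audit-time decisions disagree, as the page's sample shows (ALLOW at query time, a Full Mask lock at audit time).

```python
"""Flatten the three ALTR S3 audit record shapes (query, system, custom audit)
into one dict a SIEM can index. Standard library only."""
import json
from datetime import datetime, timezone

# Constructed, abbreviated copies of the page's three sample records.
QUERY_AUDIT = {
    "eventID": "QUERY-AUDIT-1C42465E-4BF2-4E83-90D6-F6FBCAC03634",
    "clientID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634",
    "eventTime": 946702800000, "eventSource": "SnowflakeCI",
    "eventName": "SnowflakeCI:QueryAudit",
    "eventDetails": {
        "actor": {"username": "SAMPLE_USER", "ipAddress": "192.168.1.1",
                  "currentRole": "SAMPLE_ROLE", "roles": ["SAMPLE_ROLE"]},
        "result": {
            "rowCount": 1234, "columnPolicy": [],
            "tagPolicy": {
                "queryTimeDecision": [{"tagName": "EXAMPLETAG", "tagValue": "Red",
                    "appliedPolicy": {"decisionType": "ALLOW", "type": "user_status"}}],
                "auditTimeDecision": [{"tagName": "EXAMPLETAG", "tagValue": "Red",
                    "appliedPolicy": {"decisionType": "MOST_PERMISSIVE",
                                      "maskingType": "Full Mask", "type": "lock"}}]}},
        "query": {"id": "01b123a2-0603-e937-006a-b60300c5f902", "type": "SELECT",
                  "text": "SELECT FIRST_NAME FROM CUSTOMER_DATA WHERE ID = 'x' LIMIT 10;",
                  "warehouse": "ALTR_PRODUCT_WH"},
        "account": {"identifier": "FYA81038", "region": "AWS_US_WEST_2"}}}

SYSTEM_AUDIT = {
    "eventID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634",
    "clientID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634",
    "eventTime": 946702800000, "eventSource": "Master API", "eventName": "Create Lock",
    "category": "Locks", "responseCode": 201, "error": {},
    "userIdentity": {"principalid": 123, "role": "SUPERADMINISTRATOR", "type": "JWT"},
    "lockAudit": {"id": 1234, "groupIds": [12345], "applicationIds": [123]},
    "columnAudit": {}, "thresholdAudit": {}, "anomalyAudit": {}}

CUSTOM_AUDIT = {
    "eventID": "custom-audit-1c42465e-4bf2-4e83-90d6-f6fbcac03634",
    "clientID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634",
    "eventTime": 946702800000, "eventTimeSupplied": 946702800000,
    "eventSource": "SnowflakeCI", "eventName": "SnowflakeCI:CustomAudit",
    "eventType": "LOGIN",
    "userIdentity": {"type": "SnowflakeALTRAPI", "databaseID": "123"},
    "eventDetails": "{\"first_authentication_factor\":\"PASSWORD\","
                    "\"user_name\":\"EXAMPLE_USER\",\"client_ip\":\"192.168.1.1\"}"}


def epoch_ms_to_iso(ms):
    """ALTR writes eventTime as milliseconds since the epoch; SIEMs want ISO 8601 (UTC)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def decisions(tag_policy, phase):
    """(tagName, decisionType, maskingType) for each entry of one decision phase."""
    return [(d["tagName"], d["appliedPolicy"]["decisionType"],
             d["appliedPolicy"].get("maskingType"))
            for d in tag_policy.get(phase, [])]


def normalize(event):
    """Return one flat dict; the record shape is selected by eventName."""
    name = event.get("eventName", "")
    out = {"event_id": event["eventID"], "client_id": event["clientID"],
           "time": epoch_ms_to_iso(event["eventTime"]),
           "source": event.get("eventSource"), "name": name}
    if name.endswith(":QueryAudit"):
        d = event["eventDetails"]
        tp = d["result"].get("tagPolicy", {})
        out.update(kind="query", actor=d["actor"]["username"],
                   src_ip=d["actor"]["ipAddress"], query_id=d["query"]["id"],
                   query_text=d["query"]["text"], row_count=d["result"]["rowCount"],
                   query_time=decisions(tp, "queryTimeDecision"),
                   audit_time=decisions(tp, "auditTimeDecision"))
        # Derived signal (not an ALTR field): tags whose query-time decision differs
        # from the audit-time one, e.g. ALLOW when the query ran, a lock seen afterwards.
        qt = {tag: dt for tag, dt, _ in out["query_time"]}
        out["decision_drift"] = sorted(tag for tag, dt, _ in out["audit_time"]
                                       if tag in qt and qt[tag] != dt)
    elif name.endswith(":CustomAudit"):
        out.update(kind="custom", event_type=event.get("eventType"),
                   time_supplied=epoch_ms_to_iso(event["eventTimeSupplied"]),
                   details=json.loads(event["eventDetails"]))  # eventDetails is stringified JSON
    else:  # system audit
        ident = event.get("userIdentity", {})
        out.update(kind="system", category=event.get("category"),
                   response_code=event.get("responseCode"),
                   actor=f'{ident.get("type")}:{ident.get("principalid")}',
                   failed=bool(event.get("error")),
                   # keep only the populated *Audit sub-object; the rest are empty
                   details={k: v for k, v in event.items() if k.endswith("Audit") and v})
    return out


if __name__ == "__main__":
    for rec in (QUERY_AUDIT, SYSTEM_AUDIT, CUSTOM_AUDIT):
        print(json.dumps(normalize(rec), indent=2))
```

In practice you would call normalize() on each object read from the bucket (for example from an S3 event notification or a Lambda triggered by object creation) and forward the flat dict to your SIEM; the time field is what the event-time partitioning in S3 is keyed on, so it is the natural index field.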