Skip to main content

Amazon S3 Audit Log Export

Export audit log data to an AWS S3 bucket, which can then be ingested into logging or analytical tools or used to trigger notifications in external systems. For instance, you can use the System Audits generated when an alert is triggered to send an email to relevant parties about the violation, or you can include information regarding all queries on sensitive data into your organizations Splunk logs. Audit logs are partitioned in S3 based on event time.

Note

To configure S3 integration, you will be switching between ALTR and AWS. Have two windows open - one for ALTR and one for AWS - to facilitate this configuration.

At a high level, to publish audit logs to your AWS S3 bucket:

In order to configure S3 integration with ALTR, you need ALTR’s AWS Account ID. This ID is used to create the IAM role.

To request ALTR’s AWS Account ID, contact ALTR Support.

ALTR publishes audit logs to your S3 bucket, which is a folder in AWS. To configure S3 with ALTR, you need the bucket name and AWS region configured for the bucket.

To create an S3 bucket:

  1. Login to AWS S3.

  2. Take note of the AWS region; you will need the region when configuring S3 integration. A bucket is created in a designated AWS region. To view or change the region, click Region in the navigation bar.

  3. Click Create bucket.

  4. Enter a unique Bucket name. Buckets can be created in different regions but are globally unique. Accept all default values for bucket creation.

  5. Click Create bucket.

Before you begin the S3 integration with ALTR, make sure you have

  • ALTR’s AWS Account ID

  • your S3 bucket name

  • the AWS Region where your bucket resides

To begin the configuration of S3 integration:

  1. Log into ALTR.

  2. Select SettingsPreferences in the Navigation menu.

  3. Click the Organization tab.

  4. Under the S3 Integration section, click Configure.

  5. Enter ALTR’s AWS Account ID.

  6. Enter the S3 Bucket Name exactly as created in AWS.

  7. Select the AWS Region where the bucket is located. This region must match the region configured for the bucket in AWS. The default is us-east-1.

  8. Set up the IAM policy and role before finishing the configuration of S3 integration.

ALTR needs permission to write to your S3 bucket. This is done by creating an IAM Policy and attaching it to a Role that grants write access to ALTR.

ALTR facilitates the configuration of S3 integration by providing JSON code that dynamically inputs your bucket name, ALTR organization ID and ALTR’s AWS account ID.

  • IAM policy—is attached to the role that grants ALTR permission to write audits to your S3 bucket. ALTR users your ALTR organization ID, which is your external ID, to grant permission.

  • IAM role—allows ALTR to write to your S3 bucket. ALTR users the ALTR AWS Account ID to write to the bucket. Once created, the ARN for the IAM role is generated, which is the ID of the role that ALTR will be assuming.

Create an IAM Policy

This policy grants the IAM role permission to write to your bucket. Use the policy JSON code provided in ALTR.

To create an IAM policy in AWS:

  1. From the S3 Integration settings in ALTR, verify the S3 Bucket Name and AWS Region have been provided.

  2. Copy the IAM policy JSON code. This has been dynamically configured with your bucket name to easily create the policy.

  3. Log into AWS to create an IAM policy.

  4. In the IAM, click the Policies menu.

  5. Click Create policy.

  6. Select S3 from the Service dropdown.

  7. Click the JSON tab.

  8. Insert the policy JSON code copied from ALTR into the Policy editor. This JSON code restricts access to only this bucket and sets the write access to PutObject. Whoever assumes this role can only write to this bucket.

  9. Click Next.

  10. Enter a Policy name, e.g., acme.s3.policy. Copy this name; it is needed in the next step to create the IAM role.

  11. (Optional) Enter a Description.

  12. Click Create policy. Your new policy is now listed as an available policy.

Create an IAM Role

This role allows ALTR to assume permission to write to your bucket. This IAM Role will have the IAM Policy attached for granting the appropriate permissions.

When creating the role:

  • Name the role using the prefix “ALTRPublishSIEMData", e.g., ALTRPublishSIEMDataMyRoleName.

  • Use the JSON code in ALTR to create the role. This code dynamically inserts your ALTR Organization ID and ALTR’s AWS Account ID.

Once the role is created, the ARN for IAM Role is generated, which is the ID of the role that ALTR will be assuming. This ARN is entered into ALTR when configuring S3 integration.

To create an IAM role:

  1. From the S3 Integration settings in ALTR, verify ALTR’s AWS Account ID has been provided.

  2. Copy the IAM role JSON code. This has been dynamically configured with your ALTR organization ID (pulled from your ALTR account) and ALTR’s AWS Account ID to easily create the role.

  3. In the IAM, click the Roles menu item.

  4. Click Create role.

  5. Select the AWS service trusted entity type.

  6. Select S3 from the Service or use case dropdown.

  7. Click Next.

  8. Search for your newly created IAM policy and click the check box next to its name. This step associates the IAM policy with the role.

  9. Click Next.

  10. Enter a Role name. The name must start with "ALTRPublishSIEMData", e.g., ALTRPublishSIEMDataMyRoleName.

  11. (Optional) Enter a Description.

  12. Click Create role.

  13. Search for and select your newly created IAM role to add the JSON copied from ALTR.

  14. Click the Trusted relationships tab.

  15. Click Edit trust policy.

  16. Replace the JSON in Edit trust policy with the role JSON code copied from ALTR. This JSON code uses your ALTR Organization ID and your Account ID to allow ALTR to write to your S3 bucket.

  17. Click Update policy; the policy summary displays.

  18. Locate the ARN in the role summary and click the copy icon. You will need this ARN in the final step to complete S3 configuration in ALTR.

To finish configuring the S3 integration:

  1. In ALTR, return to the S3 integration settings.

  2. Paste the ARN for IAM Role from the role you created in AWS.

  3. Select the audit logs to be exported to your S3 bucket.

    Note

    Vaulted Tokenization Audits are only available if your organization has access to this feature.

  4. (Optional) Click Test Access to ensure the integration was properly configured. If the test fails, ensure the integration has been correctly configured. If the error persists, contact ALTR Support for assistance.

    Note

    Once the configuration has been successfully saved, you are unable to change the AWS S3 integration details from ALTR. To update these AWS settings, contact ALTR Support.

  5. Click Save. Access is tested and if successful, S3 integration is correctly configured.

Once S3 integration has been configured, you can update the audit logs exported from ALTR to your S3 bucket.

Note

You must contact ALTR Support in order to update any of the following integration details:

  • ARN for IAM Role

  • AWS Region

  • S3 Bucket Name

To update S3 configuration:

  1. Select SettingsPreferences in the Navigation menu.

  2. Click the Organization tab.

  3. Under the S3 Integration section, click Edit.

  4. Update the audit log selection.

  5. Click Save.

{
    "eventID": "QUERY-AUDIT-1C42465E-4BF2-4E83-90D6-F6FBCAC03634", // Event GUID automatically generated by ALTR
    "clientID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634",  // This is the ALTR client/organization ID for the tenant in which the log was generated.
    "eventDetails": {
        "actor": { //Details on the actor that executed the query, such as role, IP address, and username
            "queryTag": {},
            "roles": [
                "SAMPLE_ROLE"
            ],
            "ipAddress": "192.168.1.1",
            "client": "Go 1.1.5",
            "currentRole": "SAMPLE_ROLE",
            "username": "SAMPLE_USER"
        },
        "result": { //Details on the results of the query, including the number of rows produced and which ALTR access controls affected the query
            "tagPolicy": { //Details on the access controls that affected the query via ALTR's Snowflake Object Tag-based policy integration
                "queryTimeDecision": [ //Policy enforced as the query executed. This impacts the data returned to the user.
                    {
                        "tagValue": "Red",
                        "policyInfo": [],
                        "tagName": "EXAMPLETAG",
                        "appliedPolicy": {
                            "reason": "Allowed - no accessed tags are in any policies.",
                            "decisionType": "ALLOW",
                            "type": "user_status"
                        }
                    }
                ],
                "auditTimeDecision": [ //Policy enforced when ALTR generated the audit log for this query. This impacts any after-the-fact triggered thresholds and alerts.
                    {
                        "tagValue": "Red",
                        "policyInfo": [
                            {
                                "maskingType": "Full Mask",
                                "name": "EXAMPLE_POLICY_NAME",
                                "id": 1234,
                                "type": "lock"
                            }
                        ],
                        "tagName": "EXAMPLETAG",
                        "appliedPolicy": {
                            "reason": "Most permissive policy.",
                            "maskingType": "Full Mask",
                            "name": "EXAMPLE_POLICY_NAME",
                            "decisionType": "MOST_PERMISSIVE",
                            "id": 1234,
                            "type": "lock"
                        }
                    }
                ]
            },
            "columnPolicy": [],
            "rowCount": 1234
        },
        "query": { //Details on the query itself, such as the warehouse it ran on, the query text, and the Snowflake Query ID
            "warehouseSize": "X-Small",
            "completedTime": "2020-01-01 00:00:00.000000000Z",
            "completedTimeEpoch": 946702800000,
            "startTime": "2020-01-01 00:00:00.000000000Z",
            "startTimeEpoch": 946702800000,
            "id": "01b123a2-0603-e937-006a-b60300c5f902",
            "text": "SELECT FIRST_NAME FROM CUSTOMER_DATA WHERE ID = ‘literal_string’ LIMIT literal_number;",
            "sessionID": "30036471543391118",
            "warehouse": "ALTR_PRODUCT_WH",
            "type": "SELECT"
        },
        "account": { //Details on the Snowflake account in which the query ran
            "identifier": "FYA81038",
            "region": "AWS_US_WEST_2"
        }
    },
    "eventVersion": "1.0.0", //Event version, automatically generated by ALTR
    "eventTime": 946702800000, //Event time automatically generated by ALTR - typically the query completed time.
    "eventSource": "SnowflakeCI", //The ALTR application that triggered the event
    "eventName": "SnowflakeCI:QueryAudit", //The event type
    "userIdentity": { //Details on the ALTR agent that triggered the event
        "type": "SnowflakeALTRAPI",
        "databaseID": "1234"
    }
}			
{
    "eventTime": 946702800000, //the time the event occurred
    "eventVersion": "1.0.0", //the event version, automatically generated by ALTR
    "eventSource": "Master API", //the source of the event, either API or UI
    "eventID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634", //A GUID for the event, automatically generated by ALTR
    "eventName": "Create Lock", //The type of event
    "error": {}, //The error triggered by the event, if applicable
    "clientID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634", //The ALTR organization/client ID for the event
    "responseCode": 201, //The API response code for the event
    "category": "Locks", //the category of event
    "userIdentity": { //Information on the actor and authentication method that triggered the event
        "principalid": 123,
        "role": "SUPERADMINISTRATOR",
        "type": "JWT"
    },
    "lockAudit": { //details specific to the event type
        "id": 1234,
        "groupIds": [
            12345
        ],
        "applicationIds": [
            123
        ],
        "tags": [
            {
                "tagId": "dis-tags-1c42465e-4bf2-4e83-90d6-f6fbcac03634",
                "maskingPolicy": 10001
            }
        ]
    },
    "columnAudit": {},
    "administratorAudit": {},
    "thresholdAudit": {},
    "anomalyAudit": {},
    "applicationAudit": {},
    "databaseAudit": {},
    "usergroupAudit": {},
    "apikeysAudit": {}
}
{
    "eventID": "custom-audit-1c42465e-4bf2-4e83-90d6-f6fbcac03634", // Event GUID automatically generated by ALTR
    "eventTime": 946702800000, // Event timestamp generated by ALTR as milliseconds from epoch. This may be the customer-supplied time or the time ALTR ingested the event.
    "eventTimeSupplied": 946702800000, // This is the customer-supplied even time as milliseconds from epoch. This will be the EventTime if no time is provided.
    "eventVersion": "1.0.0", // This is the version of the custom audit log format, automatically generated by ALTR.
    "eventSource": "SnowflakeCI", // This is the source of the custom audit log, automatically generated by ALTR.
    "eventName": "SnowflakeCI:CustomAudit", // This is the name of the log category, automatically generated by ALTR.
    "eventType": "LOGIN", // This is the customer-supplied event type.
    "clientID": "1c42465e-4bf2-4e83-90d6-f6fbcac03634", // This is the ALTR client/organization ID for the tenant in which the log was generated, automatically generated by ALTR.
    "userIdentity": {
        "type": "SnowflakeALTRAPI",
        "databaseID": "123" 
    }, // This is information regarding which agent submitted the audit event, automatically generated by ALTR.
    "eventDetails": "{\"first_authentication_factor\":\"PASSWORD\",\"user_name\":\"EXAMPLE_USER\",\"client_ip\":\"192.168.1.1\"}" // These are the customer-supplied details of the event, formatted as stringified JSON.
}

Alerts were previously referred to as anomalies.

{
    "id": 1274,
    "dt": "2025-03-11T20:31:39.000Z",
    "clientId": "ae5860dc-08e6-446b-8226-848fd54e0195",
    "user": {
        "id": 346,
        "trackingId": "NOAH",
        "accessStatus": "active"
    },
    "groups": [
        {
            "id": 740668,
            "name": "FINANCE",
            "description": "",
            "groupTag": "FINANCE"
        },
        {
            "id": 740669,
            "name": "FINANCE_MANAGER",
            "description": "",
            "groupTag": "FINANCE_MANAGER"
        }
    ],
    "application": {
        "id": 0,
        "name": "",
        "description": "",
        "serverStatus": "",
        "accessStatus": "",
        "creationDate": ""
    },
    "fields": [
        {
            "columnName": "FIRST_NAME",
            "databaseName": "NOAH_DEMO_DB_0",
            "tableName": "PUBLIC.CUSTOMERS"
        },
        {
            "columnName": "SSN",
            "databaseName": "NOAH_DEMO_DB_0",
            "tableName": "PUBLIC.CUSTOMERS"
        },
        {
            "columnName": "ID",
            "databaseName": "NOAH_DEMO_DB_0",
            "tableName": "PUBLIC.CUSTOMERS"
        }
    ],
    "machineId": 0,
    "locks": [
        {
            "id": 2793,
            "name": "Finance Lock"
        }
    ],
    "rule": {},
    "threshold": {
        "id": 244,
        "name": "Finance Block Threshold",
        "accessRate": 1000,
        "accessRateUnit": "minute",
        "actionTaken": "Block"
    },
    "clientName": "Noah Live Demo Org",
    "schema_version": "v1.1.0"
}