Audit Logs AWS Configuration

Audit logs setup

As part of enabling audit log shipping to your AWS S3 bucket, you need to create an AWS IAM role that Contentful can assume. This will allow Contentful to securely transfer audit logs to your AWS S3 bucket without the need to store any credentials.

Prerequisites

  • An AWS account with permissions to create IAM roles and edit S3 bucket policies.
  • Contentful's AWS account ID: 606137763417.

Step 1: Create an S3 Bucket

  1. Log in to your AWS Management Console.
  2. Navigate to S3, click Create bucket.
  3. Enter a unique bucket name and select the region where you want the bucket to reside. Note: you will need to enter this name later.
  4. Configure options as required (e.g., versioning, logging, tags).
  5. Review and create the bucket.

Step 2: Create a New IAM Policy

  1. Log in to your AWS Management Console.
  2. Navigate to IAM -> Policies -> Create policy.
  3. Select the JSON tab and paste the following policy, replacing <Your-S3-Bucket-Name> with the name of your S3 bucket (from Step 1). Make sure to keep the /* at the end so the policy covers objects inside the bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<Your-S3-Bucket-Name>/*"
    }
  ]
}
  4. Click Next, give it a meaningful name and description, and then click Create.

Step 3: Create a New IAM Role for Cross-Account Access

  1. In the IAM dashboard, go to Roles -> Create role.
  2. Select AWS Account under the "Trusted entity type" section, then in the section below select Another AWS account and enter Contentful's AWS account ID: 606137763417.
  3. Enable the option Require external ID and insert your Contentful organization ID. The primary function of the external ID is to address and prevent the confused deputy problem. You can find the organization ID in the Contentful web app.
  4. Click Next and skip attaching permissions policies for now (the policy created in Step 2 is attached in Step 4).
  5. Review, name the role, and then create it.
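The console choices in Step 3 ("Another AWS account" plus "Require external ID") are stored as the role's trust policy, which this page does not show. The following is an added Python example, not Contentful's code, that builds that trust policy and checks an existing one for the two properties that matter here: the trusted account is Contentful's, and assumption is conditioned on the sts:ExternalId. The helper names and the sample organization ID are assumptions.

```python
import json

CONTENTFUL_ACCOUNT_ID = "606137763417"  # Contentful's account ID, as given on this page


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(external_id, partner_account=CONTENTFUL_ACCOUNT_ID):
    """Trust policy for the Step 3 role: only the partner account may call
    sts:AssumeRole, and only when it presents your organization ID as the
    external ID (the confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy, partner_account=CONTENTFUL_ACCOUNT_ID):
    """Return findings for an existing trust policy; an empty list means
    the assume-role statement is scoped the way the guide intends."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws:
            findings.append("trust allows any AWS principal (*)")
        elif not any(partner_account in p for p in aws):
            findings.append(f"trust does not name account {partner_account}")
        external_ids = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_ids:
            findings.append("no sts:ExternalId condition: confused-deputy guard missing")
    return findings


if __name__ == "__main__":
    # Constructed sample organization ID; use the real one from the Contentful web app.
    good = build_trust_policy("org-example-1234")
    print(json.dumps(good, indent=2))
    print(check_trust_policy(good))  # []
    weak = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
    print(check_trust_policy(weak))
```

Run check_trust_policy against the JSON shown on the role's "Trust relationships" tab to confirm the console produced the intended document before sending the role ARN to Contentful.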

Step 4: Attach the Policy to the IAM Role

  1. Go to the newly created role in IAM -> Roles.
  2. Under "Permissions" in the Add permissions dropdown, click Attach policies.
  3. Find the policy you created in Step 2, select it, and then click Add permission.

Step 5: Configure Your S3 Bucket Policy

  1. Go to S3, find your bucket from Step 1, and then click Permissions.
  2. Edit the Bucket policy and add the following statement, replacing <Your-IAM-Role-ARN> with the ARN of the IAM role you created in Step 3 and <Your-S3-Bucket-Name> with the name of your S3 bucket. Make sure to keep the /* at the end of the bucket ARN:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<Your-IAM-Role-ARN>"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<Your-S3-Bucket-Name>/*"
    }
  ]
}
  3. Save the changes.

Step 6: Provide Contentful with the Necessary Information

Send the following details to Contentful:

  • Your AWS account ID.
  • The ARN of your S3 Bucket.
  • The ARN of the IAM role you created.
  • AWS Region.
  • Your Contentful organization ID (the one you used as the external ID in Step 3).
  • Any specific paths or prefixes within your S3 bucket where logs should be placed.

By following these steps, you've securely enabled Contentful to ship logs to your AWS S3 bucket. Contentful will use AWS STS to assume the role you've created, ensuring a secure and efficient transfer of audit log data.