To archive and restore your logs to a S3 bucket, Logz.io needs these permissions:

  • To archive to a bucket, we need s3:PutObject permissions
  • To restore archives, we need s3:ListBucket and s3:GetObject permissions

You’ll set these permissions for an AWS IAM user.

We recommend allowing all three permissions so you won’t run into any issues when you want to restore.

Sample policy

This code block shows a policy for an IAM user with all three permissions enabled:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKET-NAME>",
        "arn:aws:s3:::<BUCKET-NAME>/*"
      ]
    }
  ]
}

Testing your configuration

To confirm your IAM user has PutObject permissions, you can fill in your credentials on the Archive & restore page, and then click Test connection.

To test for ListBucket and GetObject permissions, you can use AWS CLI.

To test your IAM user permissions

Before you begin, you’ll need: AWS CLI configured with the IAM user credentials you’re testing

Create a test file

Make a new dummy file for testing purposes.

touch DELETE-logzio-test.txt
Run the tests

Test PutObject permissions by moving your dummy file to the bucket:

aws s3 mv DELETE-logzio-test.txt s3://<BUCKET-NAME>/

Test ListBucket permissions by listing the bucket contents:

aws s3 ls s3://<BUCKET-NAME>/

Test GetObject permissions by copying your dummy file to the bucket:

aws s3 cp s3://<BUCKET-NAME>/DELETE-logzio-test.txt SUCCESSFUL-GetObject-perms.txt

If all the commands are successful, we can archive and restore your logs with these IAM user credentials.