
AWS S3 Bucket Permissions & Storage Class Required for Archiving

Your AWS S3 bucket must grant Logz.io the right permissions to support Logz.io archiving and data restore.

Minimal permissions

  • Archiving - Logz.io requires s3:PutObject permissions to archive logs to an AWS S3 bucket.
  • Restoring data from archive - Logz.io requires s3:ListBucket and s3:GetObject permissions to restore data from an AWS S3 bucket.

You'll set these permissions for an AWS IAM user or role, depending on which authentication method you choose in Logz.io.

You'll also need the logzio-verified file in your bucket. This file is generated by Logz.io when you enable archiving in your account and is required as part of the Logz.io authentication process.

Tip: We recommend allowing all the mentioned permissions so you won't run into any issues when you need to restore.

AWS S3 bucket storage classes

You can determine your own requirements and choose the right S3 object storage class for your needs.

Buckets set to cold storage (S3 Glacier and S3 Glacier Deep Archive storage classes) cannot be restored from, as the files within them are not available for real-time access. See AWS documentation to learn more about storage classes in general and Amazon S3 Storage Classes.

Sample policy

This code block shows a policy with all three permissions enabled. Replace XXX with your bucket's name:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::XXX",
        "arn:aws:s3:::XXX/*"
      ]
    }
  ]
}
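The sample policy lists both the bucket ARN and the `/*` object ARN because s3:ListBucket is evaluated against the bucket itself, while s3:GetObject and s3:PutObject are evaluated against objects. The following offline check is an added example, not Logz.io code: it reports which of the permissions named on this page a policy document fails to grant. The function names and the bucket name `example-archive-bucket` are made up for illustration, and the check ignores Condition, NotAction, NotResource and Principal.

```python
import json
import re

# Actions this page names, with the kind of ARN each one is evaluated against.
REQUIRED = {
    "archive": {"s3:PutObject": "object"},
    "restore": {"s3:ListBucket": "bucket", "s3:GetObject": "object"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, ignore_case=False):
    # IAM wildcards: * matches any run of characters, ? exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _covers(stmt, action, arn):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    return (any(_wild(a, action, True) for a in _as_list(stmt.get("Action", [])))
            and any(_wild(r, arn) for r in _as_list(stmt.get("Resource", []))))

def missing_permissions(policy_json, bucket):
    """Return {capability: [actions not effectively allowed]} for one bucket."""
    stmts = _as_list(json.loads(policy_json)["Statement"])
    # Probe key: the logzio-verified file the page says must be in the bucket.
    arns = {"bucket": f"arn:aws:s3:::{bucket}",
            "object": f"arn:aws:s3:::{bucket}/logzio-verified"}
    result = {}
    for capability, actions in REQUIRED.items():
        result[capability] = []
        for action, kind in actions.items():
            hits = [s.get("Effect") for s in stmts if _covers(s, action, arns[kind])]
            # An explicit Deny always wins over any Allow.
            if "Allow" not in hits or "Deny" in hits:
                result[capability].append(action)
    return result

def sample_policy(actions, resources):  # builds constructed sample input
    stmt = {"Effect": "Allow", "Action": actions, "Resource": resources}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

BUCKET = "example-archive-bucket"  # made-up bucket name
ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:PutObject"]
PAGE_POLICY = sample_policy(ACTIONS, [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"])
OBJECTS_ONLY = sample_policy(ACTIONS, [f"arn:aws:s3:::{BUCKET}/*"])

if __name__ == "__main__":
    print(missing_permissions(PAGE_POLICY, BUCKET), missing_permissions(OBJECTS_ONLY, BUCKET))
```

A policy that names only the `/*` resource passes the archive check but is reported as missing s3:ListBucket, which is the case that surfaces later as a failed restore.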

Testing your configuration

To test PutObject permissions, you can fill in your credentials on the Archive & restore page, and then click Test connection.

To test for ListBucket and GetObject permissions, you can run tests directly from the AWS CLI.

Test your IAM permissions

Before you begin, you'll need: AWS CLI configured with the IAM credentials you're testing

1. Create a test file

Make a new dummy file for testing purposes.

touch DELETE-logzio-test.txt

2. Run the tests

Test PutObject permissions by moving your dummy file to the bucket:

aws s3 mv DELETE-logzio-test.txt s3://<BUCKET-NAME>/

Test ListBucket permissions by listing the bucket content:

aws s3 ls s3://<BUCKET-NAME>/

Test GetObject permissions by copying your dummy file from the bucket to a local file:

aws s3 cp s3://<BUCKET-NAME>/DELETE-logzio-test.txt SUCCESSFUL-GetObject-perms.txt

If all the commands are successful, Logz.io can archive and restore your logs with these credentials.

Add Power search permissions

Setting up your Power search permissions:

  1. Navigate to your AWS account and search for S3.

  2. Choose the relevant bucket on which you want to apply these permissions. It should be the same bucket you've used when setting up your S3 permissions. Once inside, click on Permissions, scroll down to Bucket policy and click on Edit.

  3. Paste the following code inside the policy. Replace the XXX with your bucket's name.

    If you don't have an existing policy, paste this code inside the editor. Otherwise, add this code to the bottom of the page.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::406095609952:user/search-archive-restore-user"
          },
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::XXX",
            "arn:aws:s3:::XXX/*"
          ]
        }
      ]
    }

  4. Click on Save changes to apply the new policy. It might take a few minutes for Logz.io to identify the new policy.

Once the new policy is updated, you'll be able to use Power search when restoring archived logs.