Security events export with Amazon S3

You can automatically export Security Events to Amazon S3, a cloud storage provider, with a daily job that runs at midnight UTC. Once set up, you don’t need to manually export Security Events from the dashboard.

Braze supports two different S3 authentication and authorization methods for setting up Amazon S3 export:

• AWS secret access key method
• AWS role ARN method

AWS secret access key method

This method generates a secret key and an access key ID that allows Braze to authenticate as a user on your AWS account to write data to your bucket.

Step 1: Create an in-app message user

To retrieve your secret access key and access key ID, you’ll need to create an in-app message user, following the instructions in Setting up your AWS account.

Step 2: Get credentials

1. After creating a new user, generate the access key and download your access key ID and secret access key.

2. Take note of these credentials somewhere or download the credential files, because you’ll need to input these into Braze later on.

Step 3: Create policy

1. Go to IAM > Policies > Create Policy to add permissions for your user.
2. Select Create Your Own Policy, which gives limited permissions so Braze can only access the specified buckets.
3. Specify a policy name of your choice.
4. Input the following code snippet into the Policy Document section. Be sure to replace “INSERTBUCKETNAME” with your bucket name. Without these permissions, the integration will fail a credentials check and not be created.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": ["arn:aws:s3:::INSERTBUCKETNAME"]
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::INSERTBUCKETNAME*", "arn:aws:s3:::INSERTBUCKETNAME/", "arn:aws:s3:::INSERTBUCKETNAME"]
        }
    ]
}

Step 4: Attach policy

1. After creating a new policy, go to Users and select your specific user.
2. In the Permissions tab, select Add Permissions, directly attach the policy, and then select that policy.

Now, you’re ready to link your AWS credentials to your Braze account!

Step 5: Link Braze to AWS

1. In Braze, go to Settings > Company Settings > Admin Settings > Security Settings and scroll to the Security Event Download section.
2. Toggle on Export to AWS S3 under Export to cloud storage and select AWS secret access key, which enables the S3 export.
3. Input the following:
   • AWS access key ID
   • AWS secret access key
   • When inputting this key, first select Test Credentials to confirm your credentials work. - AWS bucket name

4. Select Save Changes.

You’ve integrated AWS S3 into your Braze account!

AWS role ARN method

The AWS role ARN method generates a role Amazon Resource Name (ARN) that allows the Braze Amazon account to authenticate as a member of that role.

Step 1: Create policy

1. Sign in to the AWS management console as an account administrator.
2. In the AWS console, go to the IAM section > Policies, and then select Create Policy.

3. Open the JSON tab and input the following code snippet into the Policy Document section. Be sure to replace INSERTBUCKETNAME with your bucket name.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
  {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": ["arn:aws:s3:::INSERTBUCKETNAME"]
        },
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject","s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::INSERTBUCKETNAME/*"]
        }
    ]
}

4. Select Next after reviewing the policy.

5. Give the policy a name and description, and then select Create Policy.

Step 2: Create role

1. In Braze, go to Settings > Company Settings > Admin Settings > Security Settings and scroll to the Security Event Download section.
2. Select AWS Role ARN.
3. Take note of the identifiers, Braze account ID, and Braze external ID needed to create your role.

1. In the AWS console, go to the IAM section > Roles > Create Role.
2. Select Another AWS Account as the trusted entity selector type.
3. Provide your Braze account ID, check the Require external ID box, and then enter your Braze external ID.
4. Select Next when complete.

Step 3: Attach policy

1. Search for the policy you created earlier in the search bar, and then place a checkmark next to the policy to attach it.
2. Select Next.

3. Give the role a name and a description, and select Create Role.

Your newly created role will appear in the list!

Step 4: Link to Braze AWS

1. In the AWS Console, find your newly created role in the list. Select the name to open up the details of that role, and take note of the ARN.

2. In Braze, go to Settings > Company Settings > Admin Settings > Security Settings and scroll to the Security Event Download section.

3. Make sure AWS role ARN is selected, then input your role ARN and AWS S3 bucket name in the designated fields.
4. Select Test Credentials to confirm your credentials work properly.
5. Select Save Changes.

You’ve integrated AWS S3 into your Braze account!