1). Created Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::aws-cloudtrail-logs-715178913690-6df5db81",
                "arn:aws:s3:::aws-cloudtrail-logs-715178913690-6df5db81/*"
            ]
        }
    ]
}
2). Created IAM Group with the policy from #1
3). Create IAM User that belongs to the group from #2
4). Pull API Access Key and Secret Key from the user created in step #3
5). Modify the CloudTrail S3 bucket to add this policy
{
    "Sid": "",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::715178913691:user/Rapid7"
    },
    "Action": "s3:List*",
    "Resource": [
        "arn:aws:s3:::aws-cloudtrail-logs-715178913690-6df5db81",
        "arn:aws:s3:::aws-cloudtrail-logs-715178913690-6df5db81/*"
    ]
},
{
    "Sid": "",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::715178913691:user/Rapid7"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::aws-cloudtrail-logs-715178913690-6df5db81/*"
}
6). Plug this into Rapid7
https://docs.rapid7.com/insightidr/aws-cloudtrail-api/
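
An added example for step 5, not part of the original notes: a bucket has a single policy document and saving a new one replaces it, so the two statements have to be appended to the Statement array already on the bucket rather than pasted over it. The sketch below audits the statements for read-only scope and merges them; EXISTING is a constructed stand-in for the policy already on the bucket, and the function names are hypothetical.

```python
import copy

BUCKET = "aws-cloudtrail-logs-715178913690-6df5db81"  # bucket name from the page
READER = "arn:aws:iam::715178913691:user/Rapid7"      # principal from the page

# Constructed stand-in for the policy already on the bucket (assumption).
EXISTING = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSCloudTrailWrite", "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/*"}]}

# The two statements from step 5.
READER_STATEMENTS = [
    {"Sid": "", "Effect": "Allow", "Principal": {"AWS": READER},
     "Action": "s3:List*",
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    {"Sid": "", "Effect": "Allow", "Principal": {"AWS": READER},
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(stmt, bucket):
    """Return reasons a statement is broader than read-only on `bucket`."""
    problems = []
    principal = stmt.get("Principal")
    # A bare "*" or a missing Principal yields no named AWS principal.
    aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    if not aws or "*" in aws:
        problems.append("no specific AWS principal")
    for action in as_list(stmt.get("Action", [])):
        if not action.startswith(("s3:Get", "s3:List")):
            problems.append(f"action {action} is not read-only")
    arn = f"arn:aws:s3:::{bucket}"
    for res in as_list(stmt.get("Resource", [])):
        if res != arn and not res.startswith(arn + "/"):
            problems.append(f"resource {res} is outside the bucket")
    return problems

def merge(existing, additions, bucket):
    """Append audited statements to a copy of `existing`, skipping duplicates."""
    merged = copy.deepcopy(existing)
    for stmt in additions:
        problems = audit(stmt, bucket)
        if problems:
            raise ValueError("; ".join(problems))
        if stmt not in merged["Statement"]:
            merged["Statement"].append(copy.deepcopy(stmt))
    return merged
```

Serialize the result of merge() with json.dumps to get the document to save as the bucket policy.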