InsightIDR S3 Archiving allows you to utilize the storage capabilities of Amazon Web Services’ S3 storage to retain a copy of your InsightIDR search data under your own control.
After you configure this feature, S3 Archiving sends all new InsightIDR search data to an AWS S3 Bucket according to your specifications. Once a day, the bucket receives all of the data from the previous day. The first day of data will be delivered approximately 24 hours after setup. The exported data will be in the same format as it appears in the Log Search interface, so it will be parsed and attributed where applicable.
To use an S3 bucket and archive your data from InsightIDR:
Configure an AWS S3 Bucket
In your AWS Account, identify the S3 bucket you want to use to store InsightIDR data. To create an S3 bucket, follow the directions here: https://docs.aws.amazon.com/AmazonS3/latest/gsg/CreatingABucket.html
To configure the S3 bucket to grant permissions to InsightIDR:
- Log on to your AWS Account.
- In the top left corner, select Services > Storage > S3.
- Click the + Create Bucket link to create a new bucket, or select the All Buckets view and search for the existing S3 bucket you want to use.
- Select the Permissions tab and then select the Access Control List button.
- Select the Add Account button and paste the following account ID:
  This is the Insight platform AWS account that delivers data to the S3 bucket. After entering the account, AWS may shorten this account name to “archive.”
- Grant the following permissions for the account:
  - List Objects
  - Write Objects
  - Read bucket permissions
  - Write bucket permissions
- Click the Save button.
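Once the ACL is saved, it is worth confirming that the archive account holds all four grants and that no other grantee was added along the way. The following is an added example, not Rapid7's code: it audits a dict shaped like the response of boto3's `get_bucket_acl`. The sample ACL is constructed, and `ARCHIVE_ID` and the owner ID are placeholders (it is an assumption that the ID pasted in the Add Account step appears as the grantee ID in the ACL).

```python
# Added example: audit a bucket ACL against the four grants in the steps above.
# Console label -> S3 ACL permission name.
REQUIRED = {
    "List Objects": "READ",
    "Write Objects": "WRITE",
    "Read bucket permissions": "READ_ACP",
    "Write bucket permissions": "WRITE_ACP",
}
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Placeholder (assumption): the ID pasted in the Add Account step, as it
# appears in the ACL's grantee entry.
ARCHIVE_ID = "INSIGHT-ARCHIVE-ID-PLACEHOLDER"

def audit_acl(acl, archive_id):
    """Return (missing console labels, unexpected grants) for an ACL dict
    shaped like boto3.client("s3").get_bucket_acl(Bucket=...)."""
    owner_id = acl["Owner"]["ID"]
    granted, unexpected = set(), []
    for grant in acl["Grants"]:
        grantee, perm = grant["Grantee"], grant["Permission"]
        who = grantee.get("ID") or grantee.get("URI", "")
        if who == archive_id:
            # On a bucket, FULL_CONTROL is exactly the four permissions.
            granted |= set(REQUIRED.values()) if perm == "FULL_CONTROL" else {perm}
        elif who != owner_id:
            # Any other grantee is out of scope; public groups are flagged.
            unexpected.append((who, perm, who in PUBLIC_GROUPS))
    missing = sorted(label for label, p in REQUIRED.items() if p not in granted)
    return missing, unexpected

# Constructed sample: one grant is missing and the bucket is publicly listable.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": ARCHIVE_ID}, "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": ARCHIVE_ID}, "Permission": "WRITE"},
        {"Grantee": {"Type": "CanonicalUser", "ID": ARCHIVE_ID}, "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    missing, unexpected = audit_acl(SAMPLE_ACL, ARCHIVE_ID)
    print("missing grants:", missing)
    print("unexpected grantees:", unexpected)
```

An empty result for both lists means the archive account has exactly the access the steps describe and nobody else besides the bucket owner does.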
Configure S3 Archiving in InsightIDR
After you configure permissions in the S3 bucket to receive data from InsightIDR, you must configure InsightIDR to archive data to the bucket. To enable data archiving:
- Sign in to InsightIDR.
- Select the Settings page on the left-hand menu.
- Select the S3 Archiving option at the bottom of the list.
- Toggle on the Enable S3 Archiving setting.
- Enter the exact name of the S3 bucket that you created on your AWS account to store your InsightIDR archived log data.
- Click the Save button.
If InsightIDR can verify your settings, a success banner will display.
If the verification process to add this account fails, please contact Rapid7 Support to have the bucket added manually to the account.
Here are the supported regions for S3 Archiving: