You must use SFTP (SSH File Transfer Protocol) and a valid public key in order to retrieve data from your Amazon S3 bucket. Currently Amazon Web Services supports the following SFTP clients:
- OpenSSH (Macintosh and Linux)
- WinSCP (Microsoft Windows-only)
- Cyberduck (Windows, Macintosh, and Linux)
- FileZilla (Windows, Macintosh, and Linux)
Note that SFTP is the only way to access the S3 bucket.
Note. We should also mention that Amazon’s SFTP Transfer service is not yet available in the China AWS region (although the service is expected soon).
If your organization needs to set up an allow list for data retrieval -- that is, if you need to limit data retrieval to a specific set of IP addresses -- Akamai has configured a pair of static IP addresses for each Identity Cloud region:
|Region||DNS Entry||IP Address 1||IP Address 2|
|North America (Virginia)||22.214.171.124||126.96.36.199|
|North America (Canada)||http://eventdelivery.multi.prod.cc.janrain.com||188.8.131.52||184.108.40.206|
|South America (Sao Paulo)||http://eventdelivery.multi.prod.sp.janrain.com||220.127.116.11||18.104.22.168|
For example, in the US your allow list for SIEM data retrieval would include these two IP addresses:
When SIEM Event Delivery is activated, you’ll get back an API response similar to the following:
The uri and the user fields are especially important: that’s the information needed to access your S3 bucket. As noted elsewhere, each organization is given a single user account (the user field), with the username composed of user_ followed by your application ID (for example, user_htb8fuhxnf8e38jrzub3c7pfrr). All users who access the S3 bucket must log on using this same username (as well as an SSH key associated with the S3 bucket).
Meanwhile, the uri field specifies the URL for your S3 bucket. In the preceding example, that URL is sftp://firstname.lastname@example.org.
The exact steps required to access your S3 bucket depend on which SFTP client you use. For example, if you use Cyberduck you’ll need to follow a procedure similar to this:
- Start Cyberduck and then click Open Connection:
- In the dropdown dialog, set the protocol to SFTP (SSH File Transfer Protocol):
- Type the URL to your Amazon S3 bucket (for example, sftp://email@example.com) in the Server field and the port number for the S3 bucket in the Port field:
- Enter your S3 bucket username (e.g., user_htb8fuhxnf8e38jrzub3c7pfrr) in the Username field. Leave thePassword field blank:
- Click SSH Private Key and then select the private key you are using for S3 access. Keep in mind that the corresponding public key must have already been associated with the S3 bucket:
- When you are finished, click Connect:
After the connection is made, your SIEM event files will appear in the Cyberduck window.
To download a file, right click the file name and then click either:
- Download (to download the file directly to your Downloads folder).
- Download As (which enables you to specify a different file name and/or download location).
- Download To (which lets you change the download location but not the file name).
To remove a file from the S3 bucket, right-click the file name and then click Delete.