What are external data sources?

External data sources are S3 buckets and other file systems that C1 has the permissions to read and write. External data sources can be used for:
  • Pushing audit logs for offline storage
  • Pushing audit logs for consumption into your SIEM
  • Ingesting application data

Set up an S3 data source

This task requires the Super Administrator role in C1 and the ability to create an IAM Role in AWS.
C1 uses an IAM trust relationship between your AWS account and C1’s service AWS account to integrate with S3. This is the AWS-recommended method of sharing access to AWS accounts. C1 has a specially created and isolated AWS account dedicated to the AWS integration.

Step 1: Get a C1-provided External ID for the AWS IAM Role

1. Log into C1.
2. Navigate to Integrations > External data sources.
3. Click Add data source.
4. Choose who will own and manage this integration, then click Create and add details.
5. The S3 bucket integration form opens. Copy and save the External ID generated for you by C1. You’ll use this value in Step 2.

Step 2: Create an AWS IAM Role for C1

1. In a new browser tab, navigate to AWS and sign into your AWS account.
2. Navigate to the Identity and Access Management (IAM) dashboard.
3. Click Roles > Create Role.
4. Select Custom Trust Policy and paste the following code into the Trust Policy JSON editor, replacing <EXTERNAL ID FROM C1> with the value you saved in Step 1.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::765656841499:role/ConductorOneS3DatasourceService"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<EXTERNAL ID FROM C1>"
        }
      }
    }
  ]
}
5. Click Next.
6. Do not make any changes on the Add permissions page. Click Next.
7. On the Name, review, and create page, in the Role Name field, enter C1Integration.
8. Optional. Add any tags relevant to your organization.
9. Click Create role.

Step 3: Assign policy to C1Integration AWS role

1. Back on the Roles page, click on the newly created C1Integration role to view the role’s details.
2. Under Permissions Policies, click Add Permissions and select Create Inline Policy.
3. Click the JSON Editor tab and paste in the following code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAttributes",
        "s3:ListBucket", 
        "s3:GetBucketLocation", 
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKET NAME>",
        "arn:aws:s3:::<BUCKET NAME>/*"
      ]
    }
  ]
}
If you plan to use this S3 bucket only for application data syncs, so that read-only access is sufficient, you can safely omit "s3:PutObject" from the policy.
1. Click Review Policy.
2. In the Name field, enter C1Permissions.
3. Click Create policy.
4. Copy and save the Role ARN for the newly created policy. The Role ARN is formed as arn:aws:iam::<UNIQUE STRING>:role/ConductorOneIntegration. You’ll use this value in Step 4.

[Image: Detail view of the C1Integration role, with the Role ARN copy function shown displaying ARN Copied.]

Step 4: Configure the external data source in C1

1. Return to the C1 Integrations > External data sources page if necessary and navigate to your newly created external data source.
2. Paste the Role ARN you generated in Step 2 into the Role ARN field.
3. Enter the name of the S3 bucket that contains the files you want to use in C1 in the S3 bucket field.
4. Click Save.
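
The trust policy from Step 2 is only safe once the External ID placeholder has been replaced and the principal is limited to the C1 service role, and the inline policy from Step 3 should stay scoped to the one bucket. The following check is an added example, not part of C1's documentation or tooling. The function names, the sample policy and the rule of matching the condition key exactly as it is spelled on this page are assumptions made for illustration.

```python
import json

# Principal and action set copied from the policies on this page.
C1_PRINCIPAL = "arn:aws:iam::765656841499:role/ConductorOneS3DatasourceService"
DOCUMENTED_ACTIONS = {"s3:GetObject", "s3:GetObjectAttributes", "s3:ListBucket",
                      "s3:GetBucketLocation", "s3:PutObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy_json):
    statements = _as_list(json.loads(policy_json)["Statement"])
    return [s for s in statements if s.get("Effect") == "Allow"]

def check_trust_policy(policy_json):
    """Return problems in the role trust policy (empty list means it passed)."""
    problems = []
    for st in _allow_statements(policy_json):
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if aws != [C1_PRINCIPAL]:
            problems.append("principal is not exactly the C1 service role")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not isinstance(ext_id, str) or not ext_id or "<" in ext_id:
            problems.append("sts:ExternalId is missing or still the placeholder")
    return problems

def check_permissions_policy(policy_json, bucket):
    """Return problems in the inline policy for the given bucket name."""
    problems = []
    in_bucket = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _allow_statements(policy_json):
        extra = set(_as_list(st.get("Action", []))) - DOCUMENTED_ACTIONS
        if extra:
            problems.append(f"actions beyond the documented set: {sorted(extra)}")
        stray = set(_as_list(st.get("Resource", []))) - in_bucket
        if stray:
            problems.append(f"resources outside the bucket: {sorted(stray)}")
    return problems

# Constructed sample: the page's trust policy with the placeholder left in.
UNFILLED_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": C1_PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "<EXTERNAL ID FROM C1>"}}}]})

if __name__ == "__main__":
    print(check_trust_policy(UNFILLED_TRUST))
```

Run both checks on the JSON you are about to paste into the IAM editors; an empty list from each means the policy matches what this page documents.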