Update and document AWS S3 Connector CloudFormation templates
Is your feature request related to a problem? Please describe.
The documentation for integrating AWS logs into Sentinel only mentions usage of the PowerShell scripts and a manual setup procedure. There are some CloudFormation templates in the repository in https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/AWS-S3/CloudFormation, but they are incomplete and not documented.
In particular, the template https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/CloudFormation/cloudformationtemplateforAWSS3.txt doesn't use the OIDC provider deployed by https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/CloudFormation/OIDCWebIdProvider.json.
Describe the solution you'd like
Please provide updated CloudFormation and/or Terraform templates for the AWS S3 Data Connector, document their usage properly and maintain them as first-class citizens in the repository.
It's really not commonplace that AWS infrastructure is deployed ad-hoc with PowerShell scripts. Terraform and CloudFormation are the dominant tools on this platform, and AWS infrastructure engineers typically do not use PowerShell for scripting. Furthermore, ad-hoc deployments are a very bad practice, especially when other infrastructure is already managed with proper IaC tooling.
Describe alternatives you've considered
The CloudFormation template can be adapted without too much effort, but the documentation for manual integration is incomplete and doesn't properly describe which permissions are actually required. This leads to a lot of trial-and-error - or figuring out what the overly complicated PowerShell scripts actually do.
Additional context
In #4398, some CloudFormation templates were requested and delivered, but they were not kept up to date, and they're not even mentioned in the documentation or the README.
Hello @srgoni, thanks for flagging this issue. We will investigate this issue and get back to you with some updates. Thanks!
I was thinking it was just me, but this particular data connector in Sentinel Hub and packages needs a lot of work. As OP mentioned, I'm facing similar issues and none of this makes sense. Geez louise, pulling my hair out trying to figure this out.
AWS also provides guidance, including a CloudFormation template based on the recommended integration method: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/ingest-analyze-aws-security-logs-sentinel.html
I think it's easier to understand and follow.