
Amazon S3

You can set up Wallarm to send files with information about detected hits to your Amazon S3 bucket. The information is sent as JSON-format files every 10 minutes.

Data fields for each hit:

  • time - date and time of hit detection in the Unix Timestamp format

  • request_id

  • ip - attacker's IP

  • datacenter, tor, remote_country - hit source type

  • application_id

  • domain

  • method

  • uri

  • protocol

  • status_code

  • attack_type

  • block_status

  • payload

  • point

  • tags

Files are saved to your S3 bucket using the naming convention wallarm_hits_{timestamp}.json or wallarm_hits_{timestamp}.jsonl. The format, either a JSON Array or New Line Delimited JSON (NDJSON), depends on your choice during integration setup.

Setting up integration

When setting up the integration with Amazon S3, you need to decide which authorization method you will use:

  • Via role ARN (recommended) - using roles with the external ID option to grant access to resources is the method recommended by AWS, as it increases security and prevents "confused deputy" attacks. Wallarm provides an external ID that is unique to your organization account.

  • Via secret access key - the more common and simpler method, requiring the shared access key of your AWS IAM user. If you select this method, it is recommended to use the access key of a separate IAM user whose only permission is writing to the S3 bucket used in the integration.

To set up an Amazon S3 integration:

  1. Create an Amazon S3 bucket for Wallarm following the instructions.

  2. Perform the steps for the selected authorization method.

    Via role ARN:

    1. In AWS UI, navigate to S3 → your bucket → Properties tab and copy the code of your bucket's AWS Region and Amazon Resource Name (ARN).

      For example, us-west-1 as a region and arn:aws:s3:::test-bucket-json as ARN.

    2. In the Wallarm Console UI, open the Integrations section.

    3. Click the AWS S3 block or click the Add integration button and choose AWS S3.
    4. Enter an integration name.
    5. Enter the previously copied AWS region code of your S3 bucket.
    6. Enter your S3 bucket name.
    7. Copy the provided Wallarm account ID.
    8. Copy the provided external ID.
    9. In AWS UI, start creating a new role under IAM → Access Management → Roles.
    10. Select AWS account → Another AWS Account as the trusted entity type.
    11. Paste the Wallarm Account ID.
    12. Select Require external ID and paste the external ID provided by Wallarm.
    13. Click Next and create a policy for your role:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "s3:PutObject",
                  "Resource": "<YOUR_S3_BUCKET_ARN>/*"
              }
          ]
      }
      
    14. Complete the role creation and copy the role's ARN.

    15. In the Wallarm Console UI, in your integration creation dialog, at the Role ARN tab, paste your role's ARN.

    Via secret access key:

    1. In AWS UI, navigate to S3 → your bucket → Properties tab and copy the code of your bucket's AWS Region, for example us-west-1.
    2. Navigate to IAM → Dashboard → Manage access keys → Access keys section.
    3. Get the ID of an access key you have stored, or create a new key or restore a lost one as described here. Either way, you will need your active key and its ID.
    4. In the Wallarm Console UI, open the Integrations section.
    5. Click the AWS S3 block or click the Add integration button and choose AWS S3.
    6. Enter an integration name.
    7. Enter the previously copied AWS region code of your S3 bucket.
    8. Enter your S3 bucket name.
    9. At the Secret access key tab, enter the access key ID and the key itself.
  3. Select the format for Wallarm data: either a JSON Array or a New Line Delimited JSON (NDJSON).

  4. Make sure that in the Regular notifications section, hits in the last 10 minutes is selected to be sent. If it is not selected, data will not be sent to the S3 bucket.

  5. Test the integration and make sure the settings are correct.

  6. Click Add integration.
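The role ARN method above relies on two things being right in the role you create: the trust policy must require the Wallarm-provided external ID (the "confused deputy" protection the authorization section describes), and the permissions policy from step 13 must grant only s3:PutObject on the one bucket. The following is an added example, not Wallarm's or AWS's code, that checks both properties on the policy documents before you paste the role ARN into Wallarm Console. The account ID, external ID and the weak policies are constructed placeholders; the bucket ARN is the docs' own example.

```python
"""Sanity-check the IAM role used for the Wallarm S3 integration (added example).

Placeholders: WALLARM_ACCOUNT_ID and EXTERNAL_ID stand in for the values shown
in Wallarm Console; replace them with your own before running against real
policy documents (e.g. the JSON returned by `aws iam get-role` and
`aws iam get-role-policy`).
"""
from __future__ import annotations

WALLARM_ACCOUNT_ID = "111122223333"                 # placeholder
EXTERNAL_ID = "wallarm-external-id-PLACEHOLDER"     # placeholder
BUCKET_ARN = "arn:aws:s3:::test-bucket-json"        # example ARN from the docs
ALLOWED_ACTIONS = {"s3:PutObject"}                  # the only action the docs require


def _as_list(value) -> list:
    """IAM allows scalars or lists in Action/Resource/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, account_id: str, external_id: str) -> list[str]:
    """Findings for the role's trust policy: the only principal allowed to assume the
    role must be the Wallarm account, and it must present the external ID."""
    findings: list[str] = []
    expected_principals = {account_id, f"arn:aws:iam::{account_id}:root"}
    saw_assume = False
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        saw_assume = True
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not aws or any(p not in expected_principals for p in aws):
            findings.append(f"trust: principal {aws} is not limited to account {account_id}")
        condition = st.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            findings.append("trust: sts:ExternalId condition missing or wrong "
                            "(confused-deputy protection absent)")
    if not saw_assume:
        findings.append("trust: no statement allows sts:AssumeRole")
    return findings


def check_permissions_policy(policy: dict, bucket_arn: str) -> list[str]:
    """Findings for the role's permissions policy: nothing beyond s3:PutObject,
    and only on objects inside the integration bucket."""
    findings: list[str] = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        extra = set(_as_list(st.get("Action", []))) - ALLOWED_ACTIONS
        if extra:  # catches s3:* and any wildcard, since those are not in ALLOWED_ACTIONS
            findings.append(f"permissions: actions beyond s3:PutObject granted: {sorted(extra)}")
        resources = set(_as_list(st.get("Resource", [])))
        if resources != {f"{bucket_arn}/*"}:
            findings.append(f"permissions: resource {sorted(resources)} is not exactly {bucket_arn}/*")
    return findings


def check_role(trust: dict, permissions: dict, account_id: str = WALLARM_ACCOUNT_ID,
               external_id: str = EXTERNAL_ID, bucket_arn: str = BUCKET_ARN) -> list[str]:
    """Empty list means the role matches what the integration needs and nothing more."""
    return check_trust_policy(trust, account_id, external_id) + check_permissions_policy(permissions, bucket_arn)


# Constructed sample: what AWS generates for "Another AWS account" + "Require external ID".
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{WALLARM_ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
}]}
# The permissions policy from step 13 of the docs, with the bucket ARN filled in.
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*",
}]}
# Constructed weak variants: external ID forgotten, and a bucket-wide wildcard grant.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{WALLARM_ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
}]}
WEAK_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*",
}]}

if __name__ == "__main__":
    for label, trust, perms in (("good role", GOOD_TRUST, GOOD_PERMS), ("weak role", WEAK_TRUST, WEAK_PERMS)):
        print(label, "->", check_role(trust, perms) or "OK")
```

Run it as-is to see the weak role flagged on all three points; to check a real role, load the two policy documents from the AWS CLI output and pass them to check_role with your own account ID, external ID and bucket ARN.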

To control the amount of stored data, it is recommended to set up automatic deletion of old objects from your Amazon S3 bucket as described here.

Testing integration

Integration testing lets you check the configuration correctness, the availability of the Wallarm Cloud, and the format of the sent data. To test the integration, use the Test integration button when creating or editing the integration.

For Amazon S3, the integration test sends a JSON file with data into your bucket. Here is an example of the JSON file with data on hits detected in the last 10 minutes, in each of the two formats:

JSON Array:

[
{
    "time":"1687241470",
    "request_id":"d2a900a6efac7a7c893a00903205071a",
    "ip":"127.0.0.1",
    "datacenter":"unknown",
    "tor":"none",
    "remote_country":null,
    "application_id":[
        -1
    ],
    "domain":"localhost",
    "method":"GET",
    "uri":"/etc/passwd",
    "protocol":"none",
    "status_code":499,
    "attack_type":"ptrav",
    "block_status":"monitored",
    "payload":[
        "/etc/passwd"
    ],
    "point":[
        "uri"
    ],
    "tags":{
        "lom_id":7,
        "libproton_version":"4.4.11",
        "brute_counter":"c188cd2baa2cefb3f3688cb4008a649e",
        "wallarm_mode":"monitoring",
        "final_wallarm_mode":"monitoring"
    }
},
{
    "time":"1687241475",
    "request_id":"b457fccec9c66cdb07eab7228b34eca6",
    "ip":"127.0.0.1",
    "datacenter":"unknown",
    "tor":"none",
    "remote_country":null,
    "application_id":[
        -1
    ],
    "domain":"localhost",
    "method":"GET",
    "uri":"/etc/passwd",
    "protocol":"none",
    "status_code":499,
    "attack_type":"ptrav",
    "block_status":"monitored",
    "payload":[
        "/etc/passwd"
    ],
    "point":[
        "uri"
    ],
    "tags":{
        "lom_id":7,
        "libproton_version":"4.4.11",
        "brute_counter":"c188cd2baa2cefb3f3688cb4008a649e",
        "wallarm_mode":"monitoring",
        "final_wallarm_mode":"monitoring"
    }
}
]

NDJSON:

{"time":"1687241470","request_id":"d2a900a6efac7a7c893a00903205071a","ip":"127.0.0.1","datacenter":"unknown","tor":"none","remote_country":null,"application_id":[-1],"domain":"localhost","method":"GET","uri":"/etc/passwd","protocol":"none","status_code":499,"attack_type":"ptrav","block_status":"monitored","payload":["/etc/passwd"],"point":["uri"],"tags":{"lom_id":7,"libproton_version":"4.4.11","brute_counter":"c188cd2baa2cefb3f3688cb4008a649e","wallarm_mode":"monitoring","final_wallarm_mode":"monitoring"}}
{"time":"1687241475","request_id":"b457fccec9c66cdb07eab7228b34eca6","ip":"127.0.0.1","datacenter":"unknown","tor":"none","remote_country":null,"application_id":[-1],"domain":"localhost","method":"GET","uri":"/etc/passwd","protocol":"none","status_code":499,"attack_type":"ptrav","block_status":"monitored","payload":["/etc/passwd"],"point":["uri"],"tags":{"lom_id":7,"libproton_version":"4.4.11","brute_counter":"c188cd2baa2cefb3f3688cb4008a649e","wallarm_mode":"monitoring","final_wallarm_mode":"monitoring"}}
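The consumer side of this integration is left to you: something has to read the wallarm_hits_{timestamp}.json or .jsonl objects described under the data fields section and turn them into something a responder can act on. The following is an added example, not Wallarm's own code, that parses both file formats (selected by the object name, as the naming convention implies), normalises the field types the samples above show (time is a string Unix timestamp, application_id is a list, remote_country may be null) and summarises hits by attack type and block status. The two sample records are copied from the test-file example above; the S3 download itself (for example boto3 get_object) is assumed to happen elsewhere and the object body text is passed in.

```python
"""Parse and summarise Wallarm hit export files (JSON Array or NDJSON). Added example."""
from __future__ import annotations

import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample files: the two hits from the docs' test-file example, once as the
# JSON Array variant and once as the NDJSON variant, keyed by the object name Wallarm uses.
_HIT_A = ('{"time":"1687241470","request_id":"d2a900a6efac7a7c893a00903205071a","ip":"127.0.0.1",'
          '"datacenter":"unknown","tor":"none","remote_country":null,"application_id":[-1],'
          '"domain":"localhost","method":"GET","uri":"/etc/passwd","protocol":"none","status_code":499,'
          '"attack_type":"ptrav","block_status":"monitored","payload":["/etc/passwd"],"point":["uri"],'
          '"tags":{"lom_id":7,"libproton_version":"4.4.11","wallarm_mode":"monitoring",'
          '"final_wallarm_mode":"monitoring"}}')
_HIT_B = _HIT_A.replace("1687241470", "1687241475").replace(
    "d2a900a6efac7a7c893a00903205071a", "b457fccec9c66cdb07eab7228b34eca6")
SAMPLE_FILES = {
    "wallarm_hits_1687241600.json": "[\n" + _HIT_A + ",\n" + _HIT_B + "\n]\n",
    "wallarm_hits_1687241600.jsonl": _HIT_A + "\n" + _HIT_B + "\n",
}


def parse_hits_file(object_name: str, body: str) -> list[dict]:
    """Return the hit records in one exported file.

    The format follows from the object name: .jsonl is one JSON object per line
    (blank lines tolerated), .json is a single JSON array of objects.
    """
    if object_name.endswith(".jsonl"):
        return [json.loads(line) for line in body.splitlines() if line.strip()]
    if object_name.endswith(".json"):
        data = json.loads(body)
        if not isinstance(data, list):
            raise ValueError(f"{object_name}: expected a JSON array of hits")
        return data
    raise ValueError(f"{object_name}: not a wallarm_hits_* export file")


def normalise_hit(hit: dict) -> dict:
    """Flatten a raw hit into the fields an analyst pivots on, with proper types:
    `time` arrives as a string Unix timestamp, `application_id`/`payload`/`point`
    as lists, and the source fields may be "unknown", "none" or null."""
    tags = hit.get("tags") or {}
    return {
        "detected_at": datetime.fromtimestamp(int(hit["time"]), tz=timezone.utc),
        "request_id": hit["request_id"],
        "ip": hit["ip"],
        "source": {k: hit.get(k) for k in ("datacenter", "tor", "remote_country")},
        "application_ids": list(hit.get("application_id") or []),
        "request": f'{hit["method"]} {hit["domain"]}{hit["uri"]}',
        "status_code": hit.get("status_code"),
        "attack_type": hit["attack_type"],
        "block_status": hit["block_status"],
        "payloads": list(hit.get("payload") or []),
        "points": list(hit.get("point") or []),
        "final_mode": tags.get("final_wallarm_mode"),
    }


def summarise(hits: list[dict]) -> dict:
    """Counts by attack type and block status, the time window covered, and the
    request IDs of hits that were only monitored (the sample's block_status value),
    i.e. requests that reached the application and deserve a look first."""
    norm = [normalise_hit(h) for h in hits]
    times = [h["detected_at"] for h in norm]
    return {
        "total": len(norm),
        "by_attack_type": dict(Counter(h["attack_type"] for h in norm)),
        "by_block_status": dict(Counter(h["block_status"] for h in norm)),
        "window": (min(times), max(times)) if times else None,
        "monitored_request_ids": [h["request_id"] for h in norm if h["block_status"] == "monitored"],
    }


if __name__ == "__main__":
    for name, body in SAMPLE_FILES.items():
        print(name, "->", summarise(parse_hits_file(name, body)))
```

Both sample files yield the same summary, which is the property to rely on when switching the integration between the JSON Array and NDJSON settings: downstream tooling keyed on the object suffix keeps working either way.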

Updating integration

To update the settings of active integration:

  1. Go to Wallarm Console → Integrations in the US or EU Cloud.

  2. Open an active integration.

  3. Make required changes and click Save.

Disabling integration

To stop sending reports and notifications temporarily, you can disable the integration:

  1. Go to Wallarm Console → Integrations in the US or EU Cloud.

  2. Open an active integration and click Disable.

To re-enable sending reports and notifications, open the disabled integration and click Enable.

Disabling the integration is a system event. If you receive system notifications, messages about the disabled integration will be sent to the configured system.

Deleting integration

To stop sending reports and notifications permanently, you can delete the integration. Deleting an integration cannot be undone. The integration will be removed from the list permanently.

  1. Go to Wallarm Console → Integrations in the US or EU Cloud.

  2. Open integration and click Delete.

  3. Confirm the action.

Deleting the integration is a system event. If you receive system notifications, messages about the deleted integration will be sent to the configured system.