S3 Integration


Amazon S3 is a fully managed object storage service for secure and reliable data storage. Traceable integrates with S3 to automatically export events to your S3 bucket. Using IAM and OIDC-based role assumption with short-lived, least-privilege credentials, this integration ensures secure, compliant, and scalable storage for analysis, SIEM integration, or long-term retention.

What will you learn in this topic?

By the end of this topic, you will be able to understand:


Need for an S3 Bucket

The Amazon S3 bucket stores events exported by Traceable, using AWS’s durable and highly available object storage. Traceable securely writes data to the bucket using AWS IAM and short-lived credentials, enabling reliable storage for analysis, SIEM integration, and long-term archiving within your AWS environment.


Before you begin

Make a note of the following points before you proceed with the configuration:

  • Ensure you have an AWS account.

  • Decide on the AWS region in which you wish to create your S3 bucket. You need the bucket region, together with the IAM role ARN created later in this topic, when you configure the S3 webhook. For more information, see AWS Regions.

  • Ensure you have permission in the AWS account to create an IAM OIDC identity provider, an IAM policy, and an IAM role, and decide on the names you wish to use for the policy and role.


Configure Amazon S3 for Event Delivery

You can follow the steps below to configure Amazon S3 and receive events from your account.

Step 1 — Create an S3 Bucket

  1. Create an S3 bucket in your preferred AWS region. For more information, see Getting Started with Amazon S3 Using the AWS CLI.

  2. Note the bucket name and region, as you will need them in later steps.

Step 2 — Add the OIDC Provider to Your AWS Account

Before you can create the IAM role for the S3 integration, you need to register an OpenID Connect (OIDC) identity provider in your AWS account using the <OIDC_PROVIDER_URL> of the Amazon EKS cluster on which the Traceable SaaS platform runs. Registering this URL tells AWS to trust the identity tokens issued by that cluster, so the Traceable SaaS cluster can assume an IAM role in your account with short-lived credentials obtained through AssumeRoleWithWebIdentity, without you managing long-term AWS access keys. Which tokens can actually assume the role is restricted later by the conditions in the role's trust policy (Step 4).

Use the command below to register the <OIDC_PROVIDER_URL> in AWS IAM. The --url value keeps its https:// scheme; sts.amazonaws.com is the audience (client ID) that the tokens must carry:

aws iam create-open-id-connect-provider --url <OIDC_PROVIDER_URL> --client-id-list sts.amazonaws.com --thumbprint-list <thumbprint_value>

Note

Replace the <OIDC_PROVIDER_URL> and <thumbprint_value> placeholders with the actual values for the Amazon EKS cluster that hosts Traceable. To retrieve the actual values, contact your Traceable Account Executive.

Once you have created the OIDC provider, note the OIDC Provider ARN.

Step 3 — Create an IAM Policy for Bucket Access

Create an IAM policy that allows the role to write events to the S3 bucket and nothing else. The sample JSON policy below grants only the object-write actions the integration needs, scoped to the objects of one bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:PutObjectLegalHold",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<bucket_name>/*"
        }
    ]
}

Note

Replace the <bucket_name> placeholder with your actual S3 bucket name.

Create the policy from this document, either in the IAM console or with aws iam create-policy --policy-name <policy_name> --policy-document file://<policy_file>. Note the policy ARN that is returned (arn:aws:iam::<AWS_ACCOUNT_ID>:policy/<policy_name> for a policy with the default path), as you will need it in Step 4.

Step 4 — Create the IAM Role

Create an IAM role, attach the policy from Step 3 to the role (not to the bucket), and set the role's trust relationship so that only the OIDC provider from Step 2 can assume it. The Federated principal is the OIDC Provider ARN you noted in Step 2, and the condition keys are prefixed with the provider URL without its scheme:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/<OIDC_PROVIDER_URL>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "<OIDC_PROVIDER_URL>:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "<OIDC_PROVIDER_URL>:sub": "system:serviceaccount:traceable:*"
                }
            }
        }
    ]
}

Note

  • The <AWS_ACCOUNT_ID> and <OIDC_PROVIDER_URL> are placeholders. To retrieve the actual <OIDC_PROVIDER_URL> value, contact your Traceable Account Executive.

  • To retrieve your <AWS_ACCOUNT_ID>, log in to your AWS account and navigate to the IAM Dashboard in the AWS account section. For more information, see View AWS Account ID.

  • The aud condition ensures that only tokens minted for AWS STS can assume the role, and the sub condition restricts assumption to service accounts in the traceable namespace of that cluster. The trailing wildcard trusts every service account in that namespace; if Traceable provides the exact service account name, narrow the sub value to it.

To get the value for <OIDC_PROVIDER_URL> in the Federated ARN and in the condition keys, remove the scheme (https://) from the OIDC provider URL; the --url argument in Step 2 is the only place that keeps the scheme. After creating the role and attaching the Step 3 policy, make a note of the IAM Role ARN.

Example

  • Full URL — https://oidc.eks.us-east-1.amazonaws.com/id/11111111111111111111111111111111

  • Without scheme — oidc.eks.us-east-1.amazonaws.com/id/11111111111111111111111111111111
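The following script is an added example, not Traceable's own code, that generates the Step 3 bucket policy and the Step 4 trust policy from your inputs, lints the trust policy for the mistakes called out above (a Federated ARN without the oidc-provider/ prefix or with the scheme left in, a missing aud condition, a sub condition not pinned to a namespace), and prints the AWS CLI commands for Steps 1 to 4 in order. It does not call AWS itself. The account ID, bucket name, thumbprint and role name ROLE_NAME are constructed placeholders; the OIDC URL is the example value from this page.

```python
"""Generate and lint the IAM documents for the Traceable-to-S3 export role.
Added example, not Traceable's own code; all values below are placeholders."""
import json
from urllib.parse import urlparse

ACCOUNT_ID = "123456789012"          # constructed
BUCKET = "example-traceable-events"  # constructed
REGION = "us-east-1"
OIDC_URL = "https://oidc.eks.us-east-1.amazonaws.com/id/11111111111111111111111111111111"
THUMBPRINT = "0" * 40                # placeholder; use the value from Traceable
NAMESPACE = "traceable"
ROLE_NAME = "TraceableS3Export"      # assumed name, pick your own


def oidc_issuer(url: str) -> str:
    """Strip the https:// scheme: the provider ARN and the trust-policy
    condition keys use host/path only, while --url keeps the scheme."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("OIDC provider URL must be an https:// URL")
    return parsed.netloc + parsed.path.rstrip("/")


def oidc_provider_arn(account_id: str, url: str) -> str:
    return f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer(url)}"


def bucket_policy(bucket: str) -> dict:
    """Step 3: write-only access to objects in exactly one bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "TraceableEventWrite",
        "Effect": "Allow",
        "Action": ["s3:AbortMultipartUpload", "s3:PutObjectLegalHold", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }]}


def trust_policy(account_id: str, url: str, namespace: str, service_account: str = "*") -> dict:
    """Step 4: accept web-identity tokens only from the registered issuer,
    only with STS as audience, and only for a service account in `namespace`."""
    issuer = oidc_issuer(url)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": oidc_provider_arn(account_id, url)},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{issuer}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}"},
        },
    }]}


def lint_trust_policy(doc: dict) -> list:
    """Return the mistakes this page warns about; empty when the document is sound."""
    findings = []
    for st in doc.get("Statement", []):
        fed = st.get("Principal", {}).get("Federated", "")
        if ":oidc-provider/" not in fed or "https://" in fed:
            findings.append("Federated must be arn:aws:iam::<account>:oidc-provider/<issuer without scheme>")
        conds = {k: v for block in st.get("Condition", {}).values() for k, v in block.items()}
        auds = [v for k, v in conds.items() if k.endswith(":aud")]
        subs = [v for k, v in conds.items() if k.endswith(":sub")]
        if auds != ["sts.amazonaws.com"]:
            findings.append("aud condition missing or not sts.amazonaws.com")
        # sub must look like system:serviceaccount:<namespace>:<name> with a concrete namespace
        if not subs or any(len(s.split(":")) != 4 or s.split(":")[2] in ("", "*") for s in subs):
            findings.append("sub condition missing or not pinned to a namespace")
    return findings


def cli_commands(account_id, bucket, region, url, thumbprint, role_name=ROLE_NAME) -> list:
    """AWS CLI calls for Steps 1 to 4, in order; the JSON files are written by main()."""
    create_bucket = f"aws s3api create-bucket --bucket {bucket} --region {region}"
    if region != "us-east-1":  # every other region needs an explicit LocationConstraint
        create_bucket += f" --create-bucket-configuration LocationConstraint={region}"
    return [
        create_bucket,
        f"aws iam create-open-id-connect-provider --url {url} "
        f"--client-id-list sts.amazonaws.com --thumbprint-list {thumbprint}",
        f"aws iam create-policy --policy-name {role_name}Policy --policy-document file://bucket-policy.json",
        f"aws iam create-role --role-name {role_name} --assume-role-policy-document file://trust-policy.json",
        f"aws iam attach-role-policy --role-name {role_name} "
        f"--policy-arn arn:aws:iam::{account_id}:policy/{role_name}Policy",
    ]


if __name__ == "__main__":
    trust = trust_policy(ACCOUNT_ID, OIDC_URL, NAMESPACE)
    with open("bucket-policy.json", "w") as f:
        json.dump(bucket_policy(BUCKET), f, indent=2)
    with open("trust-policy.json", "w") as f:
        json.dump(trust, f, indent=2)
    print("\n".join(cli_commands(ACCOUNT_ID, BUCKET, REGION, OIDC_URL, THUMBPRINT)))
    print("Role ARN to paste into Traceable:", f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}")
```

Run it once with your real values to write bucket-policy.json and trust-policy.json, then execute the printed commands; the role ARN printed last is the value you paste in Step 5. Running lint_trust_policy against a trust policy you edited by hand catches the two errors that silently break the integration: a Federated ARN that is not of the oidc-provider/ form, and a sub condition that trusts every namespace.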

Step 5 — Configure the integration

To complete your configuration, navigate to Settings → Configuration → Notifications, and click Create channel. In the Create Channel window, enable the S3 webhook toggle, and complete the following steps:

  1. Specify the S3 bucket name.

  2. Select the AWS region in which your S3 bucket is configured. For more information, see Step 1 - Create an S3 bucket.

  3. Paste the IAM Role ARN created above in Step 4.
