Amazon Web Services (AWS) - Send JSON to S3
  • 14 May 2023

Amazon Web Services (AWS) - Send JSON to S3 takes the saved query supplied as a trigger (or assets that have been selected in the asset table), creates a JSON file, and sends it to a specific Amazon Simple Storage Service (Amazon S3) bucket.

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

General Settings

  • Enforcement Set name (required) - The name of the Enforcement Set. A default value is added by Axonius. You can change the name according to your needs.
  • Add description - Click to add a description of the Enforcement Set. It is recommended to describe what the Enforcement Set does.
  • Run action on assets matching following query (required) - Select an asset category and a query. The Enforcement Action will be run on the assets that match the query parameters.
  • Action name (required) - The name of the Main action. A default value is added by Axonius. You can change the name according to your needs.
  • Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.

Connection Settings

  1. Use stored credentials from the AWS adapter (required, default: False) -
    • If enabled, Axonius uses the AWS adapter connection credentials that match the specified AWS Access Key ID to determine the IAM user/role used to send the JSON file to the S3 bucket.
    • If disabled:
      • If Use attached IAM role is enabled, Axonius uses the IAM user/role attached to the EC2 instance on which Axonius is installed to send the JSON file to the S3 bucket.
      • Otherwise, Axonius uses the IAM user/role associated with the specified IAM Access Key ID and IAM Access Key Secret to send the JSON file to the S3 bucket.
    NOTE
    To use this option, you must successfully configure an AWS adapter connection.
  2. AWS Access Key ID (required, default: empty) - Specify the AWS Access Key ID to access the Amazon S3 bucket.
  3. AWS Secret Access Key (optional, default: empty) - Specify the AWS Secret Access Key for the specified AWS Access Key ID.
    • If supplied (and both Use stored credentials from the AWS adapter and Use attached IAM role are disabled), Axonius uses the account user credentials to send a JSON file to an S3 bucket.
    • If not supplied (and both Use stored credentials from the AWS adapter and Use attached IAM role are disabled), Axonius will fail any execution of this action.
  4. Use attached IAM role (required, default: False)
    • If enabled (and Use stored credentials from the AWS adapter is disabled), Axonius uses the IAM role attached to the EC2 instance on which Axonius is installed to send the JSON file to the S3 bucket.
    • If disabled (and Use stored credentials from the AWS adapter is disabled), Axonius uses the account details supplied in the IAM Access Key ID and IAM Access Key Secret to send the JSON file to the S3 bucket.
    NOTE

    This option will be ignored if Use stored credentials from the AWS adapter is enabled.

  5. AWS region (optional, default: us-east-1) - Specify the name of the region where the Amazon S3 bucket is located.
    • If supplied, the PutObject operation is performed on the specified Amazon S3 bucket in the supplied region.
    • If not supplied, the PutObject operation is performed on the specified Amazon S3 bucket in 'us-east-1'.
    NOTE

    This option will be ignored if Use stored credentials from the AWS adapter is enabled.

  6. HTTPS proxy (optional, default: empty) - A proxy to use when connecting to the AWS APIs.
    • If supplied, Axonius will utilize the proxy when connecting to the Amazon S3 bucket.
    • If not supplied, Axonius will connect directly to the Amazon S3 bucket.

Action Settings

  1. Amazon S3 bucket name (required, default: empty) - Specify the name of the Amazon S3 bucket to which the file will be sent.
    For creating, configuring, and accessing Amazon S3 buckets, see Configuring an S3 Bucket to use with Axonius.
  2. Amazon S3 object location (key) (optional, default: empty) - Specify the S3 object key to store a JSON file that contains the entities derived from the saved query supplied as a trigger (or entities that have been selected in the asset table).
    • If supplied, the JSON file path and name will be stored in the specified object key. For example, if reports/axonius is specified, the file path and name will be reports/axonius.json.
    • If not supplied, the JSON file will be stored as axonius_enforcement_center_data.json.
  3. Append date and time to file name (required, default: False)
    • If enabled, the date and time (in UTC) of enforcement action execution will be added as a suffix to the generated JSON file name. For example, axonius_2020-01-06-16:48:13.json.
    • If disabled, the JSON file will be stored based on the specified/default object key.
  4. Override file if exists (required, default: False) - Choose whether to store the generated JSON file even if a JSON file with the same name already exists.
    • If enabled, the generated JSON file will be stored even if a JSON file with the exact name already exists.
    • If disabled, the generated JSON file will not be stored if a JSON file with the exact name already exists. As a result, the Enforcement Action will fail.
  5. Always export aggregated fields as arrays - Select this option to always represent aggregated fields as arrays in the JSON file that is created.

Required Permissions

The account associated with the values supplied in AWS Access Key ID and AWS Access Key Secret, or the IAM role attached to the EC2 instance on which Axonius is installed, must have the following permissions:

  • s3:PutObject
  • s3:GetObject
  • s3:ListAllMyBuckets
  • s3:ListBucket
  • s3:PutObjectTagging
  • s3:DeleteObject
  • s3:HeadBucket

If the target S3 bucket is encrypted with a KMS key, the kms:GenerateDataKey permission is also required.

These permissions must be added to a policy attached to the relevant IAM user account.


For details on creating an IAM user and attaching policies, see Connecting the Amazon Web Services (AWS) Adapter.
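
The permissions listed above can be granted on a single bucket and key prefix rather than on every S3 resource. The following is an added example, not Axonius or AWS code: it builds such a policy document and checks it with a simplified matcher. The bucket name, prefix, statement IDs and the grouping of actions by resource level are assumptions, and whether the action runs with resources narrowed this way should be validated in a test run.

```python
import json
from fnmatch import fnmatchcase

# Actions exactly as listed under Required Permissions, grouped by the
# resource level each one is scoped to here (the grouping is an assumption).
ACCOUNT_ACTIONS = ["s3:ListAllMyBuckets"]
BUCKET_ACTIONS = ["s3:ListBucket", "s3:HeadBucket"]
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject",
                  "s3:PutObjectTagging", "s3:DeleteObject"]


def build_policy(bucket, key_prefix="", kms_key_arn=None):
    """Return an IAM policy document limited to one bucket and key prefix."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {"Sid": "ListBuckets", "Effect": "Allow",
         "Action": ACCOUNT_ACTIONS, "Resource": "*"},
        {"Sid": "BucketLevel", "Effect": "Allow",
         "Action": BUCKET_ACTIONS, "Resource": bucket_arn},
        {"Sid": "ObjectLevel", "Effect": "Allow",
         "Action": OBJECT_ACTIONS, "Resource": f"{bucket_arn}/{key_prefix}*"},
    ]
    if kms_key_arn:  # only needed when the bucket is encrypted with a KMS key
        statements.append({"Sid": "KmsDataKey", "Effect": "Allow",
                           "Action": ["kms:GenerateDataKey"],
                           "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def is_allowed(policy, action, resource):
    """Simplified check: does any Allow statement match action and resource?

    Not IAM's full evaluation logic (no Deny, conditions or boundaries).
    """
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if (stmt["Effect"] == "Allow" and action in stmt["Action"]
                and any(fnmatchcase(resource, r) for r in resources)):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: bucket name and prefix are placeholders.
    print(json.dumps(build_policy("example-axonius-exports", "reports/"), indent=2))
```

With the prefix set to `reports/`, an object key such as `reports/axonius` from the Action Settings falls inside the object-level statement, while keys under any other prefix or bucket are not granted.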


For more details about other Enforcement Actions available, see Action Library.

