Exporting Logs to AWS S3 Bucket

Forcepoint ONE SSE provides an option to export logs specific to your tenant from the Forcepoint ONE SSE data lake to your own AWS S3 bucket using Amazon S3 Access Points. The customer logs are replaced every month.

Note: You can export logs starting from June 01, 2024 onwards.

Amazon S3 Access Points are unique hostnames that data owners (in this case, Forcepoint) create to enforce distinct permissions and network controls for any request made through access points. To understand Amazon S3 Access Points in detail, refer to Amazon S3 Access Points.

To create an access point, you only need to provide the AWS Account ID that will be used to access it. The access policy is set to allow only viewing of the logs.

Note: Forcepoint ONE SSE does not impose any (rate or user session) limitations while accessing logs data in Amazon AWS S3. However, Amazon AWS S3 may impose rate and user session limitations.

To delete the access point for your tenant, contact Forcepoint Customer Support.

Creating Access Point

Follow the steps below to create an access point in Forcepoint ONE SSE:

  1. On Forcepoint ONE SSE, navigate to the Analyze > Logs > Settings page.
  2. Under the Logs section, select the Create Access point on AWS to read logs checkbox to create an access point.

    By default, the Create Access point on AWS to read logs checkbox is unselected.

  3. In Customer AWS Account ID, enter the ID of the AWS account to which you want to export logs.

  4. To create an access point in the Forcepoint ONE SSE data lake for the entered Customer AWS Account ID, click Save.
  5. After you click Save, if the access point is created successfully, the following fields appear under the Customer Access Point section. You need these values when configuring your AWS account:


    • Access Point Name - Displays the name of the access point.
    • FONE AWS Account ID - Displays the Forcepoint ONE SSE AWS Account ID.
    • Customer AWS Account ID - Displays the AWS Account ID that you entered.
    • Access Point URI - Displays the access point URI, which you use to access logs from the Forcepoint ONE SSE AWS S3 bucket.
    • Access Point ARN - Displays the access point ARN.

Configuring your AWS Account

After creating the access point for your AWS account in Forcepoint ONE SSE, follow the steps below to set up your AWS account using the information from Forcepoint ONE SSE to export your tenant logs to your own AWS S3 bucket:

  1. Log in to your Amazon AWS account as admin.
  2. Assign the following IAM permission to the user to grant access to the access point created under the Customer Access Point section in Forcepoint ONE SSE.

    Sample permission policy to grant access to the access point:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject"
                ],
                "Resource": "*"
            }
        ]
    }
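The sample policy uses "Resource": "*", so its two actions apply to every S3 bucket and access point the user can reach, not only the Forcepoint one. The Python helper below is an added example, not part of the Forcepoint documentation: it builds a policy limited to the Access Point ARN shown under Customer Access Point. The function name and the sample ARN and account ID are constructed, and it assumes the ARN's account field equals the FONE AWS Account ID and that your IAM evaluation accepts the access point ARN as the resource (confirm with the aws s3 ls command before relying on it).

```python
import json
import re

# Layout of an S3 access point ARN:
#   arn:<partition>:s3:<region>:<owner-account-id>:accesspoint/<name>
_AP_ARN = re.compile(
    r"^arn:(aws|aws-us-gov|aws-cn):s3:([a-z0-9-]+):(\d{12})"
    r":accesspoint/([a-z0-9][a-z0-9-]{1,48}[a-z0-9])$"
)


def scoped_read_policy(access_point_arn, fone_account_id):
    """Return an IAM policy dict allowing list/read through one access point only."""
    arn = access_point_arn.strip()
    match = _AP_ARN.match(arn)
    if match is None:
        # Rejects bucket ARNs, wildcards and anything else that is not an access point.
        raise ValueError("not an S3 access point ARN: %r" % access_point_arn)
    if match.group(3) != fone_account_id:
        # Assumption: the access point is owned by the FONE AWS Account ID.
        raise ValueError("ARN owner account does not match FONE AWS Account ID")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Listing is authorized against the access point itself.
                "Sid": "ListThroughAccessPoint",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": arn,
            },
            {   # Object reads are authorized against <arn>/object/<key>.
                "Sid": "ReadThroughAccessPoint",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": arn + "/object/*",
            },
        ],
    }


# Constructed sample values; use the ones displayed in Forcepoint ONE SSE.
SAMPLE_FONE_ACCOUNT_ID = "111122223333"
SAMPLE_ARN = "arn:aws:s3:us-east-1:111122223333:accesspoint/example-tenant-logs"

if __name__ == "__main__":
    print(json.dumps(scoped_read_policy(SAMPLE_ARN, SAMPLE_FONE_ACCOUNT_ID), indent=4))
```
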

Downloading tenant logs

Note: You can download tenant logs only with the --request-payer option.

Once the admin has assigned the above permission policy to the IAM user, the IAM user can download tenant logs via AWS CLI or CloudShell from their specific access point URI using the following command:

aws s3 cp <access-point-uri>/<any-prefix>/ . --recursive --request-payer

You can use the following command to view objects/folders:

aws s3 ls <access-point-uri>/<any-prefix>/ --request-payer

Replace <access-point-uri> with the Access Point URI from the Customer Access Point section on Forcepoint ONE SSE.