Syncing Data to AWS S3
Background
Admins can configure Twingate to send audit logs to their AWS S3 buckets. Logs are sent every 5 minutes.
Configuring your S3 Bucket and permissions
Set up an AWS S3 Bucket
Get an Access Key and Secret Access Key
- Open the AWS IAM console
- Go to Users
- Create a User who will have access to the S3 bucket
- Select the user who should have access
- Click Create Access Key
- Save the Access Key and Secret Access Key
Grant your AWS user access to the bucket
- Make sure the user has s3:ListBucket and s3:PutObject listed in their policy
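A policy that grants only these two actions on a single bucket, with an offline check of a policy document against it. This is an added example, not Twingate's or AWS's own code; the bucket name and the function names are placeholders chosen here. The check is simplified: it looks at Allow statements only and matches wildcards case-sensitively.

```python
from fnmatch import fnmatchcase
import json

BUCKET = "example-twingate-audit-logs"  # placeholder bucket name (assumption)

def required_grants(bucket):
    arn = f"arn:aws:s3:::{bucket}"
    # s3:ListBucket applies to the bucket ARN, s3:PutObject to the objects under it.
    return {"s3:ListBucket": arn, "s3:PutObject": arn + "/*"}

def build_policy(bucket):
    """IAM policy granting only the two actions the page names, scoped to one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}
                      for action, resource in required_grants(bucket).items()],
    }

def _listify(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy, bucket):
    """Return findings: required grants that are missing, and grants wider than needed.

    Simplified: Condition, NotAction, NotResource and Deny are not evaluated.
    """
    required = required_grants(bucket)
    in_scope = set(required.values())
    granted, findings = set(), []
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _listify(stmt.get("Action", []))
        resources = _listify(stmt.get("Resource", []))
        for need_a, need_r in required.items():
            if (any(fnmatchcase(need_a, a) for a in actions)
                    and any(fnmatchcase(need_r, r) for r in resources)):
                granted.add(need_a)
        findings += [f"action beyond the two required: {a}"
                     for a in actions if a not in required]
        findings += [f"resource outside bucket scope: {r}"
                     for r in resources if r not in in_scope]
    findings += [f"missing: {a} on {required[a]}" for a in required if a not in granted]
    return findings

if __name__ == "__main__":
    print(json.dumps(build_policy(BUCKET), indent=2))
```

The printed JSON can be attached to the sync user as an inline or managed policy after replacing the placeholder bucket name.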
Configuring your AWS S3 sync in Twingate
1. Navigate to the Reports page under Settings

2. Click Sync to S3 Bucket to configure your sync
3. Enter your Bucket Name, Access Key ID, and Secret Access Key ID

4. The first synced data should arrive within the next 10 minutes.
Any subsequent audit log events will be synced to your S3 bucket every 5 minutes on an ongoing basis.
Troubleshooting
Why is my S3 sync failing?
If you’ve just configured your S3 sync and it immediately fails, you could be running into a configuration issue. Please check that your bucket name, access key, secret access key, and AWS user policies are correct. The AWS user trying to access the bucket should have the s3:ListBucket and s3:PutObject permissions.
What happens if there are no events to sync?
If there are no events to sync, Twingate sends an empty file to the S3 bucket. This confirms that the sync is still working without taking up storage space.
I just performed an action that should be reflected in my audit logs. Why am I not seeing it?
Events can take up to 10 minutes to be reflected in the audit log sync.