Bring Your Own Bucket for Log Management

Bring your own AWS bucket to Radiant Security and manage your logs using the new Log Management feature.

Overview

Easily query your raw data with our new log management and search functionality. There are two options for log management: let us host the logs, or bring your own bucket. To bring your own bucket, you must enable a configuration by completing the steps described below.

Note: For proof of concept (POC) or testing purposes, we allow customers to offload log hosting to us. However, we expect all customers to eventually switch to using their own bucket once they’ve converted from POC.

Initialization

Once a configuration is chosen, it can no longer be updated. If it needs to be updated, all the data ingested up to that point will be dropped, as we will manually reset the configuration and start fresh. So for example, if a POC candidate starts out with having us host the logs instead of bringing their own bucket, then once they convert to a customer and bring their own bucket, all the existing data we host will be deleted. We can backfill data by re-ingesting from the tenant’s connectors, but it will require extra time.

Requirements for bringing your own bucket

Setting up a bring your own bucket configuration is simple: all you need is an AWS account. There are two things you must do to enable this configuration in AWS:

  1. Create a bucket in us-west-2.
  2. Add a bucket policy to the us-west-2 bucket that allows our cross-account roles to manage the bucket.

After this has been completed, you’ll add your bucket configuration in Radiant Security. Before saving the configuration, we’ll check that the bucket is in the us-west-2 region and verify that we have the correct permissions. If these verification steps pass, we allow the bucket to be saved. Otherwise, you’ll see an error letting you know that your bucket is not set up correctly. Once the bucket configuration is saved, your log data will immediately start being ingested.

Create an S3 bucket in AWS

  1. Sign in to your AWS Management Console.
  2. Then, navigate to the S3 Service by typing S3 in the search bar. Click S3 to open the S3 dashboard.
  3. Click the Create bucket button and configure the following:
    • Bucket name: Enter a unique bucket name (e.g., my-unique-bucket-name-us-west-2).
    • Region: Choose US West (Oregon) – us-west-2 from the region drop-down menu.
  4. Scroll to the bottom of the page and click Create bucket.

Add a bucket policy

  1. From the S3 dashboard, click on the bucket name you just created.
  2. Go to the Permissions tab within the bucket's dashboard.
  3. Add a bucket policy to allow our cross account role (configured as Principal in the JSON below) to manage the bucket.
    1. Scroll down to the Bucket policy section and click Edit.
    2. Copy the following bucket policy and replace the <s3_bucket_name> with the name of the bucket you created in the Create an S3 Bucket in AWS step:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "RadiantSecurityIngestionFullAccess",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::649384204969:role/radiant_security_ingestion_role"
            },
            "Action": "s3:*",
            "Resource": [
              "arn:aws:s3:::<s3_bucket_name>",
              "arn:aws:s3:::<s3_bucket_name>/*"
            ]
          },
          {
            "Sid": "RadiantSecurityBYOBBackfillAccess",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::649384204969:role/logmanagement-customers-split-files-backfill-sa-role"
            },
            "Action": "s3:*",
            "Resource": [
              "arn:aws:s3:::<s3_bucket_name>",
              "arn:aws:s3:::<s3_bucket_name>/*"
            ]
          }
        ]
      }
    3. Paste the bucket policy in the text editor.
  4. Click Save changes to apply the policy.
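The following added example (not Radiant Security's own code) renders the policy above for a given bucket name and checks a saved policy against it before you add the bucket in Radiant Security. The function names are hypothetical, and flagging any other allowed principal is an extra review step assumed here, not a documented Radiant Security requirement.

```python
import json

# Role ARNs copied from the bucket policy on this page.
ROLES = {
    "RadiantSecurityIngestionFullAccess":
        "arn:aws:iam::649384204969:role/radiant_security_ingestion_role",
    "RadiantSecurityBYOBBackfillAccess":
        "arn:aws:iam::649384204969:role/logmanagement-customers-split-files-backfill-sa-role",
}
PLACEHOLDER = "<s3_bucket_name>"


def as_list(value):
    """Policy JSON accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def render_policy(bucket):
    """Build the page's policy for `bucket` instead of hand-editing the placeholder."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": arn},
         "Action": "s3:*", "Resource": resources} for sid, arn in ROLES.items()]}, indent=2)


def check_policy(policy_text, bucket):
    """Return sorted findings; an empty list means the policy matches the page."""
    findings = []
    if PLACEHOLDER in policy_text:
        findings.append(f"placeholder {PLACEHOLDER} was not replaced")
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    granted = {arn: set() for arn in ROLES.values()}
    for stmt in as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if arn not in granted:
                findings.append(f"unexpected principal allowed: {arn}")
            elif "s3:*" in as_list(stmt.get("Action", [])):
                granted[arn] |= needed & set(as_list(stmt.get("Resource", [])))
    for arn, resources in granted.items():
        findings += [f"{arn.rsplit('/', 1)[1]} lacks s3:* on {r}" for r in needed - resources]
    return sorted(findings)


if __name__ == "__main__":
    bucket = "my-unique-bucket-name-us-west-2"  # example name from this page
    print(check_policy(render_policy(bucket), bucket) or "policy matches the page")
```

Paste the output of `render_policy` into the Bucket policy editor, or run `check_policy` on the JSON you copy back out of the editor after saving.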

Configure Log Management in Radiant Security

  1. Log in to Radiant Security.
  2. From the navigation menu, click Log Management.
  3. From Log Management, click + Add Credentials.
  4. In the side menu, paste the bucket name (not ARN) that you created in the Create an S3 Bucket in AWS step.
  5. Click Add credentials to save the bucket configuration.

Note: Before saving the configuration, Radiant Security checks whether you have the correct permissions and that the bucket is in the us-west-2 region. If these verification steps pass, we allow the bucket to be saved. Otherwise, you will see an error highlighting the incorrect configuration. 


Last updated: 2025-06-17