Bring your own bucket for Log Management with Terraform

Bring your own AWS bucket to Radiant Security and manage your logs using the new Log Management feature.

In this guide, you will use this Terraform configuration to automate the creation of an S3 bucket for Radiant Security Log Management. The configuration creates the bucket with default encryption and attaches a bucket policy that grants Radiant Security's cross-account IAM roles access for both log ingestion and data backfilling.

Prerequisites

Create a Terraform Project

This module uses a map to automatically select the correct Radiant Security AWS Account ID based on your tenant's region, so the bucket policy only ever trusts the Radiant Security account that serves your tenant. The configuration contains only what Radiant Security requires; apply your organization's usual bucket baseline (public access block, versioning, access logging) alongside it.

  1. Copy the following HCL code into your Terraform project (e.g., radiant_logs.tf).

  2. Supply your values for the two input variables, radiant_region and bucket_name, on the command line or in a tfvars file (see Deployment Steps). The locals block holds Radiant Security's own account IDs and does not need editing.

# Add this file to a project that already configures the AWS provider. The
# provider's credentials and region decide where the bucket is created;
# radiant_region only selects which Radiant Security account to trust.

variable "radiant_region" {
  type        = string
  description = "The region of your Radiant Security tenant. Options: 'us-west-2' or 'eu-central-1'"
  validation {
    condition     = contains(["us-west-2", "eu-central-1"], var.radiant_region)
    error_message = "Radiant Security currently supports 'us-west-2' (Oregon) or 'eu-central-1' (Frankfurt)."
  }
}

variable "bucket_name" {
  type        = string
  description = "The name of the S3 bucket to be created for Radiant logs."
}

locals {
  # Map of Radiant Security Account IDs per tenant region. These are Radiant
  # Security's accounts, not yours; do not edit them.
  radiant_accounts = {
    "us-west-2"    = "649384204969"
    "eu-central-1" = "076657324990"
  }
  radiant_account_id = local.radiant_accounts[var.radiant_region]
}

# --- S3 Bucket Resource ---
# Dedicate this bucket to Radiant Security logs: the policy below hands both
# Radiant roles full control of it.
resource "aws_s3_bucket" "radiant_logs" {
  bucket = var.bucket_name
}

# Enable Default Encryption (SSE-S3)
resource "aws_s3_bucket_server_side_encryption_configuration" "radiant_logs_encryption" {
  bucket = aws_s3_bucket.radiant_logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
    # S3 Bucket Keys only apply to SSE-KMS; with AES256 this setting has no effect.
    bucket_key_enabled = false
  }
}

# --- Bucket Access Policy ---
# Grants the two Radiant Security roles in the account for your tenant region
# access to the bucket and to every object in it. Note that s3:* on the bucket
# ARN also covers bucket-level actions such as s3:PutBucketPolicy and
# s3:DeleteBucket, so these roles are fully trusted with this bucket.
resource "aws_s3_bucket_policy" "radiant_access" {
  bucket = aws_s3_bucket.radiant_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "RadiantSecurityIngestionFullAccess"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${local.radiant_account_id}:role/radiant_security_ingestion_role"
        }
        Action   = "s3:*"
        Resource = [
          aws_s3_bucket.radiant_logs.arn,
          "${aws_s3_bucket.radiant_logs.arn}/*"
        ]
      },
      {
        Sid    = "RadiantSecurityBYOBBackfillAccess"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${local.radiant_account_id}:role/logmanagement-customers-split-files-backfill-sa-role"
        }
        Action   = "s3:*"
        Resource = [
          aws_s3_bucket.radiant_logs.arn,
          "${aws_s3_bucket.radiant_logs.arn}/*"
        ]
      }
    ]
  })
}

Deployment Steps

Option A: Passing variables via command line

If you want to run this quickly without a tfvars file, pass both values as -var flags to terraform plan and terraform apply (for example -var="radiant_region=..." -var="bucket_name=...").

Option B: Using a tfvars file

Create a file named terraform.tfvars that sets radiant_region and bucket_name; Terraform loads it automatically on plan and apply.

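The deployment steps above as one added example script (not Radiant Security's own tooling): it validates the two inputs locally, renders terraform.tfvars (Option B) or the equivalent -var flags (Option A), runs the usual Terraform workflow, and after apply reads the bucket policy back with the AWS CLI and checks that there is no wildcard principal, that every principal belongs to the Radiant Security account for your tenant region, and that both Radiant roles are granted. The account IDs and role names are the ones in the configuration above; the function names, the constructed SAMPLE_POLICY used by self_check, and the bucket name acme-radiant-logs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Radiant Security's own tooling. Account IDs and role names
# mirror the Terraform configuration; function names and SAMPLE_POLICY are
# constructed for this example.

# Radiant Security account for a tenant region (same map as local.radiant_accounts).
radiant_account_for() {
  case "$1" in
    us-west-2)    echo 649384204969 ;;
    eu-central-1) echo 076657324990 ;;
    *)            return 1 ;;
  esac
}

# Subset of the S3 naming rules: 3-63 chars, lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit.
valid_bucket_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'
}

# Option B: render terraform.tfvars. Rejects an unsupported region or a bad bucket
# name before Terraform ever runs.
render_tfvars() {
  radiant_account_for "$1" >/dev/null || { echo "unsupported Radiant region: $1" >&2; return 1; }
  valid_bucket_name "$2" || { echo "invalid bucket name: $2" >&2; return 1; }
  printf 'radiant_region = "%s"\nbucket_name    = "%s"\n' "$1" "$2"
}

# Option A: the same two values as command-line flags.
var_flags() {
  printf -- '-var=radiant_region=%s -var=bucket_name=%s' "$1" "$2"
}

# Post-apply check on the deployed bucket policy document (JSON text):
#   - no wildcard principal,
#   - every IAM principal lives in the Radiant account for the region,
#   - both required Radiant roles are granted.
audit_policy() {
  policy=$1
  expected=$(radiant_account_for "$2") || { echo "unsupported Radiant region: $2" >&2; return 1; }
  if printf '%s' "$policy" | grep -Eq '"Principal" *: *"\*"|"AWS" *: *"\*"'; then
    echo "bucket policy has a wildcard principal" >&2; return 1
  fi
  foreign=$(printf '%s' "$policy" | grep -Eo 'arn:aws:iam::[0-9]{12}:' \
            | grep -v "arn:aws:iam::$expected:" | sort -u)
  if [ -n "$foreign" ]; then
    echo "principals from unexpected account(s): $foreign" >&2; return 1
  fi
  for role in radiant_security_ingestion_role logmanagement-customers-split-files-backfill-sa-role; do
    printf '%s' "$policy" | grep -q "arn:aws:iam::$expected:role/$role" \
      || { echo "missing grant for $role" >&2; return 1; }
  done
  return 0
}

# Full workflow: write tfvars, init/validate/plan/apply, then audit what was deployed
# before handing the bucket name to Radiant Security.
deploy() {
  render_tfvars "$1" "$2" > terraform.tfvars || return 1
  terraform init -input=false && terraform validate \
    && terraform plan -input=false -out=radiant.tfplan \
    && terraform apply -input=false radiant.tfplan || return 1
  policy=$(aws s3api get-bucket-policy --bucket "$2" --query Policy --output text) || return 1
  audit_policy "$policy" "$1"
}

# Constructed sample: the policy the configuration produces for a us-west-2 tenant
# and a bucket named acme-radiant-logs (placeholder name).
SAMPLE_POLICY='{"Version":"2012-10-17","Statement":[
 {"Sid":"RadiantSecurityIngestionFullAccess","Effect":"Allow",
  "Principal":{"AWS":"arn:aws:iam::649384204969:role/radiant_security_ingestion_role"},
  "Action":"s3:*","Resource":["arn:aws:s3:::acme-radiant-logs","arn:aws:s3:::acme-radiant-logs/*"]},
 {"Sid":"RadiantSecurityBYOBBackfillAccess","Effect":"Allow",
  "Principal":{"AWS":"arn:aws:iam::649384204969:role/logmanagement-customers-split-files-backfill-sa-role"},
  "Action":"s3:*","Resource":["arn:aws:s3:::acme-radiant-logs","arn:aws:s3:::acme-radiant-logs/*"]}]}'

# Offline self-check: the sample passes for us-west-2 and is rejected for
# eu-central-1, whose Radiant account is a different one.
self_check() {
  audit_policy "$SAMPLE_POLICY" us-west-2 || return 1
  audit_policy "$SAMPLE_POLICY" eu-central-1 2>/dev/null && return 1
  return 0
}

# Usage: sh radiant_byob.sh deploy us-west-2 acme-radiant-logs
if [ "${1:-}" = "deploy" ]; then
  deploy "$2" "$3"
fi
```

The audit runs on the policy S3 actually stores rather than on the Terraform source, so it also catches a policy that was edited out of band after apply; rerun audit_policy whenever the bucket policy changes.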
Configure Log Management in Radiant Security

Once the Terraform apply is successful:

  1. From the navigation menu, click Log Management.

  2. From Log Management, click + Add Credentials.

  3. In the side menu, paste the name of the bucket (not its ARN) that Terraform created, i.e. the value you gave bucket_name.

  4. Click Add credentials to save the bucket configuration.
