This guide explains how to export Cmd data to an S3 bucket. After setup, your bucket will receive one file containing Cmd data each minute, assuming there is data to export. Data is exported as zipped JSON.
Outline:
Configure an S3 bucket to receive data from Cmd
- Without an IaC tool
- With an IaC tool
- Using AWS KMS
Configure the Cmd web app to export to your bucket.
Configure an S3 bucket to receive Cmd data
Without an IaC tool
Create a new bucket following Amazon's guide.
Name the bucket cmd-[mycompanyname]-shared. (Replace [mycompanyname] with your company's name.)
Note: The 'us-west-1' region is preferable.
Configure the remaining settings as you wish. Create the bucket.
Go to the bucket's Permissions tab:
Scroll down to the Access Control List, and click Edit.
Click Add grantee.
Under Grantee, enter Cmd's canonical ID:
8d863b317735519f02c08cd534372f6ff3ddd39b571693c10a28ed6c49b0ba31
Enable all permissions:
Click Save changes.
Important Notes:
Do not add other objects with the 'cmd_export/' key prefix to the bucket (i.e., don't put anything else in that directory). Doing so would impair data export to tools such as AWS Redshift.
To help minimize storage costs, we recommend configuring the lifecycle to delete incomplete multipart uploads after 1-2 days by following the instructions here.
With an IaC tool
If you created your AWS S3 bucket through an IaC tool like Terraform or CloudFormation, use the following policy document:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "839441773943"},
      "Action": "s3:PutObject",
      "Resource": ["arn:aws:s3:::[YOURBUCKETNAME]/*"]
    },
    {
      "Effect": "Deny",
      "Principal": {"AWS": "839441773943"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::[YOURBUCKETNAME]/*",
      "Condition": {
        "StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
      }
    }
  ]
}
The above policy document grants Cmd s3:PutObject permission. Its Deny statement rejects any upload that does not set the bucket-owner-full-control ACL, which gives the bucket owner full ownership of all objects, as described in Amazon's bucket policies documentation.
Important notes:
839441773943 is the actual Account ID that Cmd uses for bucket sharing.
You must replace [YOURBUCKETNAME] with your AWS S3 bucket name.
After configuring your bucket, finish setup in the Cmd web app.
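To see how the Allow and Deny statements in the policy document above interact, the following added example (not Cmd's or AWS's code) runs a simplified evaluation of that policy against sample upload requests. The bucket name, object key and second account ID are constructed, and the matcher is an assumption that covers only what this policy uses: exact account and action match, wildcard resources, and StringNotEquals.

```python
import fnmatch
import json

CMD_ACCOUNT = "839441773943"   # Cmd's account ID, as given in this guide
BUCKET = "cmd-example-shared"  # constructed bucket name for the example

POLICY = json.loads("""
{"Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "839441773943"},
   "Action": "s3:PutObject", "Resource": ["arn:aws:s3:::[YOURBUCKETNAME]/*"]},
  {"Effect": "Deny", "Principal": {"AWS": "839441773943"},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::[YOURBUCKETNAME]/*",
   "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}
]}
""".replace("[YOURBUCKETNAME]", BUCKET))

def _listify(value):
    return value if isinstance(value, list) else [value]

def statement_applies(stmt, account, action, key, acl=None):
    """Simplified match: exact account/action, wildcard resource, StringNotEquals."""
    resource = f"arn:aws:s3:::{BUCKET}/{key}"
    if account not in _listify(stmt["Principal"]["AWS"]):
        return False
    if action not in _listify(stmt["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(stmt["Resource"])):
        return False
    context = {"s3:x-amz-acl": acl}
    for cond_key, required in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        # A missing header (None) also counts as "not equal", so the Deny still applies.
        if context.get(cond_key) == required:
            return False
    return True

def evaluate(account, action, key, acl=None):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' (no statement applies)."""
    effects = {s["Effect"] for s in POLICY["Statement"]
               if statement_applies(s, account, action, key, acl)}
    if "Deny" in effects:  # an explicit Deny always overrides an Allow
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

if __name__ == "__main__":
    obj = "cmd_export/sample.json.gz"  # constructed object key
    print(evaluate(CMD_ACCOUNT, "s3:PutObject", obj, "bucket-owner-full-control"))
    print(evaluate(CMD_ACCOUNT, "s3:PutObject", obj))             # no ACL header
    print(evaluate(CMD_ACCOUNT, "s3:PutObject", obj, "private"))  # wrong ACL
    print(evaluate(CMD_ACCOUNT, "s3:GetObject", obj))             # action not granted
    print(evaluate("111122223333", "s3:PutObject", obj, "bucket-owner-full-control"))
```

Only the first request is allowed. Reads by Cmd and writes from any other account match neither statement, so this policy grants them nothing.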
Using AWS KMS
If you're managing your bucket with KMS, you will need to grant Cmd access via an AWS KMS key with access to the bucket.
Go to AWS KMS, then Customer managed keys.
Click on a key that is authorized to the bucket where you want to receive Cmd data.
On the Key policy tab, scroll to the bottom.
Click Add other AWS accounts.
Enter Cmd's account ID: 839441773943.
Copy your key's ARN. You will need to enter the ARN under "KMS ID" during setup in the Cmd web app.
Important: For added security, you can turn on default encryption for your bucket, with your KMS key as the encryption key. To do this:
Go to your S3 bucket, and open its Properties tab:
Scroll down to 'Default encryption' and click Edit.
Select Enable, then SSE-KMS, then Enter KMS master key ARN:
Enter your key's ARN.
Click Save changes.
Go to the Cmd web app to complete setup:
Cmd web app setup
Log in to the Cmd web app.
Open the dropdown menu in the upper-right of the web app and go to Project & App settings.
Select Data export from the menu on the left.
Click Add export, then select Amazon S3.
Enter your bucket name (e.g. "cmd-data-export-test"), and specify its region.
If your bucket is secured with KMS, enter your key's ARN under KMS ID.
Click Next, and select the timezone to use for event timestamps, as well as which types of events to export.
Click Save. Your export should be up and running, and the data export screen should display your newly configured export.