Send Audits to Amazon SNS in a Self-Managed AWS Deployment¶
In a self-managed AWS deployment, Audit Server can publish PolicySync audits to an Amazon SNS topic by using the AWS SDK. Audit Server uses your AWS credentials — for example, an IAM role on the cluster — to authenticate and publish messages.
Amazon SNS supports fan-out delivery, which lets multiple subscribers receive the same audit stream. To route a subset of events to a queue, see Subscribe an SQS Queue with a Filter Policy.
For audits written to object storage through Audit Fluentd, see Send Audits to S3. To send the same connector audit stream to Solr, Audit Fluentd, Amazon SQS, and Amazon SNS together, see Connector audit output destinations.
This procedure applies to self-managed deployments only. For PrivaceraCloud, contact your Privacera representative.
Note
- SNS is configured on Audit Server, not Audit Fluentd.
- On EKS, see IAM for Audit Server on Amazon EKS (IRSA).
- Audit Server promotes
eventTypeto an SNS message attribute so subscribers can filter on it. Events without a non-emptyeventTypeare not published. - FIFO topics (an ARN ending in
.fifo) are detected automatically. For FIFO topics, the message group is the tenant id and the deduplication id is derived from the message body.
Collections Supported for SNS¶
| Audit stream | Audit collection | SNS on Audit Server |
|---|---|---|
| PolicySync audits | policysync_audit | Supported. Complete the Setup section in this guide. |
Prerequisites¶
| Requirement | Notes |
|---|---|
| Traffic | policysync_audit events from connectors (including grant and revoke actions executed by a connector). |
| Topic | Standard or FIFO topic ARN and matching region. |
| IAM | sns:Publish on the Audit Server identity (plus sns:GetTopicAttributes and sns:ListSubscriptionsByTopic if you inspect the topic from the pod). See IAM for Audit Server on Amazon EKS (IRSA). |
| Handler V2 | Connector audit handler V2 must be on. Set AUDITSERVER_POLICYSYNC_AUDIT_HANDLER_V2_ENABLED to true as described in Connector audit output destinations. |
Setup¶
To publish PolicySync audits to Amazon SNS, follow these steps.
- Sign in to the host where Privacera Manager is installed.
- Open the Manager configuration directory:
Bash - Copy the Audit Server sample variables into
custom-varsif you have not already. The-nflag avoids overwriting an existing file.Bash - Edit the Audit Server custom variables file:
Bash - Turn on connector audit handler V2 and set the destination list as described in Connector audit output destinations. When Amazon SNS is enabled for this stream, the destination list must include
sns(Privacera Manager does not add it automatically). -
In the same file, set the Amazon SNS properties:
Property Purpose AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_ENABLEDSet to trueto publish PolicySync audits to your topic.AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_TOPIC_ARNFull ARN of the SNS topic. A FIFO topic ARN ends in .fifo.AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_REGIONAWS Region of the topic (for example us-east-1).AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_SUBJECTOptional static subject line attached to every message. Ignored by FIFO topics. AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_NAMESComma-separated destinations; include snswhen SNS is on (for examplesolr,sns). See Connector audit output destinations forsolr,fluentd,sqs, andsns.If Amazon SNS delivery fails temporarily, Audit Server can spool messages and retry. In the same file, optional SNS spool settings are:
Property Purpose AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_SPOOL_ENABLEDSet to trueto write failed SNS sends to the SNS spool under the shared PolicySync spool base directory.AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_SPOOL_DRAIN_INTERVAL_SECONDSHow often the SNS spool is drained and retried, in seconds. The base directory and drain interval shared by Solr, SQS, SNS, and Fluentd for connector audits are described in Connector audit output destinations.
-
Apply the configuration with Privacera Manager, then restart Audit Server.
Example¶
Solr plus one SNS topic (replace the topic ARN, account id, and region):
Subscribe an SQS Queue with a Filter Policy¶
Because Audit Server promotes eventType to an SNS message attribute, a subscriber can use a subscription filter policy to receive only selected event types. The following example subscribes an Amazon SQS queue to the topic and delivers only POLICY_RESPONSE and LOADER events.
-
Subscribe the queue to the topic. Use the SQS protocol and set the endpoint to the queue ARN.
Subscription field Value Topic ARN arn:aws:sns:us-east-1:<AWS_ACCOUNT_ID>:privacera-policysync-auditProtocol SQSEndpoint arn:aws:sqs:us-east-1:<AWS_ACCOUNT_ID>:<AUDIT_QUEUE_NAME>Raw message delivery Enabled -
Set the subscription filter policy with the filter policy scope set to Message attributes:
-
Confirm the subscription status is Confirmed.
A subscriber with no filter policy receives every published event. Add a filter policy on eventType only when a subscriber needs a subset of the stream.
Validation¶
- Generate
policysync_audittraffic. - Confirm that new messages appear on the topic's subscribers — for example, an SQS queue subscribed to the topic.
- If Solr is included in your destinations list, confirm records appear in Solr.
- In your Audit Server dashboard (for example, Grafana), confirm that SNS-related metrics are incrementing with traffic.
- If delivery failures occur, check the
AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_SPOOL_BASE_DIRdirectory and Audit Server logs. Events dropped because they had noeventTypeare logged with a warning and counted as failed.