Skip to content

Send Audits to Amazon SNS in a Self-Managed AWS Deployment

In a self-managed AWS deployment, Audit Server can publish PolicySync audits to an Amazon SNS topic by using the AWS SDK. Audit Server uses your AWS credentials — for example, an IAM role on the cluster — to authenticate and publish messages.

Amazon SNS supports fan-out delivery, which lets multiple subscribers receive the same audit stream. To route a subset of events to a queue, see Subscribe an SQS Queue with a Filter Policy.

For audits written to object storage through Audit Fluentd, see Send Audits to S3. To send the same connector audit stream to Solr, Audit Fluentd, Amazon SQS, and Amazon SNS together, see Connector audit output destinations.

This procedure applies to self-managed deployments only. For PrivaceraCloud, contact your Privacera representative.

Note

  • SNS is configured on Audit Server, not Audit Fluentd.
  • On EKS, see IAM for Audit Server on Amazon EKS (IRSA).
  • Audit Server promotes eventType to an SNS message attribute so subscribers can filter on it. Events without a non-empty eventType are not published.
  • FIFO topics (an ARN ending in .fifo) are detected automatically. For FIFO topics, the message group is the tenant id and the deduplication id is derived from the message body.

Collections Supported for SNS

Audit stream Audit collection SNS on Audit Server
PolicySync audits policysync_audit Supported. Complete the Setup section in this guide.

Prerequisites

Requirement Notes
Traffic policysync_audit events from connectors (including grant and revoke actions executed by a connector).
Topic Standard or FIFO topic ARN and matching region.
IAM sns:Publish on the Audit Server identity (plus sns:GetTopicAttributes and sns:ListSubscriptionsByTopic if you inspect the topic from the pod). See IAM for Audit Server on Amazon EKS (IRSA).
Handler V2 Connector audit handler V2 must be on. Set AUDITSERVER_POLICYSYNC_AUDIT_HANDLER_V2_ENABLED to true as described in Connector audit output destinations.

Setup

To publish PolicySync audits to Amazon SNS, follow these steps.

  1. Sign in to the host where Privacera Manager is installed.
  2. Open the Manager configuration directory:
    Bash
    cd ~/privacera/privacera-manager/config
    
  3. Copy the Audit Server sample variables into custom-vars if you have not already. The -n flag avoids overwriting an existing file.
    Bash
    cp -n sample-vars/vars.auditserver.yml custom-vars/
    
  4. Edit the Audit Server custom variables file:
    Bash
    vi custom-vars/vars.auditserver.yml
    
  5. Turn on connector audit handler V2 and set the destination list as described in Connector audit output destinations. When Amazon SNS is enabled for this stream, the destination list must include sns (Privacera Manager does not add it automatically).
  6. In the same file, set the Amazon SNS properties:

    Property Purpose
    AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_ENABLED Set to true to publish PolicySync audits to your topic.
    AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_TOPIC_ARN Full ARN of the SNS topic. A FIFO topic ARN ends in .fifo.
    AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_REGION AWS Region of the topic (for example us-east-1).
    AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_SUBJECT Optional static subject line attached to every message. Ignored by FIFO topics.
    AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_NAMES Comma-separated destinations; include sns when SNS is on (for example solr,sns). See Connector audit output destinations for solr, fluentd, sqs, and sns.

    If Amazon SNS delivery fails temporarily, Audit Server can spool messages and retry. In the same file, optional SNS spool settings are:

    Property Purpose
    AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_SPOOL_ENABLED Set to true to write failed SNS sends to the SNS spool under the shared PolicySync spool base directory.
    AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_SPOOL_DRAIN_INTERVAL_SECONDS How often the SNS spool is drained and retried, in seconds.

    The base directory and drain interval shared by Solr, SQS, SNS, and Fluentd for connector audits are described in Connector audit output destinations.

  7. Apply the configuration with Privacera Manager, then restart Audit Server.

Bash
1
2
3
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade 

Example

Solr plus one SNS topic (replace the topic ARN, account id, and region):

YAML
1
2
3
4
5
AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_NAMES: "solr,sns"
AUDITSERVER_POLICYSYNC_AUDIT_HANDLER_V2_ENABLED: "true"
AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_ENABLED: "true"
AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_TOPIC_ARN: "arn:aws:sns:us-east-1:<AWS_ACCOUNT_ID>:privacera-policysync-audit"
AUDITSERVER_POLICYSYNC_AUDIT_DESTINATION_SNS_REGION: "us-east-1"

Subscribe an SQS Queue with a Filter Policy

Because Audit Server promotes eventType to an SNS message attribute, a subscriber can use a subscription filter policy to receive only selected event types. The following example subscribes an Amazon SQS queue to the topic and delivers only POLICY_RESPONSE and LOADER events.

  1. Subscribe the queue to the topic. Use the SQS protocol and set the endpoint to the queue ARN.

    Subscription field Value
    Topic ARN arn:aws:sns:us-east-1:<AWS_ACCOUNT_ID>:privacera-policysync-audit
    Protocol SQS
    Endpoint arn:aws:sqs:us-east-1:<AWS_ACCOUNT_ID>:<AUDIT_QUEUE_NAME>
    Raw message delivery Enabled
  2. Set the subscription filter policy with the filter policy scope set to Message attributes:

    JSON
    1
    2
    3
    4
    5
    6
    {
      "eventType": [
        "POLICY_RESPONSE",
        "LOADER"
      ]
    }
    
  3. Confirm the subscription status is Confirmed.

A subscriber with no filter policy receives every published event. Add a filter policy on eventType only when a subscriber needs a subset of the stream.

Validation

  1. Generate policysync_audit traffic.
  2. Confirm that new messages appear on the topic's subscribers — for example, an SQS queue subscribed to the topic.
  3. If Solr is included in your destinations list, confirm records appear in Solr.
  4. In your Audit Server dashboard (for example, Grafana), confirm that SNS-related metrics are incrementing with traffic.
  5. If delivery failures occur, check the AUDITSERVER_POLICYSYNC_AUDIT_DESTINATIONS_SPOOL_BASE_DIR directory and Audit Server logs. Events dropped because they had no eventType are logged with a warning and counted as failed.