
Cloudflare Integration

Setup AWS

In this step, you will provision the necessary infrastructure in the AWS Console for the following purposes:

  • Create an S3 bucket to collect Cloudflare logs
  • Create an SQS queue to receive notifications when new logs are written to the S3 bucket
  • Update S3 bucket properties to send notifications to the SQS queue
  • Create and attach a policy to allow AWS S3 service to send notifications to the queue
  • Create a Realm IAM user with permission to read from the Cloudflare S3 bucket and the notification SQS queue
  • Create an AWS Access Key and AWS Secret Access Key for the Realm IAM user

Create S3 Bucket

  1. Go to S3
  2. Create Bucket
  3. Fill out details

Name: rlm-cloudflare-logs

  4. Copy the ARN of the bucket

Create SQS Queue for notifications

  1. Go to SQS Queue
  2. Create Queue
  3. Fill out details

Name: rlm-cf-event-notifications

  4. Copy the ARN of the queue

Create IAM policy

  1. Go to IAM > Policy
  2. Create Policy
  3. Click JSON
  4. Paste the following and replace <s3_bucket_arn> with the ARN of your S3 bucket and <sqs_queue_arn> with the ARN of the SQS queue from above
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "s3ReadObjects",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "<s3_bucket_arn>",
                "<s3_bucket_arn>/*"
            ]
        },
        {
            "Sid": "sqsEventNotifications",
            "Effect": "Allow",
            "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage"
            ],
            "Resource": [
                "<sqs_queue_arn>"
            ]
        }
    ]
}
  5. Click Next.
  6. Enter policy name: rlm-s3-notifications-and-read
  7. Enter description: Grant read access to the Cloudflare S3 log bucket as well as receiving S3 notifications from the SQS queue.
  8. Click Create Policy.

Create User with credentials

  1. Go to IAM > Users > Create User
  2. Enter Name: rlm-cf-s3-read-user
  3. Click Next
  4. Click Attach Policy Directly
  5. Select the policy created in the previous step
  6. Click Next
  7. Click Create user
  8. Select the user that was just created
  9. Copy the ARN of the user and save it to a safe location; you will need it in the Update SQS policy step below
  10. Go to Security Credentials
  11. Click Create Access Key
  12. Select Third-party service
  13. Check the confirmation checkbox
  14. Click Next
  15. Enter description: Credentials for Realm.Security to read Cloudflare logs from S3 bucket
  16. Copy the Access Key and Secret Access Key and save them in a safe location. You will need to paste these two values into the Realm console when configuring the S3 input feed.

Update SQS policy

  1. Go to SQS Queues
  2. Select the rlm-cf-event-notifications queue
  3. Go to Queue Policies > Edit Access policy
  4. Replace the policy JSON with the following, substituting <sqs_queue_arn> with the ARN of the queue and <iam_user_arn> with the ARN of the user created in the previous step
{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "Stmt1737666508309",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "<sqs_queue_arn>"
    },
    {
      "Sid": "Stmt1737666814690",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<iam_user_arn>"
      },
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage"
      ],
      "Resource": "<sqs_queue_arn>"
    }
  ]
}
  5. Click Save
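The IAM policy and the SQS access policy above grant exactly what the Realm user and the S3 service need, and it is worth checking that the pasted JSON still does once the placeholders are filled in. The following is an added example, not part of this guide or of Realm's tooling: it loads a policy document, verifies every action and resource stays scoped to the log bucket and the notification queue, flags wildcard principals, and checks that the s3.amazonaws.com statement carries an aws:SourceArn condition (without it, any S3 bucket in any account can post to the queue). The ARNs, account id and region are constructed sample values.

```python
import json

# Constructed sample ARNs standing in for the <...> placeholders in the guide.
BUCKET_ARN = "arn:aws:s3:::rlm-cloudflare-logs"
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:rlm-cf-event-notifications"
USER_ARN = "arn:aws:iam::123456789012:user/rlm-cf-s3-read-user"

# Only these resources and actions are needed by the integration.
ALLOWED_RESOURCES = {BUCKET_ARN, BUCKET_ARN + "/*", QUEUE_ARN}
ALLOWED_ACTIONS = {"s3:ListBucket", "s3:GetObject", "sqs:SendMessage",
                   "sqs:ReceiveMessage", "sqs:DeleteMessage",
                   "sqs:ChangeMessageVisibility"}

def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_policy(policy_json: str) -> list:
    """Return least-privilege findings for a policy document ([] = passes)."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt["Action"]):
            if action not in ALLOWED_ACTIONS:  # also catches s3:* and sqs:*
                findings.append(f"{sid}: unexpected action {action}")
        for res in _as_list(stmt["Resource"]):
            if res not in ALLOWED_RESOURCES:
                findings.append(f"{sid}: resource {res} is not the bucket or queue")
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append(f"{sid}: principal is open to any AWS account")
        # A service principal without aws:SourceArn lets any S3 bucket, in any
        # account, post to the queue; the condition pins it to our bucket.
        if isinstance(principal, dict) and "Service" in principal:
            cond = stmt.get("Condition", {}).get("ArnEquals", {})
            if cond.get("aws:SourceArn") != BUCKET_ARN:
                findings.append(f"{sid}: add Condition ArnEquals aws:SourceArn")
    return findings

def sqs_policy(with_source_arn: bool) -> str:
    """The guide's SQS access policy with placeholders filled in (constructed)."""
    s3_stmt = {"Sid": "s3ToQueue", "Effect": "Allow", "Resource": QUEUE_ARN,
               "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sqs:SendMessage"}
    if with_source_arn:
        s3_stmt["Condition"] = {"ArnEquals": {"aws:SourceArn": BUCKET_ARN}}
    user_stmt = {"Sid": "userReads", "Effect": "Allow", "Resource": QUEUE_ARN,
                 "Principal": {"AWS": USER_ARN}, "Action": [
                     "sqs:ChangeMessageVisibility", "sqs:DeleteMessage", "sqs:ReceiveMessage"]}
    return json.dumps({"Version": "2012-10-17", "Statement": [s3_stmt, user_stmt]})
```

Running check_policy on the guide's SQS policy as written reports only the missing aws:SourceArn condition; adding that condition to the s3.amazonaws.com statement clears it.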

Configure notifications for S3 bucket

  1. Log in to the AWS console
  2. Go to S3 buckets
  3. Select the cloudflare log bucket
  4. Go to Properties
  5. Go to Event Notifications and click on Create Event Notification
  6. Fill out the event notification details

Event name: RlmCFCreateEvents
Event types: select the All object create events checkbox
Destination: select SQS Queue
In the drop-down, select the SQS queue that you created in the step above

  7. Click Save Changes

Setup Cloudflare

In this section, you will configure Cloudflare to export logs to the S3 bucket created above.

Logpush

Select Analytics & Logs > Logpush.

Create Logpush job

Select Destination

Select Amazon S3 object storage.

S3 Bucket Details

Enter the details of the AWS S3 bucket where logs will be forwarded to.

S3 Bucket Permissions

Copy the S3 bucket permissions from the Cloudflare console and add them to the bucket in the AWS console.

Click Continue.

At this point, Cloudflare will write an ownership challenge text file to the S3 bucket.

Copy Ownership Token

In the AWS console, go to the S3 bucket, locate and open the file called ownership-challenge-xxxxxxx.txt, and copy its contents.

Paste Ownership Token

Go to the Cloudflare console and paste the ownership challenge token in the box provided.

If all goes well, you should see a verification success message.

Select Dataset

Select one or more log datasets to push to the S3 bucket.