Connection for Logging


Thrive provides access to audit logs through an Amazon S3 bucket, with near real time notifications delivered via Amazon SQS. This allows customers to integrate audit logs directly into their own security monitoring or SIEM platforms.

Access is provided using an IAM role created by Thrive, which your AWS environment will assume to retrieve logs securely.

What Thrive Provides

Once the setup is complete, Thrive will share the following details with you:

Resource          Description
Access Role ARN   IAM role your system will assume to access the audit logs
Bucket Name       Amazon S3 bucket containing the audit log files
SQS Queue URL     Amazon SQS queue that receives notifications when new logs are added
KMS Key ARN       Encryption key used to decrypt the log files

What You Need to Do

  1. Provide your IAM user ARN

    You must supply the ARN of the IAM user in your AWS account that will be used to assume the access role.

    Example:

    arn:aws:iam::YOUR_ACCOUNT_ID:user/splunk-user

  2. Allow your IAM user to assume the access role

    Attach the following IAM policy to your IAM user, replacing the role ARN with the value provided by Thrive:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "ACCESS_ROLE_ARN_WE_PROVIDE"
        }
      ]
    }

    This policy allows your IAM user to assume the role that provides access to the audit logs.

  3. Configure your log ingestion system

    Configure your system (for example Splunk) to:

    1. Use the IAM user credentials

    2. Assume the provided access role

    3. Poll the SQS queue for notifications

    4. Retrieve log files from the S3 bucket when notified

How the Logging Pipeline Works

  1. Audit log files are written to the S3 bucket at regular intervals (up to every 15 minutes when auditable activity occurs).

  2. Amazon S3 publishes a notification to an SNS topic.

  3. The SNS topic forwards the message to an SQS queue.

  4. Your system polls the SQS queue and receives the notification.

  5. Your system assumes the access role and retrieves the corresponding log file from S3.
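The ingestion steps above (assume the access role, poll the queue, fetch the announced object), as an added example in Python with boto3 that is not part of Thrive's documentation or tooling. The bucket name, queue URL and role ARN are placeholders for the values Thrive shares with you; the parser also skips the s3:TestEvent heartbeat S3 sends when a notification configuration is created and drops notifications for any bucket other than the one you were given.

```python
import json
from typing import Callable, List, Tuple
from urllib.parse import unquote_plus

# Constructed placeholder; the real bucket name is the one Thrive provides.
EXPECTED_BUCKET = "thrive-audit-logs-example"

def parse_notification(body: str, expected_bucket: str = EXPECTED_BUCKET) -> List[Tuple[str, str]]:
    """Return (bucket, key) pairs for new log objects announced in one SQS message.
    The body is an SNS envelope whose "Message" carries the S3 event JSON (a raw S3
    event is accepted too). Keys are URL-decoded as S3 encodes them; the s3:TestEvent
    heartbeat, non-create events and objects in other buckets are ignored."""
    outer = json.loads(body)
    event = json.loads(outer["Message"]) if outer.get("Type") == "Notification" else outer
    if event.get("Event") == "s3:TestEvent":
        return []
    found = []
    for record in event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = record["s3"]["bucket"]["name"]
        if bucket == expected_bucket:
            found.append((bucket, unquote_plus(record["s3"]["object"]["key"])))
    return found

def poll_and_fetch(queue_url: str, role_arn: str, expected_bucket: str,
                   handle: Callable[[str, bytes], None]) -> None:
    """Assume the access role with the IAM user's default credentials, long-poll the
    queue once and pass each announced log object's bytes to handle(key, data).
    Assumes the role may use the KMS key, so S3 decrypts server-side on GetObject."""
    import boto3  # imported here so parse_notification stays usable without boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="audit-log-ingest")["Credentials"]
    session = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])
    sqs, s3 = session.client("sqs"), session.client("s3")
    for msg in sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                                   WaitTimeSeconds=20).get("Messages", []):
        for bucket, key in parse_notification(msg["Body"], expected_bucket):
            handle(key, s3.get_object(Bucket=bucket, Key=key)["Body"].read())
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])

# Constructed sample message in the shape the S3 -> SNS -> SQS chain delivers.
SAMPLE_BODY = json.dumps({"Type": "Notification", "Message": json.dumps({"Records": [{
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": EXPECTED_BUCKET},
           "object": {"key": "audit/2024/01/01/log%3A001.json.gz"}}}]})})
```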

Splunk Configuration (Optional)

If you are using Splunk, configure an SQS-Based S3 input using the Splunk Add-on for AWS:

  1. Use the IAM user credentials that can assume the access role.

  2. Enter the SQS queue URL provided by Thrive.

  3. Splunk will automatically poll the queue and retrieve log files from S3.

Reference

Splunk SQS-Based S3 Input Documentation

Synchronisation Frequency and Retention

Synchronisation Frequency

Audit logs are synchronised on a regular basis, with a maximum end-to-end delivery delay of 15 minutes from the time an event is generated until it is available for consumption.

Log Retention

Audit logs are retained for a minimum of 30 days. This retention period ensures logs are available for operational monitoring, security investigation, and compliance purposes. Retention may be extended where required by contractual or regulatory obligations.