Create an audit logs storage integration (Beta)

🚩

This functionality is part of a premium beta feature that’s subject to quick, iterative changes. As a result, the latest product version may differ from the contents of this document.

The Sigma Audit Logs connection stores entries for 30 days, but you can retain audit log data for extended periods by exporting it to cloud storage. To ensure secure, scalable, and compliant exports, set up an audit log storage integration using role-based access control (RBAC) with appropriate permissions.

This document explains how to create a storage integration for exporting audit log data to an Amazon S3 bucket, Azure container, or Google Cloud Storage (GCS) bucket. For more information about audit logging with Sigma, see the following:

User requirements

The ability to create an audit log storage integration requires the following:

  • You must be assigned the Admin account type in Sigma.
  • You must be granted administrative permissions in Amazon Web Services (AWS), Microsoft Azure, or Google Cloud (GCP).

Understanding the storage integration requirements

Sigma’s audit log data is provided by a Sigma-managed Snowflake connection. Therefore, the audit log storage integration creates an interface between Snowflake and your cloud storage platform. The integration, however, does not require your organization to maintain its own Snowflake account, and no part of the following procedures requires configuration within Snowflake.

Much of the storage integration configuration involves completing steps within your cloud storage platform. As these workflows are maintained and updated by a third party, the steps detailed in this document may differ from the cloud storage platform’s current UI and terminology.

Configure a storage integration to access AWS

To configure a storage integration that allows Sigma to write audit log data to AWS, you must complete the following procedures:

Create an IAM policy in AWS

  1. Log into the AWS Management Console.

  2. Open the Identity and Access Management (IAM) console.

  3. In the left navigation pane, select Policies, then click Create policy.

  4. In the Create policy > Editor step, select the JSON tab.

  5. In the JSON editor, add a policy document that allows Snowflake to access a specific S3 bucket and folder.
    The following example policy (with bucket name and folder path prefix placeholders) meets the Snowflake requirements:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::{{bucket}}",
                "Condition": {
                    "StringLike": {
                        "s3:prefix": [
                            "{{prefix}}/*"
                        ]
                    }
                }
            },
            {
                "Action": [
                    "s3:PutObject",
                    "s3:DeleteObject"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::{{bucket}}/{{prefix}}/*"
            }
        ]
    }

    📘

    You're not required to specify a folder path prefix if the role can upload files to any destination in the S3 bucket.

  6. Click Review policy.

  7. In the Create policy > Review step, enter a policy name and description, then click Create policy to save the new policy.

Create a custom IAM role in AWS

  1. Log into the AWS Management Console.

  2. Open the Identity and Access Management (IAM) console.

  3. In the left navigation pane, select Roles, then click Create role.

  4. In the Create role > Trust step, select Another AWS account as the type of trusted entity.

  5. In the Account ID field, enter your AWS account ID as a temporary value.

    📘

    AWS temporarily uses this account ID to create the role. After you add an AWS integration in Sigma, you must update the IAM role to modify the trusted relationship and grant access to Snowflake.

  6. In the Options setting, select the Require external ID checkbox.

  7. In the External ID field, enter a placeholder value (for example, 0000), then click Next: Permissions.

    📘

    The external ID isn’t available at this point in the integration configuration procedure. Sigma generates this ID when you add an AWS integration, after which you must update the IAM role.

  8. In the Create role > Permissions step, locate and select the IAM policy you previously created, then click Next: Review.

  9. In the Create role > Review step, enter a role name and description, then click Create role to save the role with the attached IAM policy.

  10. In the role’s Summary page, record the Role ARN value for an upcoming step in the integration configuration process.

Add an AWS integration in Sigma

  1. Go to Administration > Account > General Settings.

    1. In the Sigma header, click your user avatar to open the user menu.

    2. Select Administration to open the Administration portal.

    3. In the side panel, select Account, then open the General Settings tab.

  2. In the Audit Logging section, locate the Create an Audit Logs Storage Integration setting and click Add.

    📘

    If the General Settings tab doesn’t include an Audit Logging section, contact Support or your Sigma Account Executive to enable it for your organization.

  3. In the Create a storage integration for audit logs modal, provide the AWS credentials:

    1. In the Cloud Storage section, select the AWS option.

    2. In the Destination field, enter the S3 destination folder path that includes the bucket and folder path prefix specified in the IAM policy.

    3. In the Role ARN field, enter the Role ARN value recorded for the IAM role.

    4. Click Create storage integration.

  4. Sigma sends a confirmation email when the storage integration is successfully created and an Amazon Resource Name (ARN) is available for the IAM user. When this occurs, return to the Administration portal to record the credentials for an upcoming step in the integration configuration process:

    1. Go to the Account > General Settings tab.

    2. In the Audit Logging section, locate the Create an Audit Logs Storage Integration setting and click View credentials.

    3. Reference the Sigma credentials section and record the External ID and IAM User ARN values.

    📘

    Sigma doesn’t currently support the ability to delete audit logs storage integrations through the Administration portal. If you need to delete an existing integration, please contact Support.

Update the custom IAM role in AWS

  1. Log into the AWS Management Console.

  2. Open the Identity and Access Management (IAM) console.

  3. In the left navigation pane, select Roles.

  4. Locate and select the custom IAM role created for the audit log storage integration.

  5. Select the Trust relationship tab and click Edit trust relationship.

  6. Update the policy document with External ID and IAM User ARN values recorded in Sigma.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<iam_user_arn>"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<external_id>"
                    }
                }
            }
        ]
    }

  7. Click Update policy to save the changes and complete the storage integration configuration.

  8. To schedule a recurring audit log export, see Export audit log data to cloud storage.
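As an added example (not Sigma's or Snowflake's code), the following Python renders the two AWS policy documents from this section with real values filled in and checks a trust policy for the temporary values the "Create a custom IAM role" steps leave behind (your own account ID as principal, the placeholder external ID) before the role is updated. The bucket name, prefix, ARN and external ID values used are constructed.

```python
import re

# Placeholder external IDs the procedure uses before Sigma issues the real one.
PLACEHOLDER_EXTERNAL_IDS = {"0000", "<external_id>"}
IAM_USER_ARN = re.compile(r"arn:aws:iam::\d{12}:user/.+")


def render_bucket_policy(bucket: str, prefix: str = "") -> dict:
    """S3 permission policy from this page with bucket and optional prefix filled in.
    Without a prefix the role may write anywhere in the bucket (no s3:prefix condition)."""
    prefix = prefix.strip("/")
    list_stmt = {"Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                 "Effect": "Allow", "Resource": f"arn:aws:s3:::{bucket}"}
    obj_resource = f"arn:aws:s3:::{bucket}/*"
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}
        obj_resource = f"arn:aws:s3:::{bucket}/{prefix}/*"
    put_stmt = {"Action": ["s3:PutObject", "s3:DeleteObject"],
                "Effect": "Allow", "Resource": obj_resource}
    return {"Version": "2012-10-17", "Statement": [list_stmt, put_stmt]}


def render_trust_policy(iam_user_arn: str, external_id: str) -> dict:
    """Trust relationship letting only the Sigma-issued IAM user assume the role,
    and only when it presents the Sigma-issued external ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": iam_user_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def trust_policy_findings(policy: dict) -> list:
    """Flag AssumeRole statements that still carry temporary values or lack the external ID."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        ids = ext if isinstance(ext, list) else ([ext] if ext is not None else [])
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif any(x in PLACEHOLDER_EXTERNAL_IDS for x in ids):
            findings.append(f"statement {i}: placeholder external ID {ids}")
        principal = stmt.get("Principal", {}).get("AWS", "")  # root ARN = account ID still in place
        if not isinstance(principal, str) or not IAM_USER_ARN.fullmatch(principal):
            findings.append(f"statement {i}: principal {principal!r} is not an IAM user ARN")
    return findings
```

Run `trust_policy_findings` over the role's current trust document after step 7; an empty list means both Sigma-issued values are in place.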

Configure a storage integration to access Azure

To configure a storage integration that allows Sigma to write audit log data to Azure, you must complete the following procedures:

Add an Azure integration in Sigma

  1. Go to Administration > Account > General Settings.

    1. In the Sigma header, click your user avatar to open the user menu.

    2. Select Administration to open the Administration portal.

    3. In the side panel, select Account, then open the General Settings tab.

  2. In the Audit Logging section, locate the Create an Audit Logs Storage Integration setting and click Add.

    📘

    If the General Settings tab doesn’t include an Audit Logging section, contact Support or your Sigma Account Executive to enable it for your organization.

  3. In the Create a storage integration for audit logs modal, provide the Azure credentials:

    1. In the Cloud Storage section, select the Azure option.

    2. In the Destination field, enter an Azure container path.

    3. In the Tenant ID field, enter your organization’s Azure account tenant ID.

      📘

      For guidance on finding your tenant ID, refer to How to find your Microsoft Entra tenant ID in Microsoft’s documentation.

    4. Click Create storage integration.

  4. Sigma sends a confirmation email when the storage integration is successfully created and the Azure consent URL and multi-tenant app name are available. When this occurs, return to the Administration portal to record the credentials for an upcoming step in the integration configuration process:

    1. Go to the Account > General Settings tab.

    2. In the Audit Logging section, locate the Create an Audit Logs Storage Integration setting and click View credentials.

    3. Record the Azure Consent URL and Azure Multi Tenant App Name values.

    📘

    Sigma doesn’t currently support the ability to delete audit logs storage integrations through the Administration portal. If you need to delete an existing integration, please contact Support.

Accept requested permissions

  1. Go to the URL specified by the Azure Consent URL value recorded in Sigma.

  2. In the Microsoft permissions request page, click Accept to grant the Snowflake service principal an access token on specified resources inside your tenant.

Add role assignment in Azure

  1. Log into the Microsoft Azure portal.

  2. Go to Azure Services > Storage accounts, then click on the storage account to which you are granting the Snowflake service principal permission.

  3. Click Access Control (IAM).

  4. In the Add dropdown, select Add role assignment.

  5. In the Role tab, select the Storage Blob Data Contributor option to grant the Snowflake service principal read and write access, then click Next.

  6. In the Members tab, click + Select members, then enter the Azure Multi Tenant App Name value (only characters preceding the underscore) recorded in Sigma to search for the member.

  7. Click Review + assign and wait for the role assignment to propagate. When the assignment successfully propagates (which may take several minutes), the storage integration configuration is complete.

  8. To schedule a recurring audit log export, see Export audit log data to cloud storage.

Configure a storage integration to access GCP

To configure a storage integration that allows Sigma to write audit log data to GCP, you must complete the following procedures:

Add a GCP integration in Sigma

  1. Go to Administration > Account > General Settings.

    1. In the Sigma header, click your user avatar to open the user menu.

    2. Select Administration to open the Administration portal.

    3. In the side panel, select Account, then open the General Settings tab.

  2. In the Audit Logging section, locate the Create an Audit Logs Storage Integration setting and click Add.

    📘

    If the General Settings tab doesn’t include an Audit Logging section, contact Support or your Sigma Account Executive to enable it for your organization.

  3. In the Create a storage integration for audit logs modal, provide the GCP credentials:

    1. In the Cloud Storage section, select the GCP option.

    2. In the Destination field, enter the GCS destination folder path.

    3. Click Create storage integration.

  4. Sigma sends a confirmation email when the storage integration is successfully created and the service account credential is available. When this occurs, return to the Administration portal to record the credentials for an upcoming step in the integration configuration process:

    1. Go to the Account > General Settings tab.

    2. In the Audit Logging section, locate the Create an Audit Logs Storage Integration setting and click View credentials.

    3. Reference the Sigma credentials section and record the Service account value.

    📘

    Sigma doesn’t currently support the ability to delete audit logs storage integrations through the Administration portal. If you need to delete an existing integration, please contact Support.

Create a custom IAM role in GCP

  1. Log into the GCP console.

  2. From the home dashboard, go to the IAM & Admin page.

  3. In the left navigation pane, select Roles.

  4. Click + Create Role.

  5. In the Create Role page, enter a role title and description. You can also create an ID and set a role launch stage.

  6. Click + Add Permissions and select the following permissions:

    • storage.objects.create
    • storage.objects.delete
    • storage.objects.list
    • storage.buckets.get

  7. Click Create.

Assign the custom IAM role in GCP

  1. Log into the GCP console.

  2. From the home dashboard, go to the Cloud Storage page.

  3. In the left navigation pane, select Buckets.

  4. Locate and select the applicable bucket.

  5. Select the Permission tab and click Grant Access.

  6. In the New principals field, search for and select the Service account value from Sigma.

  7. In the Select a role dropdown, select the custom IAM role created for the audit log storage integration.

  8. Click Save to complete the role assignment and the storage integration configuration.

  9. To schedule a recurring audit log export, see Export audit log data to cloud storage.