On a scale from walk-in-the-park → scaling Mount Everest, how easy is it for you to search your S3 buckets? Retrieving data to respond to security incidents, demonstrate compliance, or extract insights shouldn’t require jumping through hoops or overpaying for access. Cribl Search has native support for platforms like Amazon Security Lake, Amazon S3, Azure Blob, and Google Cloud Storage, enabling seamless data analysis right at its source. You can target specific data, create new datasets in minutes, and start searches with just one click. Let’s take a look at how to search Amazon S3 buckets in a step-by-step guide.

Search for any terms, patterns, value/pairs, or data types, and then filter, summarize, and manipulate how your results are plotted and displayed. Cribl Search makes it easy to display results by fields, tables, charts, or colorization, shape results without having to re-execute searches, or export and share data or dashboards.

Setting up your Cribl Search environment to connect to your Amazon S3 object store takes only a few minutes. Check out this video or read below to get set up and start searching your data.

Start Creating an Amazon S3 Dataset Provider

The dataset provider tells Cribl where to query and what access credentials to use.

To set this up, navigate to Data → Dataset Providers in your Cribl Search dashboard. Click Create Provider in the top right and select Amazon S3 as your dataset provider type. Give the dataset provider a unique ID and description.

You’ll notice two supported authentication methods. These are critical to understand for properly configuring Cribl Search to search Amazon S3 buckets.

• AssumeRole gives Cribl Search cross-account access in your AWS environment by taking on a role with the appropriate level of permissions.
• AWS Keys uses a combination of an access key and a secret key.

In this tutorial, we’ll cover the first method: AssumeRole.

To fill in the rest of the fields, you’ll need to create a new role and appropriate policies in your AWS environment — but before you head to AWS, click the Trust Policy and Permission Policy buttons in Cribl Search to preview and copy the policies you’ll need for the new role.

• The Trust Policy allows Cribl Search to assume the role you’re about to create in our AWS account. There is a field called EXTERNAL_ID that will need to be populated if you plan on designating who can assume the role.
• The Permission Policy gives explicit access for our role to access our S3 bucket. There are a couple of MY_S3_BUCKET fields in this policy to enter the name of the S3 bucket you want to search.

Create Role and Appropriate Policies in AWS

Head to your AWS console and navigate to the IAM service. Start by creating the resource policy you’ll use for the role.

Navigate to Policies → Create Policy. Toggle the JSON button on the top to expose the JSON editor and paste the Permission Policy from the Cribl Search screen into the Policy editor in AWS. Remember to edit the policy to reflect the S3 bucket you plan to search. Click Next, give the policy a name, and click Create Policy.

Create a role by navigating to Role → Create Role. Select Custom Trust Policy and paste the Trust Policy from Cribl Search. Remember to update the EXTERNAL_ID to something relevant in your environment if you want to use it.

Click Next, then select the checkbox next to the access policy you just created. Click Next, give the role a name, and click Create Role. Click on the role you created and copy the ARN so you can continue setting up cross-account access.

Search Amazon S3 Buckets: Continue Configuring Your Dataset Provider

Return to Cribl Search and paste the ARN into the AssumeRole ARN field. Populate the External ID field if you chose one, then click Save, and your dataset provider is ready to use.

Set Up Your Dataset to Search Amazon S3 Buckets

Next, you’ll want to set up your dataset so that Cribl Search knows exactly which data to search from your Amazon S3.

Navigate to Datasets → Add Dataset, then give it a name and description. Select the Dataset Provider you just created. When you select a dataset provider, a couple of extra fields will pop up:

• Bucket Path refers to any prefix within your bucket that you want to be searched. I added my bucket name, an archive prefix, and some tokenized, time-based prefixes in this example.
• Path Filter accepts any Javascript expressions for any path filters you want to add.

Navigate to Processing to specify any specific data types you have for that data. Click Save and your dataset is ready to search.

Navigate back to the home page and start a search there or leverage the Search Action Button within the list of datasets to get started. A separate search window will open and return the search data for your S3 bucket.

Check out our documentation for more detailed info on how to set up Cribl Search to query Amazon S3 buckets, or visit our YouTube Channel to learn what else you can do with Cribl Search — including How to Search Azure Blob Storage Containers and How to Search Google Cloud Storage Buckets.