How Do I Configure Access to Distil Daily Logs?

In addition to the reporting available in the Distil Portal, we provide a daily export of raw access logs. The logs are available via an Amazon AWS S3 (S3) external bucket. You can import them into your existing log aggregation platform, with documentation regarding this type of sharing available here.

Note that this type of sharing does not place the shared S3 bucket in your account. Rather, it allows for very specific access using tools like the AWS CLI (Windows, Mac, and Linux) or third-party tools like S3browser (Windows) or S3cmd (Mac, Linux).

Distil provides daily logs access for a fee, but there is no utility cost to download the logs from S3.

NOTE: Speak with your account manager or contact support to get access to your daily logs.

Configuring access to Distil daily logs is a simple three-step process:

  1. Configure Your AWS Account
  2. Share the User ARN with Distil
  3. Verify Access and Retrieve Log Files

Step 1: Configure Your AWS Account

To securely retrieve your access logs, you need to provide Distil with the AWS IAM Amazon Resource Name (User ARN), which is used to retrieve the access logs. Often, customers create service accounts in AWS scoped only to this task and assign limited permissions. Whether you create a new service account user or use an existing account, you must provide Distil with the appropriate IAM ARN.

User ARNs are effectively longhand usernames in AWS that also indicate the parent account.



The user must have permission to read from the S3 service in order to fetch logs:

  1. Log into the AWS management console.
  2. Select the IAM Management console.
  3. Click Users.
  4. Select the appropriate user name.
  5. Click Attach User Policy.
  6. Locate the "S3 Full Access" policy.
  7. Click Select and Apply policy.

Step 2: Share the User ARN with Distil

To retrieve the appropriate user ARN and share it with Distil:

  1. Log in to AWS management console.
  2. In the Services menu, select IAM from the Security, Identity & Compliance section.
  3. Click Users on the left-hand menu.
  4. Select the appropriate user name.
  5. Locate the User ARN in the main panel under Summary.
  6. Copy the User ARN and send it to Distil.
    WARNING: Do NOT share your private key or secret access key with Distil at any time—only the User ARN is needed.

Step 3: Verify Access and Retrieve Log Files

Once Distil creates and grants you access to your S3 bucket, you will be provided with its name. Using it, you must verify that you can both list the bucket items and download any files.

The S3 bucket does not appear in your AWS account. Rather, it is accessible using tools like the AWS CLI (Windows, Mac, and Linux), or third-party tools like S3browser (Windows) or S3cmd (Mac, Linux).


Follow the AWS documentation instructions to use the AWS CLI. Remember to configure your AWS CLI to use the User ARN and secrets belonging to the same user you provided to Distil.

Once your AWS CLI is configured, you can easily view and retrieve your logs.

List Objects in your S3 Bucket

Obtain your S3 bucket objects list using the list-objects command:

aws s3api list-objects --bucket your-bucket-name

Download Objects in your S3 Bucket

Download S3 bucket objects using the get-object command:

aws s3api get-object --bucket your-bucket-name --key YYYY_MM_DD_somecustomer_com/a0cc80fe-ae18-4f1a-b863-039c2b757fd8_000000 ./YYYY_MM_DD_somecustomer_com

Other Tools

S3browser (Windows) or S3cmd (Mac, Linux)

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request