Setting up an AWS policy and role to configure archiving using the CLI

To configure archiving through the CDP CLI, you must first set up a policy and cross-account role in AWS IAM and obtain the cross-account role ARN.

In AWS, create a new S3 bucket or designate an existing bucket. Be sure to block all public access. The audit logs are written to the S3 bucket even without public access as the writing process is based on the AWS role and not on the internet access. Audit events will be archived under the /cdp/cp folder, which will be created automatically by CDP.

From the AWS account hosting the bucket, create an IAM policy that permits read and write access to the bucket.

For example, substituting your bucket name where indicated:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "cdpauditb",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<your-bucket-name-for-audit-archiving>"
            ]
        },
        {
            "Sid": "cdpauditbo",
            "Effect": "Allow",
            "Action": [
                "s3:ListMultipartUploadParts",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<your-bucket-name-for-audit-archiving>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeRegions"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

From the AWS account hosting the bucket, create an IAM role for another AWS account, in this case, for the account running the CDP Control Plane.

Include the policy you just created as the only one in the role.
For detailed instructions on creating an AWS IAM policy and cross-account role, see Create a cross-account IAM role, starting with "1. Log into the AWS Management Console." Although the audit event archiving credential requires a unique policy and Role ARN, the process is largely the same as creating a role-based credential during environment registration.
To finish creating the role you will need the account ID (service manager account ID) and external ID. Run the following CDP CLI command:
```
cdp environments get-audit-credential-prerequisites \
  --cloud-platform AWS
```
note
The control plane uses a different external ID for each account or tenant. So, be sure to look up the account ID and external ID using a user in the account which is being configured.
When you finish the role creation process, copy the Role ARN from the role Summary page in the AWS Management Console. You will need it to create the audit event archiving credential in the next task.

Follow the process in the next topic, Creating an AWS credential for audit event archiving using the CLI, to create the audit archive credential.