S3 Integration
Integrate StepSecurity Harden-Runner insights and detections seamlessly with your Amazon S3 bucket. Streamline analysis using your existing SIEM and log management tools.
Enterprise users can export Harden-Runner security data to their own Amazon S3 bucket using the S3 Integration feature. This allows you to ingest StepSecurity insights and detections into your existing SIEM or log aggregation systems. It also provides the flexibility to build custom integrations and analytics on top of Harden-Runner data.
Before setting up the S3 Integration, ensure you have the following prerequisites in place:
Dedicated S3 Bucket: Create or designate an Amazon S3 bucket in your AWS account to receive the exported data.
IAM Role for StepSecurity: An AWS IAM Role that the StepSecurity platform can assume to write objects to your S3 bucket. You will configure a trust policy on this role to allow StepSecurity’s AWS account to assume it (using an External ID for security).
Follow the steps below to configure the S3 Integration via the StepSecurity Admin Console:
Log in to the StepSecurity Admin Console for your organization.
Navigate to the Integrations section.
On this page, you will see an External ID value displayed – copy this value as it will be needed when creating the AWS IAM role.
Deploy the provided CloudFormation template. In the CloudFormation console, provide the required input parameters:
S3 Bucket Name: The name of the S3 bucket that will store StepSecurity data (this should be the dedicated bucket you prepared).
IAM Role Name: A name for the new IAM role to create (for example, “StepSecurityS3IntegrationRole”). This role will be assumed by StepSecurity to write to your bucket.
External ID: Paste the External ID value copied from the StepSecurity integration settings page.
The CloudFormation template will provision the S3 bucket, a custom IAM managed policy granting the necessary permissions on that bucket, and an IAM role with a trust policy that allows StepSecurity’s AWS account to assume the role only when the correct External ID is provided. Once the stack deployment is complete, note the Role ARN output and ensure the S3 bucket has been created.
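The following CloudFormation template is an added illustration of the resources described above; it is not StepSecurity's own template. The StepSecurity AWS account ID is a placeholder parameter (the page does not state it), and the managed policy grants only `s3:PutObject`, which is an assumption about the minimum the export needs.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Hypothetical example (not the vendor template): S3 bucket plus a
  cross-account role that StepSecurity can assume only with the External ID.
Parameters:
  BucketName:
    Type: String            # the dedicated bucket prepared for the export
  RoleName:
    Type: String
    Default: StepSecurityS3IntegrationRole
  ExternalId:
    Type: String            # copied from the Admin Console Integrations page
    NoEcho: true            # keep it out of stack parameter listings
  StepSecurityAccountId:
    Type: String            # PLACEHOLDER: 12-digit account ID supplied by StepSecurity
    AllowedPattern: "^[0-9]{12}$"
Resources:
  ExportBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref BucketName
  WritePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: s3:PutObject            # assumed minimum: write objects only
            Resource: !Sub "arn:aws:s3:::${BucketName}/*"
  ExportRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      ManagedPolicyArns:
        - !Ref WritePolicy
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${StepSecurityAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId   # blocks the confused-deputy case
Outputs:
  RoleArn:
    Value: !GetAtt ExportRole.Arn       # paste into the Admin Console Role ARN field
```

The `sts:ExternalId` condition is what makes the trust policy safe to grant to a third-party account: without the matching External ID, an AssumeRole call from that account is denied.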
Return to the StepSecurity S3 Integration settings page in the Admin Console.
Enter the Bucket Name of the S3 bucket and the Role ARN of the IAM role that you just created via CloudFormation. These fields tell StepSecurity where to send the data and which role to assume.
Choose which types of Harden-Runner data you want to export to S3. You can enable Insights and/or Detections; each can be toggled on or off independently. For each enabled data type, you must specify a custom S3 object key prefix format for the data files:
For example, you might use a prefix format like insights/{{.Year}}/{{.Month}}/{{.Day}}/ for Insights. In this case, Harden-Runner insight files will be organized into year/month/day folders within your bucket (e.g., insights/2025/04/09/…). Similarly, you could set detections/{{.Year}}/{{.Month}}/ for Detections. This templating allows you to partition and organize the logs by date, or other variables, to suit your retention and querying needs.
After providing the path values, click the "Test Connection" button to verify that the StepSecurity platform can create objects inside the provided S3 bucket.
Decide whether the S3 integration should apply to all repositories in your organization or only specific repositories. You can choose the scope in the integration settings UI:
All repositories: The Harden-Runner data from every repository in your GitHub organization (that is monitored by StepSecurity) will be exported to S3.
Selected repositories: You can pick one or more repositories for which to enable the export. Only those repositories’ data will be sent to S3. This option is useful if you want to pilot the integration on a subset of projects or limit data export to certain critical repositories.
After filling in the Bucket Name and Role ARN, selecting the data types, and choosing the repository scope, click the Save button.
The S3 integration will be activated. StepSecurity will now begin exporting the chosen Harden-Runner data to your S3 bucket. The data will continuously be delivered in near real-time as new workflow runs occur, allowing you to ingest it into your SIEM or other tools.
Once enabled, it’s a good practice to verify that everything is working:
Check AWS S3: In your AWS S3 console, navigate to the configured bucket. After some GitHub Actions runs have completed, you should see objects appearing under the specified prefixes (e.g., an insights/ folder or detections/ folder with timestamped files). This confirms that StepSecurity can assume the role and write to your bucket.
SIEM / Log Ingestion: Now that the data is flowing into S3, you can integrate it with your log management or SIEM platform. Many SIEM tools (like Splunk, Elastic, Datadog, etc.) can ingest logs directly from S3 buckets. Configure your SIEM to pull the objects from the bucket (using the folder structure you defined) to start analyzing Harden-Runner insights and detections alongside your other security data.
Custom Processing: Alternatively, you can build custom processing on this data. For example, you might use AWS Lambda functions triggered by new S3 objects to automate responses to certain detections, or use AWS Athena/Glue to query the insights data with SQL for ad-hoc analysis.
By setting up the S3 Integration, you gain greater flexibility in how you store, analyze, and respond to CI/CD security information from StepSecurity. This integration ensures that Harden-Runner’s rich telemetry can be seamlessly incorporated into your organization’s broader security operations and monitoring workflows.
Instead of manually creating the AWS resources, you can use the provided CloudFormation template to set them up quickly. Feel free to update the CloudFormation template as required before deploying it.