Microsoft Security | Microsoft Sentinel
A cloud-native SIEM solution that provides intelligent security analytics and threat detection across systems
Microsoft Sentinel not ingesting logs from AWS Log Archive account
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 78%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Milt
0
Reputation points
I've followed all the steps necessary and double checked the configuration using this documentation: https://learn.microsoft.com/en-us/azure/sentinel/aws-s3-troubleshoot?source=recommendations
Followed steps for Microsoft Sentinel doesn’t receive data from the Amazon Web Services S3 connector or one of its data types
Are there any other resources or troubleshooting that could be done for this?
NOTE: The AWS Account ID I'm using for the trust policy is Microsoft Generic account ID found on Google, for commercial. AS when I reach out to our support for Azure, there seems to be no location from AzureAccountId; but in CloudFormation template Microsoft provides, it notes this,
AWS: !Sub "arn:${AWS::Partition}:iam::${SentinelAWSAccount}:root
In this case, what would be the AWS Account ID? IS this found in our Sentinel Service?
Microsoft Security | Microsoft Sentinel
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 92%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Sridevi Machavarapu 10,455 Reputation points Microsoft External Staff Moderator2025-12-18T02:59:03.37+00:00 Based on what you’ve shared, the problem is with the AWS Account ID used in the IAM trust policy.
The value shown in the CloudFormation template as
SentinelAWSAccountis not a generic Microsoft AWS account ID. Using an account ID found online will prevent Microsoft Sentinel from assuming the role, and logs will not be ingested.Yes, the correct AWS Account ID comes from your Sentinel setup.
You can find it in the Azure portal:
- Go to Microsoft Sentinel
- Open your workspace
- Select Data connectors
- Open Amazon Web Services (S3)
- Check the IAM role / CloudFormation section
The AWS Account ID shown there is the one that must be used in the trust policy:
AWS: arn:${AWS::Partition}:iam::<SentinelAWSAccount>:rootIf the wrong AWS Account ID is used, the role assumption fails quietly. Sentinel can’t read from the S3 bucket, so no data shows up even though the connector looks configured.
Because you’re using an AWS Log Archive account, it’s also worth double-checking:
- The IAM role exists in the Log Archive account
- The role has read access to the S3 buckets with logs
- The S3 bucket policy allows that role
- Logs are actually present in the bucket
- The CloudFormation stack completed without errors
- The S3 bucket region matches the connector configuration
The setup and troubleshooting steps are covered in the official docs:
- https://learn.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3
- https://learn.microsoft.com/en-us/azure/sentinel/aws-s3-troubleshoot
After updating the trust policy with the correct AWS Account ID and re-running the CloudFormation stack, log ingestion should start.
Hope this helps!
Sign in to comment
Sign in to answer