Overview of the Amazon S3 Events Integration
Organizations that store and manage event data in an AWS S3 bucket can configure their Cato account to automatically and continuously upload events to it.
This integration continuously pushes events directly from the Cato Cloud to the S3 bucket, unlike the eventsFeed API, which requires pulling data from Cato and can be affected by rate limiting.
The Cato Cloud uploads data to the S3 bucket every 60 seconds, or whenever more than 9.5 MB of uncompressed data is accumulated. Data is transferred securely over HTTPS.
Events are uploaded in a compressed .GZ format. Some clients, such as certain browsers, may automatically decompress these files without removing the .GZ extension. If this occurs, changing the file extension to LOG or TXT will correctly align the file's format with its extension.
Events Integration Use Case
Sample Company uses the IPS Suspicious Activity Monitoring feature, which generates a high volume of security events. They decide to create an AWS S3 bucket to store all the event data, which they can then integrate with their SIEM solution. Sample Company enables Events Integration and adds the S3 bucket as an integration to their Cato account so that all IPS events are automatically uploaded to the S3 bucket.
Prerequisites
Review the prerequisites for all Cato event integrations in Getting Started with Event Integrations
Configuring the AWS S3 Bucket
Create an S3 bucket and define an IAM policy that allows Cato to upload event data to it. Then, create an IAM role with Cato’s role ARN and attach the policy to the role.
The Cato Cloud uploads data to the S3 bucket every 60 seconds, or when more than 9.5 MB of uncompressed data is accumulated. Depending on different factors, data can sometimes be uploaded before it reaches 9.5 MB.
Cato uses HTTPS to upload data to the S3 bucket.
Notes:
Only regions for S3 buckets where Security Token Service (STS) is active are supported. For more information about enabling STS for a region, see the relevant AWS documentation.
The China S3 region is not supported.
To configure an S3 bucket in AWS to receive Cato event data:
Create a new S3 bucket with the appropriate AWS Region.
.png?sv=2026-02-06&spr=https&st=2026-07-19T06%3A31%3A50Z&se=2026-07-19T06%3A45%3A50Z&sr=c&sp=r&sig=l%2Fdmvg0iF0Lyuq9NUqcRp1eqJx%2FvS8SUUSweYovFwRQ%3D)
Create a new IAM policy for the S3 bucket that allows uploading data to the bucket.
In the policy, click the JSON tab, and copy the Cato JSON below.
Edit the JSON and add the name for the S3 bucket, and then paste it in the tab.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::<bucket name>" ] }, { "Sid": "", "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::<bucket name>/*" ] } ] }Review the settings for the policy and click Create policy.
Create a new IAM role with Cato's ARN to allow Cato to upload events for your account to the S3 bucket.
In the Select trusted entity page, add Cato's ARN to the role:
arn:aws:iam::428465470022:role/cato-events-integration{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::428465470022:role/cato-events-integration" }, "Condition": {"StringEquals": {"sts:ExternalId": "<CMA Account ID>"}}, "Action": "sts:AssumeRole" } ] }Click Next.
In the Add permissions page, attach the policy that you created earlier to the role.
Click Next.
Enter the Role name and click Create role.
The AWS S3 bucket is ready to integrate with your Cato account.
Adding an Event Integration for Amazon S3
Create a new integration for the AWS S3 bucket in the Events Integration tab, and add the Role ARN to the integration. This ARN gives Cato permission to upload the event data to the S3 bucket.
After you define and enable the AWS S3 integration, it takes a few minutes for Cato to start uploading events to the S3 bucket.
You can filter the events that are uploaded to the S3 bucket by event type or subtype. For example, you can upload only IPS events for your account. By default, no filter is applied, and all events are uploaded to the S3 bucket.
To add an AWS S3 bucket integration to upload events for your account:
From the navigation menu, select Resources > Event Integrations.
Select Enable integration with Cato events.
Click New. The New Integration panel opens.
Configure the settings for the S3 bucket integration:
Enter the Name for the integration.
Enter these Connection Details for the integration based on the settings in AWS:
Bucket Name - Exact name of the S3 bucket
Folder - Folder path within the S3 bucket, if necessary
Region - Region where the S3 bucket is hosted
Note: Only regions for S3 buckets where the Security Token Service (STS) is active are supported.
Role ARN - Copy and paste the ARN for the role for the S3 bucket
(Optional) Define the filter settings for events that are uploaded to the S3 bucket.
When you define multiple filters, there is an AND relationship, and the events that match all filters are uploaded.
Click Apply. The AWS S3 bucket is now integrated with your account.
Note: You can define up to three Event Integrations for your account.