Create an SQS Queue for Data Forwarder Input with IBM QRadar

To create an SQS Queue for use with IBM QRadar, perform the following procedure.

Prerequisites

Create an AWS S3 Bucket for Data Forwarder Input with IBM QRadar

Procedure

Sign into the AWS Management Console.
Go to Simple Queue Service.
Create a Standard Queue.
1. Enter a unique name for the queue.
2. Set the Message Retention period to 14 days.

Change the Access policy to use Advanced. Copy and paste the following configuration:

{
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__sender_statement",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "SQS:SendMessage",
            "Resource": "arn:aws:sqs:<aws-region>:535601802221:<name-of-queue>",
            "Condition": {
                "ForAllValues:ArnEquals": {
                    "aws:SourceArn": "arn:aws:s3:::<name-of-s3-bucket>"
                }
            }
        }
    ]
}

To configure the Event Notification in the S3 bucket to use this queue, go to Properties > Event Notifications.
For the Destination SQS queue, set the ARN of the new queue.

Note: If you need to reload older events and are using SQS to pull buckets, the events will not be available in the queue after they are retrieved. To view historical events or reload data, use the generic S3 option or copy the events to another prefix to copy it to the queue.

What to do next

See Creating a Data Forwarder for IBM QRadar.