Set Up Activity Log

The Activity Log contains detailed events for your Tableau deployment that you can use for compliance, monitoring, and auditing. You must complete the following steps in order to use Activity Log.

Prerequisites

To use the Activity Log, you must have the following:

  • Tableau Cloud with Advanced Management

  • Amazon Web Services (AWS) account

    • You'll need your own AWS account to complete these steps.
    • You'll also need the Tableau AWS account number (061095916136) in Step 3 below, to receive the activity log in your Amazon Simple Storage Service (S3) bucket.
  • Amazon Simple Storage Service (S3) bucket to receive data

  • AWS Key Management Service (KMS) single-region key for the Amazon S3 bucket that you create during setup.

Step 1. Create an AWS account

If you don't already have an Amazon Web Services (AWS) account, you can sign up for an AWS account at the AWS website.

Step 2. Create an Amazon S3 bucket and set up permissions

1. Create an Amazon S3 bucket to receive your log data. For more information, see Creating a bucket at the AWS website.

  2. Configure the Amazon S3 bucket with the following settings:

    1. Under Object Ownership, select ACLs disabled (recommended). This ensures that the bucket owner is the owner of all objects written to it.

    2. Under Bucket Versioning, select Enable. Bucket versioning must be enabled in order to replicate objects.

    3. Under Default encryption, select Enable.

    4. Choose AWS Key Management Service (SSE-KMS).

    5. Choose Enter AWS KMS key ARN.

    6. Click the Create key button that appears to create a new AWS Key Management Service (KMS) key.

      Note: KMS multi-region keys aren't supported.

    7. Select Symmetric Key type and Encrypt and decrypt Key usage.

    8. Name the key with an alias, and then click through until the Review page.

    9. Add the following statement to the Statement list inside the Key policy, to give Tableau access to encrypt objects in the S3 bucket.

      Note: This statement allows the Tableau IAM role to encrypt the objects placed in the Amazon S3 bucket. "kms:GenerateDataKey" is used to generate a data key to encrypt object replicas. "kms:Encrypt" is used to encrypt object replicas created in the target S3 bucket. In a key policy, "Resource": "*" refers to this key only: the statement grants the replication role permission on the KMS key and doesn't allow the role to elevate its permissions. For more information see Protecting data using server-side encryption with AWS Key Management Service (SSE-KMS) at the AWS website.

      {
        "Sid": "AllowTableauS3ReplicationSourceRoleToUseTheKey",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::061095916136:role/prod-replication-rule-role"
        },
        "Action": [
          "kms:GenerateDataKey",
          "kms:Encrypt"
        ],
        "Resource": "*"
      }

    10. Click Finish to create the KMS key.

    11. Click Create bucket to create the Amazon S3 bucket.

  3. Update permissions on the Amazon S3 bucket policy.

    1. Open the Amazon S3 bucket and click the Permissions tab.

    2. Locate the Bucket policy section and click Edit.

    3. Add the following to the Statement list in the bucket policy. Replace S3-BUCKET-NAME with the name of the bucket.

      Note: This statement allows the Tableau IAM role to replicate objects into the bucket. Using "*" and "<path>/*" grants access to all prefixes in the specified bucket and path in the bucket, respectively. The "s3:ReplicateObject" and "s3:ReplicateDelete" permissions are the minimum permissions required to successfully replicate objects and delete markers. See Granting permissions when the source and destination buckets are owned by different AWS accounts at the AWS website.

      {
        "Sid": "TableauS3ReplicationRoleAccess",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::061095916136:role/prod-replication-rule-role"
        },
        "Action": [
          "s3:ReplicateObject",
          "s3:ReplicateDelete"
        ],
        "Resource": [
          "arn:aws:s3:::S3-BUCKET-NAME",
          "arn:aws:s3:::S3-BUCKET-NAME/*"
        ]
      }

    4. Optional. If your destination bucket has a policy that restricts access through an Amazon Virtual Private Cloud (VPC) endpoint, you must change the bucket policy in addition to the TableauS3ReplicationRoleAccess statement that you just added. For more information, see How can I restrict access to my Amazon S3 bucket using specific VPC endpoints or IP addresses? at the AWS website.

      If the current bucket policy contains a VPC restriction like this:

      {
        "Sid": "Restricted VPC Access",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::<S3-BUCKET-NAME>",
          "arn:aws:s3:::<S3-BUCKET-NAME>/*"
        ],
        "Condition": {
          "StringNotEquals": {
            "aws:SourceVpc": "vpc-<ID>"
          }
        }
      }

      Then edit the "Condition" list to include the following:

      "StringNotLike": {
        "aws:userId": ["AROAQ4OMZWJUBZG3DRFW5:*"]
      }

      Note: You must use the "AROAQ4OMZWJUBZG3DRFW5" RoleId for the Tableau IAM role.

      The edited policy should look like the following:

      {
        "Sid": "Restricted VPC Access",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::<S3-BUCKET-NAME>",
          "arn:aws:s3:::<S3-BUCKET-NAME>/*"
        ],
        "Condition": {
          "StringNotLike": {
            "aws:userId": ["AROAQ4OMZWJUBZG3DRFW5:*"]
          },
          "StringNotEquals": {
            "aws:SourceVpc": "vpc-<ID>"
          }
        }
      }

      With both changes in place, the bucket policy explicitly allows the Tableau IAM role to ReplicateObject and ReplicateDelete, and the added StringNotLike condition excludes that role's sessions (any aws:userId beginning with its RoleId) from the existing explicit VPC Deny statement. Both conditions in the Condition block must be true for the Deny to apply, so requests made by the Tableau role are no longer denied.

    5. Click Save changes.
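As an added check (example code, not part of the Tableau documentation), the following Python validates a bucket policy against the requirements of this step: the TableauS3ReplicationRoleAccess Allow statement with the S3-BUCKET-NAME placeholder replaced, and, when a VPC-restricting Deny is present, the aws:userId carve-out for the Tableau role. The sample policy, the bucket name example-activity-log and the VPC ID are constructed for the example.

```python
import json

# Values from the setup steps on this page: Tableau's replication role, its RoleId, and the minimum actions.
TABLEAU_ROLE_ARN = "arn:aws:iam::061095916136:role/prod-replication-rule-role"
TABLEAU_ROLE_ID = "AROAQ4OMZWJUBZG3DRFW5"
REQUIRED_ACTIONS = {"s3:ReplicateObject", "s3:ReplicateDelete"}


def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM policy fields may be a string or a list


def check_bucket_policy(policy_json, bucket):
    """Return the problems found in a bucket policy; an empty list means it matches the steps."""
    problems, allow_found = [], False
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in json.loads(policy_json).get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        actions = set(_as_list(st.get("Action", [])))
        resources = set(_as_list(st.get("Resource", [])))
        if any("S3-BUCKET-NAME" in r for r in resources):
            problems.append(f"{sid}: placeholder S3-BUCKET-NAME was not replaced")
        if st.get("Effect") == "Allow" and TABLEAU_ROLE_ARN in aws:
            if (REQUIRED_ACTIONS <= actions or "s3:*" in actions) and expected <= resources:
                allow_found = True
        # A Deny keyed on aws:SourceVpc also blocks Tableau's replication unless the role's
        # sessions are carved out with StringNotLike on aws:userId ("<RoleId>:*").
        if st.get("Effect") == "Deny" and "*" in aws:
            cond = st.get("Condition", {})
            if "aws:SourceVpc" in cond.get("StringNotEquals", {}):
                excluded = _as_list(cond.get("StringNotLike", {}).get("aws:userId", []))
                if f"{TABLEAU_ROLE_ID}:*" not in excluded:
                    problems.append(f"{sid}: VPC deny does not exclude aws:userId {TABLEAU_ROLE_ID}:*")
    if not allow_found:
        problems.append("no Allow statement grants the Tableau role ReplicateObject/ReplicateDelete on the bucket")
    return problems


# Constructed sample: the Allow statement from this step plus a VPC Deny that lacks the carve-out.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TableauS3ReplicationRoleAccess", "Effect": "Allow",
     "Principal": {"AWS": TABLEAU_ROLE_ARN},
     "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
     "Resource": ["arn:aws:s3:::example-activity-log", "arn:aws:s3:::example-activity-log/*"]},
    {"Sid": "Restricted VPC Access", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-activity-log", "arn:aws:s3:::example-activity-log/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}}]})

if __name__ == "__main__":
    print(check_bucket_policy(SAMPLE_POLICY, "example-activity-log"))
```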

Step 3. Configure Tableau Cloud

  1. Navigate to your Tableau site.

  2. On the Settings page, select the Integrations tab.

  3. In the Activity Log section, select the Enable button.

  4. In the Set Up Connection dialog box, enter the following information:

    1. In the AWS account number box, enter your 12-digit AWS account number. This is the AWS account number associated with your Amazon S3 bucket location.

    2. In the S3 bucket name box, enter the name of the Amazon S3 bucket where Activity Log files will be delivered. This is the Amazon S3 bucket you created in Step 2. Create an Amazon S3 bucket and set up permissions. This must be a valid name according to AWS bucket name requirements.

    3. In the KMS key ARN box, enter the KMS key Amazon Resource Name (ARN) that you created in Step 2. Create an Amazon S3 bucket and set up permissions. The account number in the ARN must match the provided AWS account number, and be of valid format (i.e. arn:aws:kms:<region>:<account-id>:key/<key-id>).

  5. Click Submit.

    The connection status column will show In progress as the system attempts to replicate a text file to the target Amazon S3 bucket to test the connection.

    After the file has been successfully replicated to the target Amazon S3 bucket, the connection status column will state Pending verification and display a widget to input ‘Test file contents’. You might need to refresh the page to see updates.

Verify security file replication

  1. Go to the target Amazon S3 bucket and find the folder beginning with siteLuid (the remainder of the name is the site’s unique identifier).

  2. Find the text file named SECURITY_VERIFICATION_FILE.txt.

  3. Download and open the text file.

  4. Copy the text content inside the file.

  5. Return to the Settings page and paste the text contents into the Text file contents input field, and then click Submit.

  6. If the submitted content is correct, the connection status changes to Active. Activity Log is now enabled, and data will begin to replicate to the target Amazon S3 bucket.

  7. If the submitted content is incorrect, an error message will be displayed. Check that the content was copied correctly without extra characters or spaces.

Troubleshooting

Security verification file not appearing?

Other settings that are required for log files to reach the Amazon S3 bucket

  • The Amazon S3 bucket has Bucket Versioning enabled (under Properties > Bucket Versioning).

  • The Amazon S3 bucket has Block all public access enabled (under Permissions > Block public access (bucket settings)).

  • The Amazon S3 bucket has the following ACL permissions for only “Bucket owner” (under Permissions > Access Control List (ACL)):

    • Objects: List, Write

    • Bucket ACL: Read, Write

  • The KMS key permissions policy contains the statement in Step 2. Create an Amazon S3 bucket and set up permissions, step 2.9 (under Properties > Default encryption, click the ARN under AWS KMS Key ARN to go to the KMS key policy).

  • The Amazon S3 bucket has default encryption enabled and bucket key enabled (under Properties > Default encryption).

  • The Amazon S3 bucket permissions policy (under Permissions > Bucket Policy) exactly matches the one in the instructions. Ensure that you have replaced the example value "S3-BUCKET-NAME" with the Amazon S3 bucket you just created.
