Set Up Activity Log
The Activity Log contains detailed events for your Tableau deployment that you can use for compliance, monitoring, and auditing. You must complete the following steps in order to use Activity Log.
Prerequisites
To use the Activity Log, you must have the following:
- Tableau Cloud with Advanced Management
- Amazon Web Services (AWS) account
  - You'll need your own AWS account to complete these steps.
  - You'll also need the Tableau AWS account number (061095916136) in Step 3 below, to receive the activity log in your Amazon Simple Storage Service (S3) bucket.
- Amazon Simple Storage Service (S3) bucket to receive data
  - You'll create an Amazon S3 bucket as part of the setup process. Amazon S3 is currently the only supported data delivery option.
  - You must create the Amazon S3 bucket in the same AWS region where your Tableau Cloud site is hosted. For more information about data locations, see Security in the Cloud and Tableau Cloud IP addresses for data provider authorization.

    Important: Pods in the Europe - Ireland region are moving to the Europe - Germany region as part of Tableau Cloud's migration to Hyperforce. If your site resides on a Europe - Ireland pod, you'll need to reconfigure Activity Log to use an AWS S3 bucket in the new region, Europe - Germany. For more information, see AWS region change for sites on Europe - Ireland pods below.
- AWS Key Management Service (KMS) single-region key for the Amazon S3 bucket that you create during setup.
Step 1. Create an AWS account
If you don't already have an Amazon Web Services (AWS) account, you can sign up for an AWS account at the AWS website.
Step 2. Create an Amazon S3 bucket and set up permissions
1. Create an Amazon S3 bucket to receive your log data. For more information, see Creating a bucket at the AWS website.
2. Configure the Amazon S3 bucket with the following settings:
   1. Under Object Ownership, select ACLs disabled (recommended). This ensures that the bucket owner is the owner of all objects written to it.
   2. Under Bucket Versioning, select Enable. Bucket versioning must be enabled in order to replicate objects.
   3. Under Default encryption, select Enable.
      - Choose AWS Key Management Service (SSE-KMS).
      - Choose Enter AWS KMS key ARN.
      - Click the Create key button that appears to create a new AWS Key Management Service (KMS) key.

        Note: KMS multi-region keys aren't supported.
      - Select Symmetric Key type and Encrypt and decrypt Key usage.
      - Name the key with an alias, and then click through until the Review page.
      - Add the following statement to the Statement list inside the Key policy, to give Tableau access to encrypt objects in the S3 bucket.

        Note: This statement allows the Tableau IAM role to encrypt the objects placed in the Amazon S3 bucket. "kms:GenerateDataKey" is used to generate a data key to encrypt object replicas. "kms:Encrypt" is used to encrypt object replicas created in the target S3 bucket. "Resource": "*" grants permission for the KMS key only to the replication role and doesn't allow the role to elevate its permissions. For more information, see Protecting data using server-side encryption with AWS Key Management Service (SSE-KMS) at the AWS website.

        ```json
        {
          "Sid": "AllowTableauS3ReplicationSourceRoleToUseTheKey",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::061095916136:role/prod-replication-rule-role"
          },
          "Action": [
            "kms:GenerateDataKey",
            "kms:Encrypt"
          ],
          "Resource": "*"
        }
        ```
      - Click Finish to create the KMS key.
   4. Click Create bucket to create the Amazon S3 bucket.
3. Update permissions on the Amazon S3 bucket policy.
   1. Open the Amazon S3 bucket and click the Permissions tab.
   2. Locate the Bucket policy section and click Edit.
   3. Add the following to the Statement list in the bucket policy. Replace S3-BUCKET-NAME with the name of the bucket.

      Note: This statement allows the Tableau IAM role to replicate objects into the bucket. Using "*" and "<path>/*" grants access to all prefixes in the specified bucket and path in the bucket, respectively. The "s3:ReplicateObject" and "s3:ReplicateDelete" permissions are the minimum permissions required to successfully replicate objects and delete markers. See Granting permissions when the source and destination buckets are owned by different AWS accounts at the AWS website.

      ```json
      {
        "Sid": "TableauS3ReplicationRoleAccess",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::061095916136:role/prod-replication-rule-role"
        },
        "Action": [
          "s3:ReplicateObject",
          "s3:ReplicateDelete"
        ],
        "Resource": [
          "arn:aws:s3:::S3-BUCKET-NAME",
          "arn:aws:s3:::S3-BUCKET-NAME/*"
        ]
      }
      ```
   4. Optional. If your destination bucket has a policy that restricts access through an Amazon Virtual Private Cloud (VPC) endpoint, you must change the bucket policy in addition to the TableauS3ReplicationRoleAccess statement that you just added. For more information, see How can I restrict access to my Amazon S3 bucket using specific VPC endpoints or IP addresses? at the AWS website.

      If the current bucket policy contains a VPC restriction like this:

      ```json
      {
        "Sid": "Restricted VPC Access",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::<S3-BUCKET-NAME>",
          "arn:aws:s3:::<S3-BUCKET-NAME>/*"
        ],
        "Condition": {
          "StringNotEquals": {
            "aws:SourceVpc": "vpc-<ID>"
          }
        }
      }
      ```

      then edit the "Condition" list to include the following:

      ```json
      "StringNotLike": {
        "aws:userId": ["AROAQ4OMZWJUBZG3DRFW5:*"]
      }
      ```

      Note: You must use the "AROAQ4OMZWJUBZG3DRFW5" RoleId for the Tableau IAM role.

      The edited policy should look like the following:

      ```json
      {
        "Sid": "Restricted VPC Access",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::<S3-BUCKET-NAME>",
          "arn:aws:s3:::<S3-BUCKET-NAME>/*"
        ],
        "Condition": {
          "StringNotLike": {
            "aws:userId": ["AROAQ4OMZWJUBZG3DRFW5:*"]
          },
          "StringNotEquals": {
            "aws:SourceVpc": "vpc-<ID>"
          }
        }
      }
      ```

      This policy explicitly allows the Tableau IAM role to ReplicateObject and ReplicateDelete, and additionally excludes the role from the existing explicit VPC deny statement (an explicit Deny would otherwise override the Allow you added).
   5. Click Save changes.
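The two statements above are easy to get subtly wrong: a placeholder left in place, an action added "to be safe", or an explicit VPC Deny that still catches the Tableau role and silently overrides the Allow. The following checker is an added example, not Tableau's or AWS's own code: it audits a bucket policy and a KMS key policy (as exported from the console, or from `get-bucket-policy` / `get-key-policy`) for exactly those points. It uses the role ARN and RoleId given on this page; the sample policies, bucket name and VPC ID are constructed.

```python
"""Audit the Activity Log replication statements in a destination bucket policy
and in its KMS key policy (Step 2 of this page). Added example, not Tableau's
or AWS's code. The role ARN and RoleId are the values given on this page; the
sample policies are constructed to mirror what the page tells you to paste."""
import json

TABLEAU_ROLE_ARN = "arn:aws:iam::061095916136:role/prod-replication-rule-role"
TABLEAU_ROLE_ID = "AROAQ4OMZWJUBZG3DRFW5"
REQUIRED_S3_ACTIONS = {"s3:ReplicateObject", "s3:ReplicateDelete"}
REQUIRED_KMS_ACTIONS = {"kms:GenerateDataKey", "kms:Encrypt"}
NETWORK_CONDITION_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp"}


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    return set(_as_list(principal.get("AWS"))) if isinstance(principal, dict) else set()


def _condition_keys(stmt):
    return {key for operand in stmt.get("Condition", {}).values() for key in operand}


def audit_bucket_policy(policy, bucket):
    """Return findings for the bucket policy; an empty list means it matches Step 2."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    wanted = {bucket_arn, bucket_arn + "/*"}
    allow_ok = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))
        if stmt.get("Effect") == "Allow" and TABLEAU_ROLE_ARN in _principals(stmt):
            # Least privilege: replication needs exactly these two actions, no wildcards.
            if actions != REQUIRED_S3_ACTIONS:
                findings.append(f"{sid}: actions {sorted(actions)} should be exactly "
                                f"{sorted(REQUIRED_S3_ACTIONS)}")
            if not wanted <= resources:
                findings.append(f"{sid}: does not cover {sorted(wanted - resources)}")
            if actions == REQUIRED_S3_ACTIONS and wanted <= resources:
                allow_ok = True
        # An explicit Deny wins over any Allow, so a network-restriction Deny on the
        # bucket must carve out the Tableau role by RoleId (aws:userId), as in Step 2.
        if (stmt.get("Effect") == "Deny" and resources & wanted
                and _condition_keys(stmt) & NETWORK_CONDITION_KEYS):
            excluded = _as_list(stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:userId"))
            if f"{TABLEAU_ROLE_ID}:*" not in excluded:
                findings.append(f"{sid}: Deny does not exclude aws:userId {TABLEAU_ROLE_ID}:*")
    if not allow_ok:
        findings.append("no Allow grants the Tableau role ReplicateObject/ReplicateDelete on the bucket")
    if "S3-BUCKET-NAME" in json.dumps(policy):
        findings.append("placeholder S3-BUCKET-NAME was not replaced")
    return findings


def audit_kms_key_policy(policy):
    """Return findings for the KMS key policy; empty means the Tableau statement is present."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and TABLEAU_ROLE_ARN in _principals(stmt):
            granted |= set(_as_list(stmt.get("Action")))
    findings = []
    if not REQUIRED_KMS_ACTIONS <= granted:
        findings.append(f"KMS policy missing {sorted(REQUIRED_KMS_ACTIONS - granted)} for the Tableau role")
    if granted - REQUIRED_KMS_ACTIONS:
        findings.append(f"KMS policy grants the Tableau role extra actions {sorted(granted - REQUIRED_KMS_ACTIONS)}")
    return findings


# Constructed samples: the Step 2 Allow plus a VPC-only Deny that carves out the
# Tableau role, and a key policy carrying the Step 2 statement. VPC ID is a placeholder.
BUCKET = "example-activity-log-bucket"
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TableauS3ReplicationRoleAccess", "Effect": "Allow",
     "Principal": {"AWS": TABLEAU_ROLE_ARN},
     "Action": ["s3:ReplicateObject", "s3:ReplicateDelete"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    {"Sid": "Restricted VPC Access", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"StringNotLike": {"aws:userId": [f"{TABLEAU_ROLE_ID}:*"]},
                   "StringNotEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}},
]}
SAMPLE_KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowTableauS3ReplicationSourceRoleToUseTheKey", "Effect": "Allow",
     "Principal": {"AWS": TABLEAU_ROLE_ARN},
     "Action": ["kms:GenerateDataKey", "kms:Encrypt"], "Resource": "*"},
]}
# Same bucket policy with the carve-out removed: the Deny would block replication.
SAMPLE_BUCKET_POLICY_NO_CARVEOUT = json.loads(json.dumps(SAMPLE_BUCKET_POLICY))
del SAMPLE_BUCKET_POLICY_NO_CARVEOUT["Statement"][1]["Condition"]["StringNotLike"]

if __name__ == "__main__":
    for name, result in [("bucket policy", audit_bucket_policy(SAMPLE_BUCKET_POLICY, BUCKET)),
                         ("kms key policy", audit_kms_key_policy(SAMPLE_KMS_POLICY)),
                         ("bucket policy without carve-out",
                          audit_bucket_policy(SAMPLE_BUCKET_POLICY_NO_CARVEOUT, BUCKET))]:
        print(name, "->", result or "OK")
```

Run it against your real policies by loading the JSON you pasted into the console (`json.load`) and passing your bucket name; the checker treats any deviation from the page's statements as a finding, including extra actions, because a Failed connection status in Step 3 is most often one of these policy mismatches.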
Step 3. Configure Tableau Cloud
1. Navigate to your Tableau site.
2. On the Settings page, select the Integrations tab.
3. In the Activity Log section, select the Enable button.
4. In the Set Up Connection dialog box, enter the following information:
   - In the AWS account number box, enter your 12-digit AWS account number. This is the AWS account number associated with your Amazon S3 bucket location.
   - In the S3 bucket name box, enter the name of the Amazon S3 bucket where Activity Log files will be delivered. This is the Amazon S3 bucket you created in Step 2. Create an Amazon S3 bucket and set up permissions. This must be a valid name according to AWS bucket name requirements.
   - In the KMS key ARN box, enter the KMS key Amazon Resource Name (ARN) that you created in Step 2. Create an Amazon S3 bucket and set up permissions. The account number in the ARN must match the provided AWS account number, and be of valid format (that is, arn:aws:kms:<region>:<account-id>:key/<key-id>).
5. Click Submit.

   The connection status column will show In progress as the system attempts to replicate a text file to the target Amazon S3 bucket to test the connection.

   After the file has been successfully replicated to the target Amazon S3 bucket, the connection status column will state Pending verification and display a widget to input 'Test file contents'. You might need to refresh the page to see updates.
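The dialog rejects malformed values, but it cannot tell you that the key sits in the wrong region or is a multi-region key, and a rejected submission costs a round trip. The following pre-flight check is an added example, not Tableau's code: it validates the three values above before you submit. The bucket-name rules are AWS's general-purpose bucket naming rules, which this page only refers to; the expected region is an assumption you supply from your site's hosting location (the bucket and key must be in that region); all sample values are constructed placeholders.

```python
"""Pre-flight check for the three values Step 3 asks for in the Set Up Connection
dialog. Added example, not Tableau's code. The bucket-name rules are AWS's
general-purpose bucket naming rules, which this page only refers to; the
expected region is something you supply from your site's hosting location.
All sample values below are constructed placeholders."""
import ipaddress
import re

BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
KMS_KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):(?P<account>\d{12}):key/(?P<key_id>[0-9a-z-]+)$")
KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def check_account_number(value):
    """The dialog wants the 12-digit account ID that owns the bucket."""
    return [] if re.fullmatch(r"\d{12}", value) else ["AWS account number must be exactly 12 digits"]


def check_bucket_name(name):
    """AWS bucket naming rules: 3-63 lowercase letters, digits, '.' and '-', start and
    end alphanumeric, no '..', not IP-formatted, and no reserved prefix/suffix."""
    problems = []
    if not BUCKET_NAME_RE.match(name):
        problems.append("bucket name must be 3-63 lowercase letters, digits, '.' or '-', "
                        "beginning and ending with a letter or digit")
    if ".." in name:
        problems.append("bucket name must not contain two adjacent periods")
    try:
        ipaddress.IPv4Address(name)
        problems.append("bucket name must not be formatted as an IP address")
    except ValueError:
        pass
    if name.startswith(("xn--", "sthree-")) or name.endswith(("-s3alias", "--ol-s3")):
        problems.append("bucket name uses a prefix or suffix reserved by AWS")
    return problems


def check_kms_key_arn(arn, account_number, expected_region):
    """The ARN must be arn:aws:kms:<region>:<account-id>:key/<key-id>; its account must
    match the entered account number, the key must be single-region, and it must sit
    in the same region as the bucket (the region your Tableau Cloud site is hosted in)."""
    m = KMS_KEY_ARN_RE.match(arn)
    if not m:
        return ["KMS key ARN is not of the form arn:aws:kms:<region>:<account-id>:key/<key-id>"]
    problems = []
    if m["account"] != account_number:
        problems.append(f"KMS key ARN account {m['account']} differs from the AWS account number {account_number}")
    if m["region"] != expected_region:
        problems.append(f"KMS key region {m['region']} differs from the site's region {expected_region}")
    if m["key_id"].startswith("mrk-"):
        # Multi-region key IDs begin with mrk-; Step 2 says these are not supported.
        problems.append("KMS key is a multi-region key; Activity Log requires a single-region key")
    elif not KEY_ID_RE.match(m["key_id"]):
        problems.append("KMS key ID is not a valid key ID")
    return problems


def check_setup_inputs(account_number, bucket_name, kms_key_arn, expected_region):
    """Collect every problem with the three dialog values; an empty list means submit."""
    return (check_account_number(account_number) + check_bucket_name(bucket_name)
            + check_kms_key_arn(kms_key_arn, account_number, expected_region))


if __name__ == "__main__":
    print(check_setup_inputs("123456789012", "example-activity-log-bucket",
                             "arn:aws:kms:eu-central-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                             "eu-central-1") or "inputs look consistent")
```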
Verify security file replication
1. Go to the target Amazon S3 bucket and find the folder beginning with siteLuid (the remainder of the name is the site's unique identifier).
2. Find the text file named SECURITY_VERIFICATION_FILE.txt.
3. Download and open the text file.
4. Copy the text content inside the file.
5. Return to the Settings page and paste the text contents into the Text file contents input field, and then click Submit.
   - If the submitted content is correct, the connection status changes to Active. Activity Log is now enabled, and data will begin to replicate to the target Amazon S3 bucket.
   - If the submitted content is incorrect, an error message will be displayed. Check that the content was copied correctly without extra characters or spaces.
Troubleshooting
Security verification file not appearing?
- The file could take up to 15 minutes to appear in the target Amazon S3 bucket due to Amazon S3 limitations. If the connection status says "In progress", the file is still attempting to replicate. For more information, see Troubleshooting replication at the AWS website.
- A connection status of Failed means that the file was unable to replicate successfully. Confirm that the permissions on the Amazon S3 bucket policy and the AWS Key Management Service (KMS) key policy contain the appropriate statements. For more information, see the following topics at the AWS website:
  - Troubleshooting replication
  - Configuring replication when source and destination buckets are owned by different accounts
  - I set up replication between my buckets, but new objects aren't replicating. How can I troubleshoot this?
Other settings that are required for log files to reach the Amazon S3 bucket
- The Amazon S3 bucket has Bucket Versioning enabled (under Properties > Bucket Versioning).
- The Amazon S3 bucket has Block all public access enabled (under Permissions > Block public access (bucket settings)).
- The Amazon S3 bucket has the following ACL permissions for only "Bucket owner" (under Permissions > Access Control List (ACL)):
  - Objects: List, Write
  - Bucket ACL: Read, Write
- The KMS key permissions policy contains the AllowTableauS3ReplicationSourceRoleToUseTheKey statement from Step 2. Create an Amazon S3 bucket and set up permissions (under Properties > Default encryption, click the ARN under AWS KMS Key ARN to go to the KMS key policy).
- The Amazon S3 bucket has default encryption enabled and bucket key enabled (under Properties > Default encryption).
- The Amazon S3 bucket permissions policy (under Permissions > Bucket Policy) exactly matches the one in the instructions. Ensure that you have replaced the example value "S3-BUCKET-NAME" with the name of the Amazon S3 bucket you just created.
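Clicking through the console for each item in the list above is error-prone on a bucket that has since been touched by other teams. As an added example (not Tableau's or AWS's code), the following checks those settings against the responses of the S3 API calls that report them. It assumes the response shapes returned by boto3's `get_bucket_versioning`, `get_public_access_block`, `get_bucket_ownership_controls`, `get_bucket_encryption` and `get_bucket_acl`; the sample responses are constructed, and the KMS key ARN and canonical user ID in them are placeholders.

```python
"""Check the bucket settings the troubleshooting list requires, given the responses
of the corresponding S3 API calls. Added example, not Tableau's or AWS's code. The
argument dicts are assumed to be shaped like boto3's get_bucket_versioning,
get_public_access_block, get_bucket_ownership_controls, get_bucket_encryption and
get_bucket_acl responses; the samples below are constructed placeholders."""

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket_settings(versioning, public_access_block, ownership_controls,
                          encryption, acl, expected_kms_key_arn):
    """Return findings; an empty list means the bucket matches the required settings."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("Bucket Versioning is not enabled (required for replication)")

    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) for flag in PUBLIC_ACCESS_FLAGS):
        findings.append("Block all public access is not fully enabled")

    rules = ownership_controls.get("OwnershipControls", {}).get("Rules", [])
    if not any(rule.get("ObjectOwnership") == "BucketOwnerEnforced" for rule in rules):
        findings.append("Object Ownership is not 'ACLs disabled' (BucketOwnerEnforced)")

    sse_rules = [r for r in encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
                 if r.get("ApplyServerSideEncryptionByDefault")]
    if not sse_rules:
        findings.append("default encryption is not enabled")
    else:
        default = sse_rules[0]["ApplyServerSideEncryptionByDefault"]
        if default.get("SSEAlgorithm") != "aws:kms":
            findings.append("default encryption is not SSE-KMS")
        else:
            # KMSMasterKeyID may come back as an ARN or a bare key ID; compare the key ID
            # part. An alias would not match and should be looked at by hand.
            configured = default.get("KMSMasterKeyID", "").rsplit("/", 1)[-1]
            if configured != expected_kms_key_arn.rsplit("/", 1)[-1]:
                findings.append("default encryption uses a different KMS key than the one entered in Tableau")
        if not sse_rules[0].get("BucketKeyEnabled"):
            findings.append("bucket key is not enabled")

    # With ACLs disabled the only grant is the owner's FULL_CONTROL, which covers the
    # Objects List/Write and Bucket ACL Read/Write the list above asks for.
    owner = acl.get("Owner", {}).get("ID")
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "CanonicalUser" or grantee.get("ID") != owner:
            findings.append(f"ACL grants {grant.get('Permission')} to a non-owner grantee")
    return findings


# Constructed sample responses (placeholders for the owner ID and the KMS key ARN).
OWNER_ID = "0123456789abcdef" * 4
KMS_KEY_ARN = "arn:aws:kms:eu-central-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
GOOD = dict(
    versioning={"Status": "Enabled"},
    public_access_block={"PublicAccessBlockConfiguration": {flag: True for flag in PUBLIC_ACCESS_FLAGS}},
    ownership_controls={"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KMS_KEY_ARN},
        "BucketKeyEnabled": True}]}},
    acl={"Owner": {"ID": OWNER_ID},
         "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"}]},
)
# The same bucket after versioning was suspended and the bucket key switched off.
DRIFTED = dict(GOOD, versioning={"Status": "Suspended"},
               encryption={"ServerSideEncryptionConfiguration": {"Rules": [{
                   "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KMS_KEY_ARN},
                   "BucketKeyEnabled": False}]}})

if __name__ == "__main__":
    print(audit_bucket_settings(**GOOD, expected_kms_key_arn=KMS_KEY_ARN) or "OK")
    print(audit_bucket_settings(**DRIFTED, expected_kms_key_arn=KMS_KEY_ARN))
```

To run it against a real bucket, call the five boto3 methods with `Bucket=<your bucket>` and pass their responses in; keep the check in whatever job already watches the bucket, since replication stops silently if versioning is later suspended.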
AWS region change for sites on Europe - Ireland pods
From August to December 2024, Tableau Cloud will be migrating to Salesforce's Hyperforce by pod. As part of the migration, pods in the Europe - Ireland region are moving to the Europe - Germany region. If your site resides on a Europe - Ireland pod, you'll need to reconfigure Activity Log to use an AWS S3 bucket in the new region, Europe - Germany.
For more information about the migration and when the Europe - Ireland pods are moving, see the Tableau Cloud Migration to Hyperforce knowledge article.