
Overview

This guide walks you through setting up the required AWS infrastructure for Meter’s SIEM integration using the AWS Management Console. You’ll create a Kinesis Data Stream and configure IAM roles to allow Meter to securely deliver security events to your AWS account.

Use cases

  • Set up SIEM integration without using infrastructure-as-code tools
  • Quick proof-of-concept or testing environment setup
  • Organizations that prefer GUI-based configuration
  • One-time deployment where Terraform automation isn’t needed

Prerequisites

  • AWS account with console access
  • Permissions to create IAM roles, policies, and Kinesis streams
  • Basic familiarity with AWS Console navigation
  • Verify you can access both the Kinesis and IAM services in the AWS Console

Setup

Before starting, you’ll need to:
  1. Log in to the AWS Management Console
  2. Determine which AWS region you want to use for your Kinesis stream
  3. Generate a secure external ID for IAM role assumption

Generate external ID

The external ID is a secret string that prevents unauthorized access to your IAM role.
  1. Open a terminal or command prompt
  2. Run the following command to generate a secure random string:
openssl rand -hex 32
  3. Save this value securely (you’ll need it multiple times during setup)
  4. Example output: 9167190a4095f18bb33c84d75f9596366ee0cd392332e72f130f66da38c320d3

How-to

Create Kinesis Data Stream

  1. Navigate to the AWS Kinesis service in the console
  2. Click Data streams in the left sidebar
  3. Click Create data stream
  4. Configure the data stream:
    • Data stream name: Enter a descriptive name (e.g., meter-siem-events)
    • Capacity mode: Select Provisioned
    • Provisioned shards: Enter 1 (suitable for most deployments)
  5. Expand Data stream configuration (optional settings):
    • Data retention period: Leave at default 24 hours or adjust based on your needs
    • Encryption: Enable if required for compliance
  6. Click Create data stream
  7. Wait for the stream status to change to Active (this takes 1-2 minutes)
  8. Copy the ARN from the data stream details page
    • Format: arn:aws:kinesis:us-east-1:123456789012:stream/meter-siem-events
    • Save this ARN for later use in Meter Dashboard

Create IAM policy for Kinesis write access

  9. Navigate to the IAM service in the console
  10. Click Policies in the left sidebar
  11. Click Create policy
  12. Select the JSON tab
  13. Replace the default policy with the following (update the Resource ARN with your Kinesis stream ARN):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:PutRecord",
        "kinesis:PutRecords"
      ],
      "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/meter-siem-events"
    }
  ]
}
  14. Click Next
  15. Configure policy details:
    • Policy name: Enter MeterSIEMKinesisWritePolicy
    • Description: Enter Allows Meter to write security events to Kinesis stream
  16. Click Create policy

Create IAM role for Meter

  17. In the IAM console, click Roles in the left sidebar
  18. Click Create role
  19. Configure trusted entity:
    • Trusted entity type: Select AWS account
    • An AWS account: Select Another AWS account
    • Account ID: Enter 458553032353 (Meter’s AWS account)
    • Options: Check Require external ID
    • External ID: Enter the external ID you generated earlier
  20. Click Next
  21. Attach permissions policy:
    • Search for MeterSIEMKinesisWritePolicy (the policy you created earlier)
    • Check the box next to the policy
  22. Click Next
  23. Configure role details:
    • Role name: Enter MeterSIEMIntegrationRole
    • Description: Enter Allows Meter to publish security events to Kinesis
  24. Review the configuration and click Create role
  25. Find your newly created role in the roles list and click on it
  26. Copy the ARN from the role summary
    • Format: arn:aws:iam::123456789012:role/MeterSIEMIntegrationRole
    • Save this ARN for use in Meter Dashboard

Verify trust policy

  27. In the role details page, click the Trust relationships tab
  28. Click Edit trust policy
  29. Verify the trust policy matches this format (your external ID will be different):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::458553032353:role/Meter-data-export"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "9167190a4095f18bb33c84d75f9596366ee0cd392332e72f130f66da38c320d3"
        }
      }
    }
  ]
}
  30. If everything looks correct, click Cancel (no changes needed)
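
A scripted version of this verification and of the write policy created earlier, as an added example (not Meter's code): it checks a trust policy and a permissions policy, supplied as parsed JSON, against the values this page gives. The function names are hypothetical, and the sample documents are constructed from the page's placeholder stream ARN and example external ID.

```python
METER_PRINCIPAL = "arn:aws:iam::458553032353:role/Meter-data-export"  # from this page
ALLOWED_ACTIONS = {"kinesis:PutRecord", "kinesis:PutRecords"}  # from this page

def as_list(value):
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, external_id):
    """Return findings for a role trust policy; an empty list means it matches."""
    findings = []
    statements = as_list(policy.get("Statement", []))
    if len(statements) != 1:
        findings.append(f"expected 1 statement, found {len(statements)}")
    for st in statements:
        p = st.get("Principal")
        principals = as_list(p.get("AWS", [])) if isinstance(p, dict) else [p]
        if principals != [METER_PRINCIPAL]:
            findings.append(f"unexpected principal: {principals}")
        if st.get("Effect") != "Allow" or as_list(st.get("Action")) != ["sts:AssumeRole"]:
            findings.append("statement is not a plain Allow of sts:AssumeRole")
        cond = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond is None:
            findings.append("no StringEquals condition on sts:ExternalId")
        elif cond != external_id:
            findings.append("sts:ExternalId differs from the saved value")
    return findings

def check_write_policy(policy, stream_arn):
    """Return findings for the permissions policy attached to the role."""
    findings = []
    for st in as_list(policy.get("Statement", [])):
        extra = set(as_list(st.get("Action", []))) - ALLOWED_ACTIONS
        if st.get("Effect") == "Allow" and extra:
            findings.append(f"actions beyond PutRecord/PutRecords: {sorted(extra)}")
        if as_list(st.get("Resource", [])) != [stream_arn]:
            findings.append("resource is not exactly the stream ARN")
    return findings

# Constructed sample input: the page's placeholder ARN and example external ID.
STREAM = "arn:aws:kinesis:us-east-1:123456789012:stream/meter-siem-events"
EXT_ID = "9167190a4095f18bb33c84d75f9596366ee0cd392332e72f130f66da38c320d3"
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": METER_PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXT_ID}}}]}
WRITE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["kinesis:PutRecord", "kinesis:PutRecords"], "Resource": STREAM}]}

if __name__ == "__main__":
    print(check_trust_policy(TRUST, EXT_ID) or "trust policy OK")
    print(check_write_policy(WRITE, STREAM) or "write policy OK")
```

To run it against the real role, export the trust policy with `aws iam get-role`, parse the document with `json.load`, and pass it to `check_trust_policy` together with the external ID you saved.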

Configure in Meter Dashboard

  31. You now have all three required values:
    • AWS Kinesis ARN: From step 8
    • Role ARN: From step 26
    • External ID: From step 2
  32. Navigate to Meter Dashboard and follow the Configuring SIEM integration guide to complete the setup
  33. Use the Send test event feature in Dashboard to verify the configuration

Configuration reference

Kinesis Data Stream settings

| Setting | Recommended Value | Notes |
|---|---|---|
| Capacity mode | Provisioned | More cost-effective for predictable workloads |
| Provisioned shards | 1 | Sufficient for most networks; scale up if needed |
| Data retention | 24 hours | Balance between cost and buffer time |
| Encryption | Optional | Enable for compliance requirements |

IAM Policy permissions

The policy grants only the minimum required permissions:
| Permission | Purpose |
|---|---|
| kinesis:PutRecord | Write individual events to the stream |
| kinesis:PutRecords | Write batched events to the stream |

IAM Role trust policy

| Element | Value | Purpose |
|---|---|---|
| Principal AWS | arn:aws:iam::458553032353:role/Meter-data-export | Meter’s service role |
| Action | sts:AssumeRole | Allows role assumption |
| Condition | External ID match | Prevents confused deputy attacks |

Best practices

Monitoring

  • Enable CloudWatch metrics: In the Kinesis stream settings, ensure shard-level metrics are enabled for IncomingBytes and IncomingRecords
  • Set up alarms: Create CloudWatch alarms to alert when no events are received for 10+ minutes
  • Monitor costs: Track Kinesis stream costs in AWS Cost Explorer, especially if you increase shard count

Operational

  • Document your setup: Save the Kinesis ARN, Role ARN, and External ID in your password manager or documentation system
  • Tag resources: Add tags to your Kinesis stream and IAM role for cost tracking (e.g., Environment: Production, ManagedBy: Security Team)
  • Test regularly: Send test events from Meter Dashboard after any AWS configuration changes

Performance optimization

  • Right-size shards: Monitor the WriteProvisionedThroughputExceeded metric; if you see throttling, increase the shard count
  • Adjust retention: If you only process events in real-time, consider reducing retention to 24 hours to save costs
  • Consider on-demand mode: For variable or unpredictable workloads, switch to on-demand capacity mode

Troubleshooting

Kinesis stream not appearing in AWS Console

Cause: You’re viewing the wrong region.
Solution:
  • Check the region selector in the top-right corner of the AWS Console
  • Switch to the region where you created the stream
  • Kinesis streams are region-specific resources

IAM role creation fails with “Invalid principal”

Cause: The Meter AWS account ID was entered incorrectly.
Solution:
  • Verify you entered 458553032353 exactly as shown
  • Ensure there are no extra spaces or characters
  • The account ID is 12 digits

“Unauthorized” error in Meter Dashboard

Cause: Trust policy misconfiguration or incorrect external ID.
Solution:
  • Verify the external ID in the IAM trust policy exactly matches what you entered in Dashboard
  • Check that the Principal ARN is arn:aws:iam::458553032353:role/Meter-data-export
  • Ensure the IAM policy is attached to the role (check the Permissions tab)
  • Verify the Kinesis stream ARN in the policy matches your actual stream

Cannot find the IAM policy when creating the role

Cause: Policy creation failed or you’re searching in the wrong account.
Solution:
  • Go back to IAM > Policies and verify MeterSIEMKinesisWritePolicy exists
  • If missing, recreate the policy following steps 9-16
  • When attaching policies, use the search box to filter by name

High AWS costs

Cause: Over-provisioned shards or extended data retention.
Solution:
  • Review your actual event volume in CloudWatch metrics
  • If IncomingBytes is consistently low, reduce shard count to 1
  • Consider reducing data retention period from 24 hours to a shorter period
  • Switch to on-demand mode if your workload is unpredictable

Need help?

If you run into any issues or have questions, please reach out to our Support Engineering team by opening a ticket via the Dashboard: https://dashboard.meter.com/support

Last updated by Meter Support Engineering on 09/29/2025