Overview

This guide walks you through setting up the required AWS infrastructure for Meter’s SIEM integration using the AWS Management Console. You’ll create a Kinesis Data Stream and configure IAM roles to allow Meter to securely deliver security events to your AWS account.

Use cases

  • Set up SIEM integration without using infrastructure-as-code tools
  • Quick proof-of-concept or testing environment setup
  • Organizations that prefer GUI-based configuration
  • One-time deployment where Terraform automation isn’t needed

Prerequisites

  • AWS account with console access
  • Permissions to create IAM roles, policies, and Kinesis streams
  • Basic familiarity with AWS Console navigation
  • Verify you can access both the Kinesis and IAM services in the AWS Console

Setup

Before starting, you’ll need to:
  1. Log in to the AWS Management Console
  2. Determine which AWS region you want to use for your Kinesis stream
  3. Generate a secure external ID for IAM role assumption

Generate external ID

The external ID is a secret string that prevents unauthorized access to your IAM role.
  1. Open a terminal or command prompt
  2. Run the following command to generate a secure random string:
openssl rand -hex 32
  3. Save this value securely (you’ll need it multiple times during setup)
Example output: 9167190a4095f18bb33c84d75f9596366ee0cd392332e72f130f66da38c320d3

How-to

Create Kinesis Data Stream

  1. In the AWS Console, navigate to Kinesis > Data streams and click Create data stream
  2. Configure:
    • Name: meter-siem-events (or your preferred name)
    • Capacity mode: Provisioned
    • Provisioned shards: 1
    • Data retention: 24 hours (adjust as needed)
  3. Click Create data stream and wait for status to become Active (1-2 minutes)
  4. Copy the stream ARN for use in Dashboard

Create IAM policy

  1. Navigate to IAM > Policies and click Create policy
  2. Select the JSON tab and paste this policy (replace the ARN with your stream ARN):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:PutRecord",
        "kinesis:PutRecords"
      ],
      "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/meter-siem-events"
    }
  ]
}
  3. Click Next, name it MeterSIEMKinesisWritePolicy, and click Create policy

Create IAM role

  1. Navigate to IAM > Roles and click Create role
  2. Configure the trusted entity:
    • Trusted entity type: AWS account
    • Account ID: 458553032353 (Meter’s AWS account)
    • Check Require external ID and enter your generated external ID
  3. Click Next and attach the MeterSIEMKinesisWritePolicy policy
  4. Click Next, name the role MeterSIEMIntegrationRole, and click Create role
  5. Open the role and copy its ARN for use in Dashboard
The trust policy should automatically be configured correctly, but you can verify it matches this format:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::458553032353:role/Meter-data-export"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "your-external-id-here"
        }
      }
    }
  ]
}
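
An offline check for the two policy documents above, added here as an example (not Meter's or AWS's code): it flags a trust policy whose principal is outside Meter's account or whose sts:ExternalId condition is missing or still the placeholder, and a write policy broader than PutRecord/PutRecords on the one stream. The function names are hypothetical; the sample trust policy and external ID are the ones shown in this guide.

```python
import re

METER_ACCOUNT = "458553032353"  # Meter's AWS account ID, as given in this guide
WRITE_ACTIONS = {"kinesis:PutRecord", "kinesis:PutRecords"}

def _as_list(value):  # IAM accepts a single string or a list in these fields
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, external_id):
    """Return findings for the role trust policy; an empty list means it passed."""
    findings = []
    if not re.fullmatch(r"[0-9a-f]{64}", external_id):
        findings.append("external ID is not 64 hex chars (openssl rand -hex 32)")
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # A missing or bare "*" principal is treated as a wildcard.
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else ["*"]
        if isinstance(principal, dict) and set(principal) - {"AWS"}:
            findings.append("non-AWS principal type present")
        for arn in arns:
            if arn != METER_ACCOUNT and not arn.startswith(f"arn:aws:iam::{METER_ACCOUNT}:"):
                findings.append(f"principal outside Meter's account: {arn}")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("action is not exactly sts:AssumeRole")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(cond.get("sts:ExternalId", [])) != [external_id]:
            findings.append("sts:ExternalId condition missing or mismatched")
    return findings

def audit_write_policy(policy, stream_arn):
    """Return findings for the permissions policy attached to the role."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(_as_list(stmt.get("Action", []))) - WRITE_ACTIONS
        if extra:
            findings.append(f"actions beyond PutRecord/PutRecords: {sorted(extra)}")
        for res in _as_list(stmt.get("Resource", [])):
            if res != stream_arn:
                findings.append(f"resource is not the SIEM stream: {res}")
    return findings

# Sample input: the trust policy format and example external ID shown in this guide.
EXAMPLE_ID = "9167190a4095f18bb33c84d75f9596366ee0cd392332e72f130f66da38c320d3"
EXAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{METER_ACCOUNT}:role/Meter-data-export"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXAMPLE_ID}}}]}
```

To check a live role, pass the JSON from the role's trust relationship and the attached policy through json.loads() together with your own external ID and stream ARN.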

Complete setup in Dashboard

With your Kinesis ARN, Role ARN, and External ID, follow the Configuring SIEM integration guide to complete setup in Meter Dashboard.

Configuration reference

Kinesis Data Stream settings

| Setting | Recommended Value | Notes |
| --- | --- | --- |
| Capacity mode | Provisioned | More cost-effective for predictable workloads |
| Provisioned shards | 1 | Sufficient for most networks; scale up if needed |
| Data retention | 24 hours | Balance between cost and buffer time |
| Encryption | Optional | Enable for compliance requirements |

IAM Policy permissions

The policy grants only the minimum required permissions:

| Permission | Purpose |
| --- | --- |
| kinesis:PutRecord | Write individual events to the stream |
| kinesis:PutRecords | Write batched events to the stream |

IAM Role trust policy

| Element | Value | Purpose |
| --- | --- | --- |
| Principal AWS | arn:aws:iam::458553032353:role/Meter-data-export | Meter’s service role |
| Action | sts:AssumeRole | Allows role assumption |
| Condition | External ID match | Prevents confused deputy attacks |

Best practices

Monitoring

  • Enable CloudWatch metrics: In the Kinesis stream settings, ensure shard-level metrics are enabled for IncomingBytes and IncomingRecords
  • Set up alarms: Create CloudWatch alarms to alert when no events are received for 10+ minutes
  • Monitor costs: Track Kinesis stream costs in AWS Cost Explorer, especially if you increase shard count

Operational

  • Document your setup: Save the Kinesis ARN, Role ARN, and External ID in your password manager or documentation system
  • Tag resources: Add tags to your Kinesis stream and IAM role for cost tracking (e.g., Environment: Production, ManagedBy: Security Team)
  • Test regularly: Send test events from Meter Dashboard after any AWS configuration changes

Performance optimization

  • Right-size shards: Monitor the WriteProvisionedThroughputExceeded metric; if you see throttling, increase the shard count
  • Adjust retention: If you only process events in real-time, consider reducing retention to 24 hours to save costs
  • Consider on-demand mode: For variable or unpredictable workloads, switch to on-demand capacity mode

Troubleshooting

Kinesis stream not appearing

Check the region selector in the top-right corner - Kinesis streams are region-specific.

“Invalid principal” error

Verify you entered Meter’s AWS account ID 458553032353 exactly as shown.

“Unauthorized” in Dashboard

  • Verify the external ID in IAM exactly matches what you entered in Dashboard
  • Check that the IAM policy is attached to the role
  • Confirm the Kinesis stream ARN in the policy matches your stream

Cannot find IAM policy when creating role

Verify MeterSIEMKinesisWritePolicy exists in IAM > Policies. If missing, recreate it.

High AWS costs

Monitor CloudWatch metrics and adjust shard count or retention period as needed. Consider switching to on-demand mode for unpredictable workloads.

Need help?

If you run into any issues or have questions, please reach out to our Support Engineering team by opening a ticket via the Dashboard: https://dashboard.meter.com/support

Last updated by Meter Support Engineering on 09/29/2025