Amazon Monitron is no longer open to new customers. Existing customers can continue to use the service as normal. For capabilities similar to Amazon Monitron, see our [blog post](https://aws.amazon.com/blogs/machine-learning/maintain-access-and-consider-alternatives-for-amazon-monitron).
# Exporting your Amazon Monitron data to Amazon S3
You may sometimes want to access the raw data that Amazon Monitron is storing for you, in order to stay informed about exactly what kind of data you’re securely storing with AWS.
You can get your raw data by filing a support ticket with AWS, and by giving Amazon Monitron permission to deliver your data to you.
To get real time operational data for Amazon Monitron resources that can be consumed programmatically, consider exporting your data using Kinesis streams. For more information, see [Amazon Monitron Kinesis data export v2](https://docs.aws.amazon.com/Monitron/latest/user-guide/monitron-kinesis-export-v2.html).
**Topics**
+ [Prerequisites](exporting-data-procedure.md)
+ [Exporting your data with CloudFormation (recommended option)](onetime-download-cflink.md)
+ [Exporting your data with the console](onetime-download-console.md)
+ [Exporting your data with CloudShell](export-shell.md)
# Prerequisites
To successfully export your Amazon Monitron data, the following prerequisites must be met.
+ You must not already have another export (of Amazon Monitron data) running in the same region.
+ You cannot have run another export in same region in past 24 hours.
# Exporting your data with CloudFormation (recommended option)
**Topics**
+ [Step 1: Create your Amazon S3 bucket, IAM role, and IAM policies.](#gdpr-cloudfront-makestack)
+ [Step 2: Note your resources](#gdpr-cloudfront-resources)
+ [Step 3: Create the support case](#gdpr-cloudfront-case)
## Step 1: Create your Amazon S3 bucket, IAM role, and IAM policies.
1. Sign in to your AWS account.
1. Open a new browser tab with the following URL.
```
https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://s3.us-east-1.amazonaws.com/monitron-cloudformation-templates-us-east-1/monitron_manual_download.yaml&stackName=monitronexport
```
1. On the CloudFormation page that opens, in the upper right corner, select the region in which you are using Amazon Monitron.
1. Choose **Create stack**.
![\[CloudFormation quick create stack interface with template URL, stack name, and IAM role options.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-1.png)
1. On the next page, choose the refresh icon as often as you like until the status of the stack (monitronexport) is CREATE\$1COMPLETE.
![\[CloudFormation stack details page showing monitronexport stack in CREATE_IN_PROGRESS state.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-2.png)
## Step 2: Note your resources
1. Choose the **Outputs** tab.
1. Note the value of the key `MonRoleArn`.
1. Note the value of the key `S3BucketArn`.
1. Note your account ID from the upper right corner of the page).
1. Note the region you chose in Step 1. It also now appears at the top of the page, to the left of your account ID.
![\[CloudFormation stack outputs page showing MonRoleArn and S3BucketArn with descriptions.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-3.png)
## Step 3: Create the support case
1. From your AWS console, choose the question mark icon near the upper right corner of any page, then choose **Support Center**.
![\[AWS console interface showing IAM dashboard with Support Center dropdown menu highlighted.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/gdpr-support-question-mark.png)
1. On the next page, choose **Create case**.
![\[Support Center interface with Quick solutions, Active cases, and Create case button.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-4.png)
1. On the **How can we help?** page, do the following:
1. Choose **Account and billing support**.
1. Under **Service**, choose **Account**.
1. Under **Category**, choose **Compliance & Accreditations**.
1. Choose **Severity**, if that option is available to you based on your support subscription.
1. Choose **Next step: Additional information**.
![\[Support case form with Account and billing selected, and service details specified.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-5.png)
1. In **Additional information** do the following:
1. Under **Subject**, enter **Amazon Monitron data export request**.
1. In the **Description** field, enter:
1. your account ID
1. the region of the bucket you created
1. the ARN of the bucket you created (for example: "arn:aws:s3:::bucketname")
1. the ARN of the role you created (for example: "arn:aws:iam::273771705212:role/role-for-monitron")
![\[Form for Amazon Monitron data export request with fields for account and bucket details.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-6.png)
1. Choose **Next step: Solve now or contact us**.
1. In **Solve now or contact us** do the following:
1. In **Solve now**, select **Next**.
![\[Support options interface with "Solve now" and "Contact us" buttons, and recommendations.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-7.png)
1. In **Contact us**, choose your **Preferred contact language** and preferred method of contact.
1. Choose **Submit**. A confirmation screen with your case ID and details will be displayed.
![\[Contact options with language selection and choices for Web, Phone, or Chat communication.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-8.png)
An AWS customer support specialist will get back to you as soon as possible. If there are any issues with the steps listed, the specialist may ask you for more information. If all the necessary information has been provided, the specialist will let you know as soon as your data has been copied to the Amazon S3 bucket that you created above.
# Exporting your data with the console
**Topics**
+ [Step 1: Setting up your Amazon S3 bucket](#gdpr-console-s3)
+ [Step 2: Give Amazon Monitron permission to access Amazon S3](#gdpr-console-set-policy)
+ [Step 3: Create the role](#gdpr-console-create-role)
+ [Step 4: Create the trust policy](#gdpr-console-trust-policy)
+ [Step 5: Create the support case](#gdpr-console-case)
## Step 1: Setting up your Amazon S3 bucket
1. Open the [Amazon S3 console](https://console.aws.amazon.com/s3/).
1. Choose **Create bucket**.
![\[Amazon S3 console interface showing Buckets section with Create bucket button highlighted.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/gdpr-create-bucket.png)
1. Name your bucket and select an appropriate region. Then, at the bottom of the page, choose **Create bucket**.
**Important**
At this time, Amazon Monitron is only supported in three regions:
US East (N. Virginia) us-east-1
EU (Ireland) eu-west-1
Asia Pacific (Sydney) ap-south-east-2
Therefore, your Amazon S3 bucket must be in one of those regions.
It must also be the same region in which you are using the Amazon Monitron service.
![\[Create bucket interface showing bucket name "monitron-export-example" and AWS Region "US East (N. Virginia)".\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/gdpr-create-bucket-2.png)
1. Review the rest of the options on the page, and make the appropriate choices, depending on your security needs and policies.
**Important**
You are responsible for taking the appropriate steps to secure your data. We strongly recommend using server-side encryption and blocking public access to your bucket.
1. Using the search box, find the bucket you just created, and then choose it.
![\[AWS S3 console showing a newly created bucket named "monitron-export-example" in the bucket list.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/gdpr-choose-s3-bucket.png)
1. From the **Properties** tab, make a note of the name, ARN, and region of the bucket.
![\[S3 bucket properties showing name, region, ARN, and creation date for monitron-export-example.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/gdpr-s3-properties-tab.png)
## Step 2: Give Amazon Monitron permission to access Amazon S3
1. Open the [ IAM console](https://console.aws.amazon.com/iam/) and choose **Policies**.
![\[IAM Dashboard showing resource counts, recent updates, and tools for policy management.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-9.png)
1. Choose **Create policy**.
![\[IAM Policies page with options to search, filter, and create a new policy.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-10.png)
1. Select the **JSON** tab.
![\[Policy editor interface showing JSON structure for specifying permissions in IAM.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-11.png)
1. Delete the default JSON text so that the form is empty.
1. Paste in the bucket access policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucketname"
]
},
{
"Action": [
"s3:PutObject",
"s3:GetBucketAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucketname/*"
]
}
]
}
```
------
![\[IAM policy editor interface showing JSON code for S3 bucket permissions.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-12.png)
1. Select **Next**.
1. On the **Review and create** page, do the following:
1. In **Policy details**, enter a **Policy name** and optional **Description**.
1. Leave the **Permissions defined in this policy** section as is.
1. In **Add tags — *optional*, you can choose to add tags to keep track of your resources.**.
1. Choose **Create policy**.
![\[Policy creation interface showing policy details, permissions, and tags sections.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-13.png)
## Step 3: Create the role
1. Open the [ IAM console](https://console.aws.amazon.com/iam/) and choose **Roles**.
![\[IAM Dashboard showing resource counts, recent updates, and available tools.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-14.png)
1. Choose **Create role**.
![\[IAM roles interface showing 116 roles and a prominent "Create role" button.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-15.png)
1. On the **Select trusted entity**, in **Trusted entity type**, choose **AWS account**.
1. In **An AWS account**, choose **This account**. You can customize additional setting using **Options**.
1. Choose **Next**.
![\[AWS account selection interface with trusted entity types and account options.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-16.png)
1. In **Add permissions**, for **Permissions policies**, search for the policy you just created in the search box, and select your policy.
![\[Add permissions interface showing search for "monitron-policy" with one matching result selected.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-17.png)
1. On the **Name, review, and create** page do the following:
1. In **Role details** enter a **Role name** and optional **Description**.
1. You can choose to ignore **Step 1: Select trusted entities** and **Step 2: Add permisions**.
1. For **Step 3: Add tags**, for **Add tags — *optional***, add optional tags to keep track of your resources.
1. Choose **Create role**.
![\[Form for creating a new role with fields for role name, description, trust policy, and permissions.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-18.png)
## Step 4: Create the trust policy
1. Search for the role you just created and choose the role.
![\[IAM Roles page showing search results for "monitron-role" with one matching role listed.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-19.png)
1. Select the **Trust relationships** tab.
![\[IAM role details page showing Trust relationships tab and Edit trust policy button.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-20.png)
1. Choose **Edit trust relationship**.
![\[Trust relationships tab with Edit trust relationship button highlighted.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/gdpr-edit-trust-relationship.png)
1. Erase the default JSON text so that the form is empty.
1. Paste in the policy that allows Amazon Monitron to assume the role.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["monitron.amazonaws.com"]
},
"Action": "sts:AssumeRole"
}]
}
```
------
![\[Form for creating a new role with fields for role name, description, trust policy, and permissions.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-18.png)
1. Choose **Update Trust Policy**.
## Step 5: Create the support case
1. From your AWS console, choose the question mark icon near the upper right corner of any page, then choose **Support Center**.
![\[AWS console interface showing IAM dashboard with Support Center dropdown menu highlighted.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/gdpr-support-question-mark.png)
1. On the next page, choose **Create case**.
![\[Support Center interface with Quick solutions, Active cases, and Create case button.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-4.png)
1. On the **How can we help?** page, do the following:
1. Choose **Account and billing support**.
1. Under **Service**, choose **Account**.
1. Under **Category**, choose **Compliance & Accreditations**.
1. Choose **Severity**, if that option is available to you based on your support subscription.
1. Choose **Next step: Additional information**.
![\[Support case form with Account and billing selected, and service details specified.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-5.png)
1. In **Additional information** do the following:
1. Under **Subject**, enter **Amazon Monitron data export request**.
1. In the **Description** field, enter:
1. your account ID
1. the region of the bucket you created
1. the ARN of the bucket you created (for example: "arn:aws:s3:::bucketname")
1. the ARN of the role you created (for example: "arn:aws:iam::273771705212:role/role-for-monitron")
![\[Form for Amazon Monitron data export request with fields for account and bucket details.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-6.png)
1. Choose **Next step: Solve now or contact us**.
1. In **Solve now or contact us** do the following:
1. In **Solve now**, select **Next**.
![\[Support options interface with "Solve now" and "Contact us" buttons, and recommendations.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-7.png)
1. In **Contact us**, choose your **Preferred contact language** and preferred method of contact.
1. Choose **Submit**. A confirmation screen with your case ID and details will be displayed.
![\[Contact options with language selection and choices for Web, Phone, or Chat communication.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-8.png)
An AWS customer support specialist will get back to you as soon as possible. If there are any issues with the steps listed, the specialist may ask you for more information. If all the necessary information has been provided, the specialist will let you know as soon as your data has been copied to the Amazon S3 bucket that you created above.
# Exporting your data with CloudShell
**Topics**
+ [Step 1: Creating an Amazon S3 bucket (with AWS CloudShell)](#create-s3-with-shell)
+ [Step 2: Granting Amazon Monitron access to your Amazon S3 bucket (with AWS CloudShell)](#create-policy-with-shell)
+ [Step 3: Creating your support ticket](#create-support-ticket)
## Step 1: Creating an Amazon S3 bucket (with AWS CloudShell)
1. Log in to the AWS Console.
1. Open AWS CloudShell
[AWS CloudShell](https://docs.aws.amazon.com//cloudshell/latest/userguide/welcome.html) is a command-line environment that operates inside your browser. Inside AWS CloudShell, you can use the AWS Command Line Interface to launch and configure many AWS services.
1. In AWS CloudShell, enter the following command, where bucketname is the name of the bucket you are creating:
```
$ aws s3api create-bucket --bucket bucketname --region us-east-1
```
This command creates an Amazon S3 bucket to store your raw data. You will be able to easily access your bucket from the console, and download your data at your convenience. For more information, see [Creating, configuring, and working with Amazon S3 buckets](https://docs.aws.amazon.com//AmazonS3/latest/userguide/creating-buckets-s3.html).
**Important**
You are responsible for taking the appropriate steps to secure your data. We strongly recommend using server-side encryption and blocking public access to your bucket.
In the command above, the bucket is created in the US East (N. Virginia) Region. You can optionally specify a different Region in the request body. For more information, see [Regions, Availability Zones, and Local Zones](https://docs.aws.amazon.com//AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html).
You should see output that looks something like this:
```
{ "Location": "/bucketname" }
```
1. Identify the [Amazon Resource Name (ARN)](https://docs.aws.amazon.com//general/latest/gr/aws-arns-and-namespaces.html) of the bucket you created, which will be:
```
arn:aws:s3:::bucketname
```
## Step 2: Granting Amazon Monitron access to your Amazon S3 bucket (with AWS CloudShell)
1. Paste the code below into a text editor, and save it as: monitron-assumes-role.json. Do not use Microsoft Word, which will add extra characters. Use a simple text editor like Notepad or TextEdit.
This policy gives Amazon Monitron permission to assume the role that will allow it to access your S3 bucket. For more information, see [ Policies and permissions in IAM.](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies.html)
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": ["monitron.amazonaws.com"]
},
"Action": "sts:AssumeRole"
}]
}
```
------
1. Paste the text below into a text editor, and save it as: monitron-role-accesses-s3.json
This policy will allow Amazon Monitron (using the role created above) to access your Amazon S3 bucket.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucketname"
]
},
{
"Action": [
"s3:PutObject",
"s3:GetBucketAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucketname/*"
]
}
]
}
```
------
1. In the text file you just created, replace every occurrence of *bucketname* with the name of your bucket.
For example, if the name of your bucket is relentless, then your file will look like this:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::relentless"
]
},
{
"Action": [
"s3:PutObject",
"s3:GetBucketAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::relentless/*"
]
}
]
}
```
------
1. Upload both of the json files that you just created to CloudShell in the home directory.
To upload a file, choose Actions from the upper right hand corner of the CloudShell console page, then choose Upload file.
1. Enter the following on the command line in CloudShell:
**aws iam create-role --role-name role-for-monitron --assume-role-policy-document "cat monitron-assumes-role.json"**
This command creates the role and attaches the monitron-assumes-role policy.
You should see output that looks something like this:
```
{
"Role": {
"Path": "/",
"RoleName": "role-for-monitron",
"RoleId": "AROAT7PQQWN6BMTMASVPP",
"Arn": "arn:aws:iam::273771705212:role/role-for-monitron",
"CreateDate": "2021-07-14T02:48:15+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"monitron.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}]
}
}
}
```
Take note of the ARN value for the role you just created. You will need it later.
In our example, the ARN value is: `arn:aws:iam::273771705212:role/role-for-monitron`
1. Enter the following on the command line in CloudShell:
** aws iam create-policy --policy-name role-uses-bucket --policy-document "cat role-uses-bucket.json"**
This command creates the monitron-role-accesses-s3 policy.
You should see output that looks something like this:
```
{
"Policy": {
"PolicyName": "role-uses-bucket",
"PolicyId": "ANPAT7PQQWN6I5KLORSDQ",
"Arn": "arn:aws:iam::273771705212:policy/role-uses-bucket",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2021-07-14T02:19:23+00:00",
"UpdateDate": "2021-07-14T02:19:23+00:00"
}
}
```
Take note of the ARN value for the policy that you just created. You will need it for the next step.
In our example, the ARN value is:
```
arn:aws:iam::273771705212:policy/role-uses-bucket
```
1. Enter the following on the command line in CloudShell, replacing the ARN with the ARN for your role-uses-bucket policy:
```
aws iam attach-role-policy --role-name role-for-monitron --policy-arn
arn:aws:iam::273771705212:policy/role-uses-bucket
```
This command attaches the monitron-role-accesses-s3 policy to the role you just created.
Now you have created and provisioned an Amazon S3 bucket, a role that Amazon Monitron can assume, a policy that will allow Amazon Monitron to assume that role, and another policy that will allow the service using that role to use your Amazon S3 bucket.
You are responsible for taking the appropriate steps to secure your data. We strongly recommend using server-side encryption and blocking public access to your bucket. For more information, see [ Blocking public access](https://docs.aws.amazon.com//AmazonS3/latest/userguide/access-control-block-public-access.html).
## Step 3: Creating your support ticket
1. From your AWS console, choose the question mark icon near the upper right corner of any page, then choose **Support Center**.
![\[AWS console interface showing IAM dashboard with Support Center dropdown menu highlighted.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/gdpr-support-question-mark.png)
1. On the next page, choose **Create case**.
![\[Support Center interface with Quick solutions, Active cases, and Create case button.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-4.png)
1. On the **How can we help?** page, do the following:
1. Choose **Account and billing support**.
1. Under **Service**, choose **Account**.
1. Under **Category**, choose **Compliance & Accreditations**.
1. Choose **Severity**, if that option is available to you based on your support subscription.
1. Choose **Next step: Additional information**.
![\[Support case form with Account and billing selected, and service details specified.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-5.png)
1. In **Additional information** do the following:
1. Under **Subject**, enter **Amazon Monitron data export request**.
1. In the **Description** field, enter:
1. your account ID
1. the region of the bucket you created
1. the ARN of the bucket you created (for example: "arn:aws:s3:::bucketname")
1. the ARN of the role you created (for example: "arn:aws:iam::273771705212:role/role-for-monitron")
![\[Form for Amazon Monitron data export request with fields for account and bucket details.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-6.png)
1. Choose **Next step: Solve now or contact us**.
1. In **Solve now or contact us** do the following:
1. In **Solve now**, select **Next**.
![\[Support options interface with "Solve now" and "Contact us" buttons, and recommendations.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-7.png)
1. In **Contact us**, choose your **Preferred contact language** and preferred method of contact.
1. Choose **Submit**. A confirmation screen with your case ID and details will be displayed.
![\[Contact options with language selection and choices for Web, Phone, or Chat communication.\]](http://docs.aws.amazon.com/Monitron/latest/user-guide/images/s3-export-8.png)
An AWS customer support specialist will get back to you as soon as possible. If there are any issues with the steps listed, the specialist may ask you for more information. If all the necessary information has been provided, the specialist will let you know as soon as your data has been copied to the Amazon S3 bucket that you created above.