Cross Account Scan Multiple Amazon S3 Accounts

Learn how Data Security scans S3 buckets for multiple AWS accounts.
To scan S3 buckets across multiple AWS accounts, you configure an IAM policy, user, and CloudTrail trail on the primary account, then a role, policy, and trail on each secondary account, before you add the Amazon S3 app to Data Security. The primary account is the account in which all CloudTrail logs are stored; every other account is a secondary account. The primary-account user assumes a role in each secondary account, so the user policy (which roles it may assume), each role's trust policy (who may assume it), and the CloudTrail bucket policy (which accounts may write logs) must all reference the same account IDs.
  1. Configure CloudTrail logging on the primary account.
    1. Log in to your AWS Console aws.amazon.com.
    2. Select Services > CloudTrail > Trails > Create Trail.
    3. Enter the Trail name prisma-saas-s3-primary-trail.
    4. Set Apply trail to all regions to Yes.
    5. In Data events, specify which S3 buckets in your primary account you want Data Security to scan:
      • All S3 buckets—Enables you to include current and future buckets without maintenance. With this option, you can exclude buckets later in the SaaS Security web interface.
      • Individual buckets—Operates as an allow list and requires ongoing maintenance.
    6. In the Storage location area, create a bucket in which CloudTrail will store management and data event logs; enter the S3 bucket name as prisma-saas-s3-<AWS account ID>.
      You can also use an existing bucket for the log storage location, if one exists.
  2. Configure a user in the primary account that will access each of the secondary accounts.
    1. Select Services > IAM.
    2. Select Users > Add user.
    3. Enter the user name as prisma-saas-s3-user.
    4. Select Programmatic access to generate an access key ID and secret access key that Data Security uses to access the Amazon S3 service.
    5. Select Next: Permissions.
    6. Create a user policy.
      1. Select Attach existing policies directly > Create Policy. A new window opens. You will attach this policy to the user account that authorizes Data Security to scan the Amazon S3 accounts.
      2. Click the JSON tab and copy and paste the following configuration into the Policy Document section:
      {
       "Version": "2012-10-17",
       "Statement": [
        {
         "Effect": "Allow",
         "Action": [
          "s3:Get*",
          "s3:List*",
          "s3:Put*",
          "s3:Delete*",
          "s3:CreateBucket",
          "iam:GetUser",
          "iam:GetRole",
          "iam:GetUserPolicy",
          "iam:ListUsers",
          "cloudtrail:GetTrailStatus",
          "cloudtrail:DescribeTrails",
          "cloudtrail:LookupEvents",
          "cloudtrail:ListTags",
          "cloudtrail:ListPublicKeys",
          "cloudtrail:GetEventSelectors",
          "ec2:DescribeVpcEndpoints",
          "ec2:DescribeVpcs",
          "config:Get*",
          "config:Describe*",
          "config:Deliver*",
          "config:List*"
         ],
         "Resource": "*"
        },
        {
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::111111111:role/prisma-saas-s3-cross-account-access-role"
        },
        {
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::222222222:role/prisma-saas-s3-cross-account-access-role"
        },
        {
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::333333333:role/prisma-saas-s3-cross-account-access-role"
        }
       ]
      }
      This policy document references three placeholder secondary accounts, 111111111, 222222222, and 333333333. Edit the policy to use the 12-digit account ID of each of your secondary accounts, adding or removing sts:AssumeRole statements so that there is exactly one per secondary account. The first statement grants this user read, write, and delete access to every bucket in the primary account (Resource is *); the sts:AssumeRole statements are what limit which secondary accounts the user can reach, so keep them scoped to the named role ARNs rather than a wildcard.
    7. Click Review Policy and enter the Policy Name as prisma-saas-s3-primary-policy and provide an optional description of the policy.
    8. Click Create Policy.
    9. In the first window, refresh the policy list, select prisma-saas-s3-primary-policy, and click Next: Review and then Create User.
      Note the Access key ID and Secret access key for the user; the secret access key is displayed only at creation time. You will need these values later in this setup. Store them in a secrets manager rather than in plain-text notes, because they carry the full S3 access granted by the policy above.
    10. Click Close.
  3. Configure the CloudTrail bucket in the primary account to give CloudTrail service access to each secondary account prefix.
    1. Log in to your AWS Console aws.amazon.com.
    2. Select ServicesS3.
    3. Select the CloudTrail S3 bucket you just created, for example prisma-saas-s3-[aws account id].
    4. Select Permissions > Bucket Policy.
    5. Verify that the bucket policy has a statement that allows the CloudTrail service (cloudtrail.amazonaws.com) the action s3:PutObject on the primary account prefix, for example "Resource": "arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/[aws account id]/*".
    6. Modify this Resource entry to add the AWSLogs prefix for each secondary account, similar to the following:
      "Resource": [
        "arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/[aws account id]/*",
        "arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/111111111/*",
        "arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/222222222/*",
        "arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/333333333/*"
      ],
      Each secondary account's trail (step 5) writes only under its own AWSLogs/<account ID>/ prefix, so list one prefix per secondary account and leave the rest of the statement, including its Condition, unchanged.
    7. Save the modified bucket policy.
  4. Configure a role and an associated policy on each secondary account.
    1. Log in to the AWS Console (aws.amazon.com) for the secondary account.
    2. Configure an IAM role by selecting IAM > Roles > Create Role.
    3. Select Another AWS account as the type of trusted entity.
    4. Enter the AWS account ID of your primary account in Specify accounts that can use this role. Leave the other options unchecked and select Next: Permissions. This makes the primary account the trusted principal: any identity in the primary account that is itself allowed sts:AssumeRole on this role can assume it, which is why the user policy in step 2 names the role ARN explicitly.
    5. Click Create Policy. A new window opens.
    6. Click the JSON tab and copy and paste the following configuration into the Policy Document section:
      	{
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:Get*",
                      "s3:List*",
                      "s3:Put*",
                      "s3:Delete*",
                      "s3:CreateBucket",
                      "iam:GetUser",
                      "iam:GetRole",
                      "iam:GetUserPolicy",
                      "iam:ListUsers",
                      "cloudtrail:GetTrailStatus",
                      "cloudtrail:DescribeTrails",
                      "cloudtrail:LookupEvents",
                      "cloudtrail:ListTags",
                      "cloudtrail:ListPublicKeys",
                      "cloudtrail:GetEventSelectors",
                      "ec2:DescribeVpcEndpoints",
                      "ec2:DescribeVpcs",
                      "config:Get*",
                      "config:Describe*",
                      "config:Deliver*",
                      "config:List*"
                  ],
                  "Resource": "*"
              }
          ]
      }
    7. Click Review Policy and enter the Policy Name as prisma-saas-s3-secondary-policy and provide an optional description of the policy.
    8. Click Create Policy.
    9. Refresh the policy window and select prisma-saas-s3-secondary-policy.
    10. Select Next: Review and enter the Role name prisma-saas-s3-cross-account-access-role. The name must match exactly the role name used in the sts:AssumeRole resource ARNs of the primary user policy; a mismatch fails only at scan time with an access-denied error.
    11. Before creating the role, verify the following:
      1. Trusted entities contains the primary account ID.
      2. prisma-saas-s3-secondary-policy displays in Policies.
      3. When verification is complete, click Create Role.
    12. Select the role you just created and copy the role ARN (for example arn:aws:iam::222222222:role/prisma-saas-s3-cross-account-access-role). You will need the role ARN later in this procedure.
  5. Configure CloudTrail on each secondary account to associate with the primary account.
    1. Select Services > CloudTrail > Trails > Create trail.
    2. Enter the Trail name prisma-saas-s3-secondary-trail.
    3. Set Apply trail to all regions to Yes.
    4. In Data events, specify which S3 buckets in your secondary account you want Data Security to scan:
      • All S3 buckets—Enables you to include current and future buckets without maintenance. With this option, you can exclude buckets later in the SaaS Security web interface.
      • Individual buckets—Operates as an allow list and requires ongoing maintenance.
    5. In the Storage location area, enter the name of the CloudTrail bucket in the primary account (for example prisma-saas-s3-<primary AWS account ID>) as the bucket in which CloudTrail stores management and data event logs for this account, and click Create. If the primary account's bucket policy does not yet include this account's AWSLogs/<account ID>/ prefix (step 3), CloudTrail rejects the trail with a bucket policy error, so complete step 3 for every secondary account first.
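The procedure above asks you to hand-edit the same account IDs into three places: the sts:AssumeRole statements of the primary user policy (step 2), the Resource list of the CloudTrail bucket policy (step 3), and the trust policy of each secondary role (step 4). The script below is an added example, not code from the page or from Palo Alto Networks, that generates all of those documents from one list of account IDs so they cannot drift apart. The action list is copied from the page; the AWSCloudTrailAclCheck statement and the bucket-owner-full-control condition are the standard statements the CloudTrail console writes into a new log bucket (the page shows only the Resource list of the PutObject statement); the 12-digit account IDs and the scope_to_user option are this example's own assumptions. Real AWS account IDs are 12 digits, so the 9-digit placeholders on the page are rejected by the validator.

```python
"""Generate the IAM and S3 policy documents for cross-account CloudTrail/S3 scanning.

Added example for the procedure above; not the vendor's code.
"""
import json
import re

ROLE_NAME = "prisma-saas-s3-cross-account-access-role"
USER_NAME = "prisma-saas-s3-user"

# Action list copied from the page's primary user policy and secondary role policy.
SCAN_ACTIONS = [
    "s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*", "s3:CreateBucket",
    "iam:GetUser", "iam:GetRole", "iam:GetUserPolicy", "iam:ListUsers",
    "cloudtrail:GetTrailStatus", "cloudtrail:DescribeTrails",
    "cloudtrail:LookupEvents", "cloudtrail:ListTags",
    "cloudtrail:ListPublicKeys", "cloudtrail:GetEventSelectors",
    "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs",
    "config:Get*", "config:Describe*", "config:Deliver*", "config:List*",
]
ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")


def validate_account_ids(primary, secondaries):
    """AWS account IDs are exactly 12 digits; keep them as strings so a leading
    zero is not silently dropped. A duplicate would yield duplicate IAM
    statements and is almost always a copy-paste mistake."""
    ids = [primary, *secondaries]
    for acct in ids:
        if not isinstance(acct, str) or not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"invalid AWS account ID {acct!r}: expected 12 digits")
    if len(set(ids)) != len(ids):
        raise ValueError("primary/secondary account list contains a duplicate")


def role_arn(account_id):
    return f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"


def primary_user_policy(secondaries):
    """Policy for the primary-account user: the scan actions plus one
    sts:AssumeRole statement per secondary role, as laid out on the page."""
    statements = [{"Effect": "Allow", "Action": SCAN_ACTIONS, "Resource": "*"}]
    for acct in secondaries:
        statements.append({"Sid": f"AssumeRole{acct}", "Effect": "Allow",
                           "Action": "sts:AssumeRole", "Resource": role_arn(acct)})
    return {"Version": "2012-10-17", "Statement": statements}


def cloudtrail_log_prefixes(bucket, primary, secondaries):
    """Object ARNs CloudTrail writes to: one AWSLogs/<account>/ prefix per account."""
    return [f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*" for acct in [primary, *secondaries]]


def cloudtrail_bucket_policy(bucket, primary, secondaries):
    """Bucket policy for the shared CloudTrail bucket (step 3). The ACL-check
    statement and the x-amz-acl condition are what the CloudTrail console
    generates; only the Resource list changes per secondary account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": cloudtrail_log_prefixes(bucket, primary, secondaries),
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ]}


def secondary_role_trust_policy(primary, scope_to_user=False):
    """Trust policy the console writes for 'Another AWS account': the principal
    is the primary account root (any identity there that is allowed
    sts:AssumeRole). scope_to_user=True narrows it to the scanning user only,
    tighter than the page but sufficient for this setup (example's own option)."""
    principal = (f"arn:aws:iam::{primary}:user/{USER_NAME}" if scope_to_user
                 else f"arn:aws:iam::{primary}:root")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}]}


def secondary_role_policy():
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": SCAN_ACTIONS, "Resource": "*"}]}


def build_all(primary, secondaries, bucket=None, scope_to_user=False):
    """Validate the inputs and return every document the procedure needs, keyed by name."""
    validate_account_ids(primary, secondaries)
    bucket = bucket or f"prisma-saas-s3-{primary}"
    return {
        "prisma-saas-s3-primary-policy": primary_user_policy(secondaries),
        "cloudtrail-bucket-policy": cloudtrail_bucket_policy(bucket, primary, secondaries),
        "prisma-saas-s3-secondary-policy": secondary_role_policy(),
        f"{ROLE_NAME}-trust-policy": secondary_role_trust_policy(primary, scope_to_user),
    }


if __name__ == "__main__":
    # Constructed placeholder IDs; substitute your own 12-digit account numbers.
    docs = build_all("111111111111", ["222222222222", "333333333333"])
    for name, doc in docs.items():
        print(f"# {name}\n{json.dumps(doc, indent=2)}\n")
```

Paste each printed document into the matching console step. After the setup, you can confirm the chain end to end from the primary user's credentials with the AWS CLI: aws sts assume-role --role-arn <secondary role ARN> --role-session-name check should return temporary credentials, and aws cloudtrail get-trail-status --name prisma-saas-s3-secondary-trail run in each secondary account should report IsLogging true with no LatestDeliveryError, which is the symptom of a missing prefix in the bucket policy.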