Scan a Single Amazon S3 Account

Learn how Data Security scans S3 buckets for a single AWS account.
To enable scanning of S3 buckets for a single AWS account, you must create an IAM policy and IAM user and configure CloudTrail logging before you can add the Amazon S3 app to Data Security. Alternatively, you can Cross Account Scan Multiple Amazon S3 Accounts.
  1. Log in to your AWS Console aws.amazon.com.
  2. Select Services > Security, Identity & Compliance > IAM.
  3. Configure the Data Security policy used to connect to the Amazon S3 app.
    1. Select Policies > Create policy and then select Create Your Own Policy.
    2. Enter the Policy Name as prisma-saas-s3-policy and provide an optional description of the policy.
    3. Copy and paste the following configuration into the Policy Document section:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:Get*",
              "s3:List*",
              "s3:Put*",
              "s3:Delete*",
              "s3:CreateBucket",
              "iam:GetUser",
              "iam:GetRole",
              "iam:GetUserPolicy",
              "iam:ListUsers",
              "cloudtrail:GetTrailStatus",
              "cloudtrail:DescribeTrails",
              "cloudtrail:LookupEvents",
              "cloudtrail:ListTags",
              "cloudtrail:ListPublicKeys",
              "cloudtrail:GetEventSelectors",
              "ec2:DescribeVpcEndpoints",
              "ec2:DescribeVpcs",
              "config:Get*",
              "config:Describe*",
              "config:Deliver*",
              "config:List*"
            ],
            "Resource": "*"
          }
        ]
      }
      Note that with "Resource": "*" this policy grants s3:Put* and s3:Delete* on every bucket in the account, not only on the buckets you intend to scan, so the access key created for it in the next step must be handled as a privileged credential.
    4. Click Create Policy.
  4. Configure the account that Data Security will use to access the Amazon S3 logs:
    1. Select UsersAdd user.
    2. Enter the user name as prisma-saas-s3-user.
    3. To generate an access key ID and secret access key for Data Security to use to access the Amazon S3 service, enable Programmatic access.
    4. Select Next: Permissions.
    5. Select Attach existing policies directly.
    6. Search for and select the check box next to the prisma-saas-s3-policy you created in the previous step.
    7. Click Next: Review, then Create User.
      Note your Access key ID and Secret access key.
    8. Click Close.
  5. Configure CloudTrail logging, if you have not already done so.
    CloudTrail records S3 management and data events to a bucket you choose; Data Security reads these logs to discover activity on the scanned buckets.
    1. Note your AWS account ID: click your username at the top right and copy the account number.
      You will need the account number later in this procedure.
    2. Select Services > Management Tools > CloudTrail > Trails > Add new trail.
    3. Enter the Trail name prisma-saas-s3-trail.
    4. Set Apply trail to all Regions to Yes.
    5. In Data events, specify which S3 buckets you want Data Security to scan:
      • Individual buckets—Operates as an allow list and requires ongoing maintenance.
    6. To create a bucket in which CloudTrail will store management and data event logs, enter the S3 bucket name as prisma-saas-s3-<AWS account ID> in the Storage location area.
      Take note of the S3 bucket (CloudTrail bucket name) and region.
    7. Click Create.
  6. Next Step: Proceed to Add Cloud Apps to Data Security.