Scan a Single Amazon S3 Account

Before Aperture can scan an Amazon S3 app, you must create an AWS IAM policy and user for it and, if you do not already have one, a CloudTrail trail with an S3 bucket in which CloudTrail logs the events that occur in your Amazon S3 buckets.
To configure the Amazon S3 app to scan a single AWS account:
  1. Log in to your AWS Console aws.amazon.com.
  2. Select Services > Security, Identity & Compliance > IAM.
  3. Configure the Aperture policy. Aperture attaches this policy to the IAM user it connects with, and the policy defines what it may read and change in your account.
    1. Select Policies > Create policy and then select Create Your Own Policy.
    2. Enter the Policy Name as aperture-s3-policy and provide an optional description of the policy.
    3. Copy and paste the following configuration into the Policy Document section:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:Get*",
                      "s3:List*",
                      "s3:Put*",
                      "s3:Delete*",
                      "s3:CreateBucket",
                      "iam:GetUser",
                      "iam:GetRole",
                      "iam:GetUserPolicy",
                      "iam:ListUsers",
                      "cloudtrail:GetTrailStatus",
                      "cloudtrail:DescribeTrails",
                      "cloudtrail:LookupEvents",
                      "cloudtrail:ListTags",
                      "cloudtrail:ListPublicKeys",
                      "cloudtrail:GetEventSelectors",
                      "ec2:DescribeVpcEndpoints",
                      "ec2:DescribeVpcs",
                      "config:Get*",
                      "config:Describe*",
                      "config:Deliver*",
                      "config:List*"
                  ],
                  "Resource": "*"
              }
          ]
      }
    4. Click Create Policy. Note that this policy grants s3:Put*, s3:Delete* and s3:CreateBucket on Resource "*", that is, write and delete access to every bucket in the account, so the access keys you create in the next step must be protected as highly privileged credentials.
  4. Configure the IAM user whose credentials Aperture will use to access your account:
    1. Select Users > Add user.
    2. Enter the user name as aperture-s3-user.
    3. Select Programmatic access as the access type. This generates the access key ID and secret access key that Aperture uses to call the Amazon S3 service.
    4. Select Next: Permissions.
    5. Select Attach existing policies directly.
    6. Search for and select the check box next to the aperture-s3-policy you created in the previous step.
    7. Click Next: Review, then Create User.
      Note your Access key ID and Secret access key. The secret access key is displayed only at this point, so store it securely; if you lose it you must generate a new key pair.
    8. Click Close.
  5. If you have not already done so, configure CloudTrail logging. CloudTrail records the management and data events for your S3 buckets in a CloudTrail bucket of your choice, and Aperture reads those logs to detect activity in the scanned buckets.
    1. Click your username at the top right and copy the Account number. You will need this AWS account ID later in this procedure.
    2. Select Services > Management Tools > CloudTrail > Trails > Add new trail.
    3. Enter the Trail name aperture-s3-trail.
    4. Set Apply trail to all Regions to Yes.
    5. In the Data events area, enter the name of each bucket that you want Aperture to scan; the interface offers auto-completion as you type, and you repeat the step for each additional bucket. Alternatively, choose Select all S3 buckets in your account to let Aperture scan all of your S3 buckets.
    6. In the Storage location area, enter the S3 bucket name aperture-s3-<AWS account ID> to create a new bucket in which CloudTrail will store the management and data event logs.
      Take note of the S3 bucket (CloudTrail bucket name) and region.
    7. Click Create.
  6. You can now Add the Amazon S3 App to Aperture.
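The same IAM policy and CloudTrail configuration can be produced as JSON and applied with the AWS CLI instead of the console. The following script is an added example, not Aperture's own code or an official Palo Alto Networks tool. It reproduces the page's aperture-s3-policy, builds an optional variant that restricts the S3 read/write actions to the buckets you actually select for data-event logging (the action list is unchanged; only the Resource is narrowed, which is an assumption that your deployment works with a fixed bucket list), flags any Allow action that can change state and is granted on every resource, and generates the two things the console does for you silently when it creates the trail bucket: the bucket policy that CloudTrail requires before it will write to aperture-s3-<AWS account ID>, and the event selectors that correspond to the Data events step. The account ID and bucket names in the block are constructed sample values.

```python
"""Build the IAM and CloudTrail JSON documents for the single-account setup.

Added example, not Aperture's own code. Standard library only. The JSON it
prints is meant for the AWS CLI, e.g.
  aws iam create-policy --policy-name aperture-s3-policy --policy-document file://policy.json
  aws s3api put-bucket-policy --bucket <trail bucket> --policy file://bucket-policy.json
  aws cloudtrail put-event-selectors --trail-name aperture-s3-trail --event-selectors file://selectors.json
"""
import json
import re

# Actions exactly as listed in the page's aperture-s3-policy, split by service
# so that the S3 data-plane part can be scoped to named buckets.
S3_DATA_ACTIONS = ["s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*"]
S3_ACCOUNT_ACTIONS = ["s3:CreateBucket"]
OTHER_ACTIONS = [
    "iam:GetUser", "iam:GetRole", "iam:GetUserPolicy", "iam:ListUsers",
    "cloudtrail:GetTrailStatus", "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents",
    "cloudtrail:ListTags", "cloudtrail:ListPublicKeys", "cloudtrail:GetEventSelectors",
    "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs",
    "config:Get*", "config:Describe*", "config:Deliver*", "config:List*",
]


def page_policy():
    """The policy as the page gives it: every action allowed on Resource "*"."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": S3_DATA_ACTIONS + S3_ACCOUNT_ACTIONS + OTHER_ACTIONS,
        "Resource": "*",
    }]}


def scoped_policy(buckets):
    """Same action list, but the S3 bucket/object actions are limited to the
    named buckets (the ones you also select for data-event logging).
    s3:ListAllMyBuckets must be granted on "*", and the bucket that
    s3:CreateBucket would create is not known in advance, so those stay in a
    second, wildcard statement together with the non-S3 actions."""
    arns = [f"arn:aws:s3:::{b}" for b in buckets] + [f"arn:aws:s3:::{b}/*" for b in buckets]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": S3_DATA_ACTIONS, "Resource": arns},
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets"] + S3_ACCOUNT_ACTIONS + OTHER_ACTIONS,
         "Resource": "*"},
    ]}


def wildcard_write_actions(policy):
    """Pre-flight check: return the Allow actions that can change state
    (Put/Delete/Create verbs or a bare '*') and are granted on every resource."""
    mutating = ("Put", "Delete", "Create")
    found = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "*" not in resources:
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for action in actions:
            verb = action.split(":", 1)[-1]
            if verb == "*" or verb.startswith(mutating):
                found.append(action)
    return found


def trail_bucket_name(account_id):
    """Bucket name following the page's convention, aperture-s3-<AWS account ID>."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    return f"aperture-s3-{account_id}"


def cloudtrail_bucket_policy(bucket, account_id):
    """Bucket policy CloudTrail requires before it will deliver logs. The
    console attaches it when it creates the bucket for you; with the CLI you
    attach it yourself. PutObject is pinned to this account's AWSLogs prefix
    so a trail in another account cannot write into the bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ]}


def event_selectors(buckets=None):
    """Event selectors equivalent to the page's Data events step: management
    events plus S3 object-level events for the named buckets, or for every
    bucket in the account (prefix 'arn:aws:s3') when no list is given."""
    values = [f"arn:aws:s3:::{b}/" for b in buckets] if buckets else ["arn:aws:s3"]
    return [{"ReadWriteType": "All", "IncludeManagementEvents": True,
             "DataResources": [{"Type": "AWS::S3::Object", "Values": values}]}]


if __name__ == "__main__":
    account, buckets = "123456789012", ["finance-reports", "hr-exports"]  # constructed sample values
    print("wildcard writes in page policy:  ", wildcard_write_actions(page_policy()))
    print("wildcard writes in scoped policy:", wildcard_write_actions(scoped_policy(buckets)))
    print(json.dumps(scoped_policy(buckets), indent=2))
    print(json.dumps(cloudtrail_bucket_policy(trail_bucket_name(account), account), indent=2))
    print(json.dumps(event_selectors(buckets), indent=2))
```

Run without arguments to print the documents, then redirect each one to a file for the CLI commands in the module docstring. The check reports s3:Put*, s3:Delete* and s3:CreateBucket for the page's policy and only s3:CreateBucket for the scoped variant, which is the residual wildcard write you should consciously accept or drop. If you use the scoped policy, the bucket list must match what you select for data events, or Aperture will see CloudTrail events for buckets it cannot read. AWS additionally recommends an aws:SourceArn condition naming the trail on the AWSCloudTrailWrite statement; it is omitted here because the trail ARN is not known until the trail exists.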
