Strata Cloud Manager

Using AWS KMS

Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
Create a public S3 storage bucket to store files scanned by the
Enterprise DLP
cloud service.
Log in to the Amazon AWS console.
Select
Services
Storage
S3
Buckets
and
Create bucket
.
Enter a descriptive
Bucket name
.
Select the
AWS Region
for the S3 storage bucket.
In the
Default encryption
section, select
AWS Key Management Service (SSE-KMS)
as the
Encryption key type
.
To specify the
AWS KMS key
, you can
Choose from your AWS KMS keys
or you can
Enter AWS key ARN
.
You can
Create a KMS Key
if one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key.

Create bucket
.
Obtain the ARN for the S3 storage bucket.
After creating the S3 storage bucket, you're redirected back to the
Buckets
page. Search for and click the storage bucket you created.
Click
Properties
. The storage bucket ARN is displayed in the
Bucket overview
.
Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
Log in to

Strata Cloud Manager

.

Select

Manage

Configuration

Data Loss Prevention

Settings

Sensitive Data

.

In

Evidence Storage

, select

Configure Bucket

AWS

as the Public Storage Bucket.

Toggle

KMS Enabled

enable an S3 storage bucket using AWS KMS.

In

Instructions - AWS

, locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.

The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.

Leave the

Configure Bucket for Evidence Storage

display open and continue to create the IAM role for the S3 storage bucket in a separate browser window.


Create the IAM role for the S3 storage bucket.
This role is required to allow the DLP cloud service to write to the S3 storage bucket.
Log in to the Amazon AWS console.
Select
Services
Security, Identity, and Compliance
IAM
Access management
Roles
and
Create role
.
Select
Custom trust policy
.
For the
Trusted entity type
, select
Custom trust policy
.
Return to
Strata Cloud Manager
and copy the trust relationship JSON.
In the Amazon AWS console, paste the trust relationship JSON into the
Custom trust policy
to configure the trust policy.

Click
Next
.
In
Add permissions
, select
Create policy
JSON
.
A new window is automatically opened in your browser to create the new access policy.
Return to
Strata Cloud Manager
and copy the access policy JSON.
In the Amazon AWS console, paste the access policy JSON into the
Policy editor
.
Add the bucket ARN for the S3 storage bucket you created.
Throughout the JSON, you must replace all instances of
bucket_name_to_be_replaced
with the S3 storage bucket ARN you created.

Add the AWS KMS key ARN.
The AWS KMS ARN you add here must be the same AWS KMS Key ARN you provided when you created the S3 storage bucket.

Click
Next
.
Enter a
Policy name
and
Create policy
.
Return to the browser window where you're creating the IAM role,
Search for and select the access policy you created.

Click
Next
.
Enter a descriptive
Role name
for the IAM role.
Review the IAM role trust relationship and access policy.
Create role
.
Configure the S3 storage bucket for evidence file storage.
Log in to

Strata Cloud Manager

.

Access to evidence storage settings and files on

Strata Cloud Manager

is allowed only for an account administrator or app administrator role with

Enterprise DLP

read and write privileges. This is to ensure that only the appropriate users have access to report data and evidence.

Select

Manage

Configuration

Security Services

Data Loss Prevention

Settings

Sensitive Data

and select

AWS

as the Public Cloud Storage Bucket.

Select

Input Bucket Details

.

Enter the

S3 Bucket Name

of the bucket you created.

The name you enter in

Strata Cloud Manager

must match the name of the S3 storage bucket on AWS.

Enter the

Role ARN

for the IAM role you created.

The IAM Role ARN can be found in the IAM role

Permissions

. The role ARN is displayed in the

Summary

.

Select the AWS

Region

where the bucket is located.



Select

Connect

to verify the connections status your S3 storage bucket.

Select

Save

if

Enterprise DLP

can successfully connect your bucket. A

Palo_Alto_Networks_DLP_Connection_Test.txt

file is uploaded to your storage bucket by the DLP cloud service to verify connectivity.



If

Enterprise DLP

can't successfully connect your bucket, select

Previous

and edit the bucket connection settings.

In the

Evidence Storage

settings, enable

Sensitive Files

to enable storage of sensitive files in the S3 storage bucket.


Download Files for Evidence Analysis.