Set Up Cloud Storage on AWS to Save Evidence

Create an S3 storage bucket on AWS to store files that match your Enterprise Data Loss Prevention (E-DLP) data profiles.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Prisma Browser
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
  Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Amazon Web Services (AWS) users can configure an S3 storage bucket to automatically upload all files that match an Enterprise Data Loss Prevention (E-DLP) data profile for Enterprise DLP.
To store your files scanned by Enterprise DLP, you must create an S3 storage bucket and an Identity and Access Management (IAM) role that allows Enterprise DLP to store files automatically. Enterprise DLP provides you with JSON data containing the required policy permissions to create the IAM role. Files uploaded to your S3 storage bucket are automatically named using a unique Report ID for each file. The Report ID is used to search for and download specific files for more in-depth investigation.
Enterprise DLP automatically sends email alerts to the data security administrator who originally connected Enterprise DLP to the S3 storage bucket and to the data security admin who last modified the storage bucket settings in case of connection issues. Enterprise DLP sends the email alert every 48 hours until you restore the connection between Enterprise DLP and the storage bucket.
Files not scanned while Enterprise DLP is disconnected from your storage bucket can’t be stored and are lost. This means that all impacted files are not available for download. However, your data security administrator can still view all snippet data associated with the DLP incident.
Enterprise DLP automatically resumes forwarding files to your storage bucket after you restore the connection.

Set up Evidence Storage on Strata Cloud Manager Using AWS

Create an S3 storage bucket on AWS to store files that match your Enterprise Data Loss Prevention (E-DLP) data profiles.
  1. Review the setup prerequisites for Enterprise DLP and enable the required ports, fully qualified domain names (FQDN), and IP addresses on your network.
  2. Create a public S3 storage bucket to store files scanned by Enterprise DLP.
    1. Select Services > Storage > S3 > Buckets and click Create bucket.
    2. Enter a descriptive Bucket name.
    3. Select the AWS Region for the S3 storage bucket.
    4. In the Default encryption section, select Amazon S3 managed keys (SSE-S3) as the Encryption key type.
    5. Click Create bucket.
    6. Obtain the ARN for the S3 storage bucket.
      After creating the S3 storage bucket, you're redirected back to the Buckets page. Search for and click the storage bucket you created.
      Click Properties. The storage bucket ARN is displayed in the Bucket overview.
  3. Obtain the trust relationship and access policy JSONs from Strata Cloud Manager.
    You need these JSONs to create the IAM role that allows Enterprise DLP to write to your S3 storage bucket.
    1. Log in to Strata Cloud Manager.
      Access to evidence storage settings and files on Strata Cloud Manager is allowed only for an account administrator or app administrator role with Enterprise DLP read and write privileges.
    2. Select Configuration > Data Loss Prevention > Settings > Sensitive Data and navigate to Evidence Storage.
    3. Select the enforcement points for which you want to enable Evidence Storage.
      You can enable evidence storage for Prisma Browser, Prisma Access, and Endpoint DLP.
    4. Select Configure Regional Bucket > AWS.
    5. In Instructions - AWS, copy the trust relationship JSON and the access policy JSON.
      The first JSON is the trust relationship and the second is the access policy. You use these JSONs in the next step to create the IAM role for the S3 storage bucket.
      Leave this browser tab open. You return here after creating the IAM role to complete the evidence storage configuration.
  4. Create the IAM role for the S3 storage bucket.
    This role allows Enterprise DLP to write evidence files to your S3 storage bucket.
    1. Select Services > Security, Identity, and Compliance > IAM > Access management > Roles and click Create role.
    2. For the Trusted entity type, select Custom trust policy.
    3. Paste the trust relationship JSON you copied from Strata Cloud Manager into the Custom trust policy editor.
    4. Click Next.
    5. In Add permissions, select Create policy > JSON.
      A new browser window opens for the policy editor.
    6. Paste the access policy JSON you copied from Strata Cloud Manager into the Policy editor.
    7. Replace all instances of bucket_name_to_be_replaced in the JSON with the S3 storage bucket ARN you obtained earlier.
    8. Click Next.
    9. Enter a Policy name and click Create policy.
    10. Return to the browser window where you're creating the IAM role.
    11. Search for and select the access policy you created.
    12. Click Next.
    13. Enter a descriptive Role name for the IAM role.
    14. Review the IAM role trust relationship and access policy.
    15. Click Create role.
  5. Configure the evidence storage connection on Strata Cloud Manager.
    Return to the Strata Cloud Manager browser tab you left open and complete the evidence storage configuration wizard.
    1. Select the Region(s) from which you want to forward evidence files to the storage bucket.
      You can associate S3 buckets in different AWS regions with your DLP regions. When DLP incidents are generated in the regions you select here, Enterprise DLP forwards the incident evidence to the storage bucket.
    2. Review the Instructions - AWS and click Next.
    3. In Input Bucket Details, enter the S3 Bucket Name of the bucket you created.
      The name you enter here must match the name of the S3 storage bucket on AWS.
    4. Enter the Role ARN for the IAM role you created.
      The IAM Role ARN is displayed in the Summary of the IAM role Permissions on the Amazon AWS console.
    5. Select the AWS Region where the bucket is located.
      This region corresponds to where you deployed your AWS storage bucket, not the DLP region where incidents are generated.
    6. Click Connect to connect Enterprise DLP to your S3 storage bucket.
    7. Review the Connection Status to verify Enterprise DLP successfully connected to your S3 storage bucket.
      As part of the setup process, Enterprise DLP uploads a Palo_Alto_Networks_DLP_Connection_Test.txt file to your S3 storage bucket to test and verify connectivity.
      Save the storage bucket settings if Enterprise DLP successfully connected.
      Select Previous and edit the bucket connection settings if Enterprise DLP can't connect to your S3 storage bucket.
  6. (Email DLP only) Select Configuration > SaaS Security > Settings > Email DLP Settings and enable Evidence Storage for Email DLP.
    Enterprise DLP won't forward evidence files for Email DLP traffic matches unless you enable this setting.
  7. Enable Sensitive Files for your enforcement points.
    You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint DLP. Enable evidence storage when prompted to confirm.

Set up Evidence Storage on Strata Cloud Manager Using AWS KMS

Create an S3 storage bucket on AWS using the AWS Key Management Service (KMS) to store files that match your Enterprise Data Loss Prevention (E-DLP) data profiles on Strata Cloud Manager.
  1. Review the setup prerequisites for Enterprise DLP and enable the required ports, fully qualified domain names (FQDN), and IP addresses on your network.
  2. Create an S3 storage bucket with AWS KMS encryption to store files scanned by Enterprise DLP.
    1. Select Services > Storage > S3 > Buckets and click Create bucket.
    2. Enter a descriptive Bucket name.
    3. Select the AWS Region for the S3 storage bucket.
    4. In the Default encryption section, select AWS Key Management Service (SSE-KMS) as the Encryption key type.
    5. To specify the AWS KMS key, choose Choose from your AWS KMS keys or Enter AWS key ARN.
      You can click Create a KMS Key if one doesn't already exist. Refer to AWS Documentation for details on creating a new KMS key.
    6. Click Create bucket.
    7. Obtain the ARN for the S3 storage bucket.
      After creating the S3 storage bucket, you're redirected back to the Buckets page. Search for and click the storage bucket you created.
      Click Properties. The storage bucket ARN is displayed in the Bucket overview.
  3. Obtain the trust relationship and access policy JSONs from Strata Cloud Manager.
    You need these JSONs to create the IAM role that allows Enterprise DLP to write to your S3 storage bucket.
    1. Log in to Strata Cloud Manager.
      Access to evidence storage settings and files on Strata Cloud Manager is allowed only for an account administrator or app administrator role with Enterprise DLP read and write privileges.
    2. Select Configuration > Data Loss Prevention > Settings > Sensitive Data and navigate to Evidence Storage.
    3. Select the enforcement points for which you want to enable Evidence Storage.
      You can enable evidence storage for Prisma Browser, Prisma Access, and Endpoint DLP.
    4. Select Configure Regional Bucket > AWS.
    5. Enable KMS Enabled to use an S3 storage bucket with AWS KMS encryption.
    6. In Instructions - AWS, copy the trust relationship JSON and the access policy JSON.
      The first JSON is the trust relationship and the second is the access policy. You use these JSONs in the next step to create the IAM role for the S3 storage bucket.
      Leave this browser tab open. You return here after creating the IAM role to complete the evidence storage configuration.
  4. Create the IAM role for the S3 storage bucket.
    This role allows Enterprise DLP to write evidence files to your S3 storage bucket.
    1. Select Services > Security, Identity, and Compliance > IAM > Access management > Roles and click Create role.
    2. For the Trusted entity type, select Custom trust policy.
    3. Paste the trust relationship JSON you copied from Strata Cloud Manager into the Custom trust policy editor.
    4. Click Next.
    5. In Add permissions, select Create policy > JSON.
      A new browser window opens for the policy editor.
    6. Paste the access policy JSON you copied from Strata Cloud Manager into the Policy editor.
    7. Replace all instances of bucket_name_to_be_replaced in the JSON with the S3 storage bucket ARN you obtained earlier.
    8. Add the AWS KMS key ARN.
      The AWS KMS ARN you add here must be the same AWS KMS Key ARN you provided when you created the S3 storage bucket.
    9. Click Next.
    10. Enter a Policy name and click Create policy.
    11. Return to the browser window where you're creating the IAM role.
    12. Search for and select the access policy you created.
    13. Click Next.
    14. Enter a descriptive Role name for the IAM role.
    15. Review the IAM role trust relationship and access policy.
    16. Click Create role.
  5. Configure the evidence storage connection on Strata Cloud Manager.
    Return to the Strata Cloud Manager browser tab you left open and complete the evidence storage configuration wizard.
    1. Select the Region(s) from which you want to forward evidence files to the storage bucket.
      You can associate S3 buckets in different AWS regions with your DLP regions. When DLP incidents are generated in the regions you select here, Enterprise DLP forwards the incident evidence to the storage bucket.
    2. Review the Instructions - AWS and click Next.
    3. In Input Bucket Details, enter the S3 Bucket Name of the bucket you created.
      The name you enter here must match the name of the S3 storage bucket on AWS.
    4. Enter the Role ARN for the IAM role you created.
      The IAM Role ARN is displayed in the Summary of the IAM role Permissions on the Amazon AWS console.
    5. Select the AWS Region where the bucket is located.
      This region corresponds to where you deployed your AWS storage bucket, not the DLP region where incidents are generated.
    6. Click Connect to connect Enterprise DLP to your S3 storage bucket.
    7. Review the Connection Status to verify Enterprise DLP successfully connected to your S3 storage bucket.
      As part of the setup process, Enterprise DLP uploads a Palo_Alto_Networks_DLP_Connection_Test.txt file to your S3 storage bucket to test and verify connectivity.
      Save the storage bucket settings if Enterprise DLP successfully connected.
      Select Previous and edit the bucket connection settings if Enterprise DLP can't connect to your S3 storage bucket.
  6. (Email DLP only) Select Configuration > SaaS Security > Settings > Email DLP Settings and enable Evidence Storage for Email DLP.
    Enterprise DLP won't forward evidence files for Email DLP traffic matches unless you enable this setting.
  7. Enable Sensitive Files for your enforcement points.
    You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint DLP. Enable evidence storage when prompted to confirm.
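The access policy step in both procedures (replacing every bucket_name_to_be_replaced with the bucket ARN, and for a KMS Enabled bucket also adding the KMS key ARN that the bucket was created with) is easy to get subtly wrong: a leftover placeholder yields a role that cannot write, and an over-broad edit yields a role that can reach more than the evidence bucket. The following is an added example, not the JSON that Strata Cloud Manager generates and not Palo Alto Networks code. It substitutes the ARNs into the copied policy text, then audits the result before you paste it into the IAM policy editor. The sample policy it operates on is constructed (the real policy's statements and action names may differ), and "<KMS_KEY_ARN>" is an assumed marker for where the KMS key ARN belongs; only the placeholder name bucket_name_to_be_replaced comes from the procedure.

```python
"""Finalize and audit the Enterprise DLP access policy before pasting it into IAM.

Added example, not Strata Cloud Manager's generated JSON or Palo Alto Networks code.
sample_policy() is constructed: the real policy's statements and action names may
differ, and "<KMS_KEY_ARN>" is an assumed marker for where the KMS key ARN goes.
Only the bucket placeholder name, bucket_name_to_be_replaced, comes from the procedure.
"""
import json
import re

BUCKET_PLACEHOLDER = "bucket_name_to_be_replaced"   # placeholder named in the procedure
KMS_PLACEHOLDER = "<KMS_KEY_ARN>"                   # assumed marker (constructed)

# ARN shapes: S3 bucket ARNs carry no region/account; KMS key ARNs end in key/<uuid>.
BUCKET_ARN_RE = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
KMS_ARN_RE = re.compile(
    r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def sample_policy(with_kms):
    """Constructed stand-in for the access policy JSON copied from Strata Cloud Manager."""
    statements = [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": BUCKET_PLACEHOLDER},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": BUCKET_PLACEHOLDER + "/*"},
    ]
    if with_kms:  # a KMS Enabled bucket also needs rights on the key used for SSE-KMS
        statements.append({"Effect": "Allow",
                           "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                           "Resource": KMS_PLACEHOLDER})
    return json.dumps({"Version": "2012-10-17", "Statement": statements}, indent=2)


def audit_access_policy(policy, bucket_arn, kms_key_arn=None):
    """Return findings (empty list = clean): leftover placeholders, wildcards, and
    any resource that is not this bucket, its objects, or the expected KMS key."""
    allowed = {bucket_arn, bucket_arn + "/*"}
    if kms_key_arn:
        allowed.add(kms_key_arn)
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and any(a in ("*", "s3:*", "kms:*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        for res in resources:
            if BUCKET_PLACEHOLDER in res or KMS_PLACEHOLDER in res:
                findings.append(f"statement {i}: placeholder not replaced in {res!r}")
            elif res == "*":
                findings.append(f"statement {i}: wildcard resource")
            elif res not in allowed:
                findings.append(f"statement {i}: resource outside this bucket/key: {res!r}")
    return findings


def finalize_access_policy(policy_json, bucket_arn, kms_key_arn=None):
    """Substitute the ARNs, parse the result, and refuse to return a policy that fails the audit."""
    if not BUCKET_ARN_RE.match(bucket_arn):
        raise ValueError(f"not an S3 bucket ARN: {bucket_arn!r}")
    text = policy_json.replace(BUCKET_PLACEHOLDER, bucket_arn)
    if KMS_PLACEHOLDER in text:
        if kms_key_arn is None:
            raise ValueError("policy expects a KMS key ARN (KMS Enabled bucket) but none was given")
        if not KMS_ARN_RE.match(kms_key_arn):
            raise ValueError(f"not a KMS key ARN: {kms_key_arn!r}")
        text = text.replace(KMS_PLACEHOLDER, kms_key_arn)
    policy = json.loads(text)
    findings = audit_access_policy(policy, bucket_arn, kms_key_arn)
    if findings:
        raise ValueError("policy failed audit: " + "; ".join(findings))
    return policy


if __name__ == "__main__":
    bucket = "arn:aws:s3:::dlp-evidence-example"  # constructed
    key = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # constructed
    print(json.dumps(finalize_access_policy(sample_policy(True), bucket, key), indent=2))
```

Run it with the real policy text instead of sample_policy(): read the JSON you copied from Instructions - AWS into a string, pass your bucket ARN and, for a KMS Enabled bucket, the same key ARN you selected when creating the bucket, and paste the printed result into the Policy editor. The audit raises rather than returning a policy when a placeholder survives or when any statement reaches beyond the single bucket and key, which is the scope the procedure intends for this role.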
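The Connection Status step relies on Enterprise DLP writing Palo_Alto_Networks_DLP_Connection_Test.txt into the bucket. The following is an added example, not Palo Alto Networks code, of the two checks worth repeating from the AWS side after saving the settings (and again if the 48-hour disconnection alert described earlier arrives): that the test object is readable, and that the bucket's default encryption still matches what the procedure chose at creation (SSE-S3, or SSE-KMS with the key the IAM policy references). The `s3` argument is expected to be a boto3 S3 client, which is not imported here; `StubS3` is a constructed stand-in with the same call shapes so the logic can run offline.

```python
"""Post-connection checks for an Enterprise DLP evidence bucket.

Added example, not Palo Alto Networks code. `s3` should be boto3.client("s3")
(boto3 is not imported here); StubS3 is a constructed stand-in so this runs offline.
"""

CONNECTION_TEST_KEY = "Palo_Alto_Networks_DLP_Connection_Test.txt"  # file named in the procedure


def verify_evidence_bucket(s3, bucket, expect_kms_key_arn=None):
    """Return a list of findings; an empty list means the bucket passed both checks."""
    findings = []
    try:
        s3.head_object(Bucket=bucket, Key=CONNECTION_TEST_KEY)
    except Exception as exc:  # boto3 raises botocore ClientError (404/403) here
        findings.append(f"connection test object not readable: {exc}")
    try:
        rules = s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"]["Rules"]
        default = rules[0]["ApplyServerSideEncryptionByDefault"]
    except Exception as exc:  # ServerSideEncryptionConfigurationNotFoundError, or a malformed reply
        findings.append(f"no default encryption on bucket: {exc}")
        return findings
    algo = default.get("SSEAlgorithm")
    if expect_kms_key_arn is None:
        if algo != "AES256":
            findings.append(f"expected SSE-S3 (AES256) default encryption, found {algo!r}")
    elif algo != "aws:kms":
        findings.append(f"expected SSE-KMS default encryption, found {algo!r}")
    else:
        # S3 reports the key as whatever was configured (ARN or bare key ID); accept either form
        key_id = default.get("KMSMasterKeyID", "")
        if key_id not in (expect_kms_key_arn, expect_kms_key_arn.rsplit("/", 1)[-1]):
            findings.append(f"bucket uses KMS key {key_id!r}, not the key given to the IAM policy")
    return findings


class StubS3:
    """Constructed stand-in for boto3.client('s3'); only the two calls used above are modelled."""

    def __init__(self, objects, sse):
        self.objects = objects  # {key: size} objects present in the bucket
        self.sse = sse          # ApplyServerSideEncryptionByDefault dict, or None for no default

    def head_object(self, Bucket, Key):
        if Key not in self.objects:
            raise LookupError(f"404 Not Found: s3://{Bucket}/{Key}")
        return {"ContentLength": self.objects[Key]}

    def get_bucket_encryption(self, Bucket):
        if self.sse is None:
            raise LookupError("ServerSideEncryptionConfigurationNotFoundError")
        return {"ServerSideEncryptionConfiguration":
                {"Rules": [{"ApplyServerSideEncryptionByDefault": self.sse}]}}


def healthy_sse_s3_stub():
    """Constructed: test object present and SSE-S3 default encryption, i.e. a passing bucket."""
    return StubS3({CONNECTION_TEST_KEY: 0}, {"SSEAlgorithm": "AES256"})


if __name__ == "__main__":
    # Against AWS: verify_evidence_bucket(boto3.client("s3"), "<your-bucket-name>", key_arn_or_None)
    for finding in verify_evidence_bucket(StubS3({}, None), "dlp-evidence-example"):
        print("FINDING:", finding)
```

Call it with the bucket name you entered in Input Bucket Details and, for a KMS Enabled bucket, the key ARN you put in the access policy; an empty result means the test upload succeeded and the encryption setting the IAM policy was written for is still in force.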