Enterprise DLP
Set Up Cloud Storage on AWS to Save Evidence
Table of Contents
Set Up Cloud Storage on AWS to Save Evidence
Create an S3 storage bucket on AWS to store files that match your
Enterprise Data Loss Prevention (E-DLP)
data profiles.Where Can I Use This? | What Do I Need? |
---|---|
|
|
Amazon Web Services (AWS) users can configure an S3 storage bucket to automatically
upload all files that match an
Enterprise Data Loss Prevention (E-DLP)
data profile for Enterprise DLP
. To store your files scanned by the DLP cloud service, you must create an S3 storage
bucket and Identity and Access Management (IAM) role that allows the DLP cloud
service access to automatically store files. Palo Alto Networks provides you with a
JSON data containing the required policy permissions to create the IAM role. Files
uploaded to your S3 storage bucket are automatically named using a unique Report ID
for each file. The Report ID is used to search and download specific files for more
in-depth investigation.
In case of connection issues to your S3 storage bucket due to configuration error or
change in settings on the bucket, an email is automatically generated and sent to
the admin that originally connected
Enterprise DLP
to the storage bucket and to
the user who last modified the storage bucket connection settings. This email is
sent out every 48 hours until the connection is restored.Files that are scanned by the DLP cloud service while
Enterprise DLP
is
disconnected from your storage bucket can't be stored and are lost. This means
that all impacted files are not available for download. However, all snippet
data is preserved and can still be viewed.File storage automatically resumes after the connection status is restored.
Strata Cloud Manager
Strata Cloud Manager
Create an S3 storage bucket on AWS to store files that match your
Enterprise Data Loss Prevention (E-DLP)
data profiles.- Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
- Create a public S3 storage bucket to store files scanned by theEnterprise DLPcloud service.
- SelectandServicesStorageS3BucketsCreate bucket.
- Enter a descriptiveBucket name.
- Select theAWS Regionfor the S3 storage bucket.
- In theDefault encryptionsection, selectAmazon S3 managed keys (SSE-S3)as theEncryption key type.You canCreate a KMS Keyif one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key.
- Create bucket.
- Obtain the ARN for the S3 storage bucket.After creating the S3 storage bucket, you're redirected back to theBucketspage. Search for and click the storage bucket you created.ClickProperties. The storage bucket ARN is displayed in theBucket overview.
- Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
- Log in toStrata Cloud Manager.
- Select.ManageConfigurationData Loss PreventionSettingsSensitive Data
- InEvidence Storage, selectas the Public Storage Bucket.Configure BucketAWS
- InInstructions - AWS, locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.Leave theConfigure Bucket for Evidence Storagedisplay open and continue to create the IAM role for the S3 storage bucket in a separate browser window.
- Create the IAM role for the S3 storage bucket.This role is required to allow the DLP cloud service to write to the S3 storage bucket.
- SelectandServicesSecurity, Identity, and ComplianceIAMAccess managementRolesCreate role.
- SelectCustom trust policy.
- For theTrusted entity type, selectCustom trust policy.
- Return toStrata Cloud Managerand copy the trust relationship JSON.
- In the Amazon AWS console, paste the trust relationship JSON into theCustom trust policyto configure the trust policy.
- ClickNext.
- InAdd permissions, select.Create policyJSONA new window is automatically opened in your browser to create the new access policy.
- Return toStrata Cloud Managerand copy the access policy JSON.
- In the Amazon AWS console, paste the access policy JSON into thePolicy editor.
- Add the bucket ARN for the S3 storage bucket you created.Throughout the JSON, you must replace all instances ofbucket_name_to_be_replacedwith the S3 storage bucket ARN you created.
- ClickNext.
- Enter aPolicy nameandCreate policy.
- Return to the browser window where you're creating the IAM role,
- Search for and select the access policy you created.
- ClickNext.
- Enter a descriptiveRole namefor the IAM role.
- Review the IAM role trust relationship and access policy.
- Create role.
- Configure the S3 storage bucket for evidence file storage.
- Log in toStrata Cloud Manager.Access to evidence storage settings and files onStrata Cloud Manageris allowed only for an account administrator or app administrator role withEnterprise DLPread and write privileges. This is to ensure that only the appropriate users have access to report data and evidence.
- Selectand selectManageConfigurationSecurity ServicesData Loss PreventionSettingsSensitive DataAWSas the Public Cloud Storage Bucket.
- SelectInput Bucket Details.
- Enter theS3 Bucket Nameof the bucket you created.The name you enter in theStrata Cloud Managermust match the name of the S3 storage bucket on AWS.
- Enter theRole ARNfor the IAM role you created.The IAM Role ARN can be found in the IAM rolePermissions. The role ARN is displayed in theSummary.
- Select the AWSRegionwhere the bucket is located.
- SelectConnectto verify the connections status your S3 storage bucket.SelectSaveifEnterprise DLPcan successfully connect your bucket. APalo_Alto_Networks_DLP_Connection_Test.txtfile is uploaded to your storage bucket by the DLP cloud service to verify connectivity.IfEnterprise DLPcan't successfully connect your bucket, selectPreviousand edit the bucket connection settings.
- In theEvidence Storagesettings, enableSensitive Filesto enable storage of sensitive files in the S3 storage bucket.
Strata Cloud Manager Using AWS KMS
Strata Cloud Manager
Using AWS KMSCreate an S3 storage bucket on AWS using the AWS Key Management Service (KMS) to
store files that match your
Enterprise Data Loss Prevention (E-DLP)
data profiles on Strata Cloud Manager
.- Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
- Create a public S3 storage bucket to store files scanned by theEnterprise DLPcloud service.
- SelectandServicesStorageS3BucketsCreate bucket.
- Enter a descriptiveBucket name.
- Select theAWS Regionfor the S3 storage bucket.
- In theDefault encryptionsection, selectAWS Key Management Service (SSE-KMS)as theEncryption key type.
- To specify theAWS KMS key, you canChoose from your AWS KMS keysor you canEnter AWS key ARN.You canCreate a KMS Keyif one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key.
- Create bucket.
- Obtain the ARN for the S3 storage bucket.After creating the S3 storage bucket, you're redirected back to theBucketspage. Search for and click the storage bucket you created.ClickProperties. The storage bucket ARN is displayed in theBucket overview.
- Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
- Log in toStrata Cloud Manager.
- Select.ManageConfigurationData Loss PreventionSettingsSensitive Data
- InEvidence Storage, selectas the Public Storage Bucket.Configure BucketAWS
- ToggleKMS Enabledenable an S3 storage bucket using AWS KMS.
- InInstructions - AWS, locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.Leave theConfigure Bucket for Evidence Storagedisplay open and continue to create the IAM role for the S3 storage bucket in a separate browser window.
- Create the IAM role for the S3 storage bucket.This role is required to allow the DLP cloud service to write to the S3 storage bucket.
- SelectandServicesSecurity, Identity, and ComplianceIAMAccess managementRolesCreate role.
- SelectCustom trust policy.
- For theTrusted entity type, selectCustom trust policy.
- Return toStrata Cloud Managerand copy the trust relationship JSON.
- In the Amazon AWS console, paste the trust relationship JSON into theCustom trust policyto configure the trust policy.
- ClickNext.
- InAdd permissions, select.Create policyJSONA new window is automatically opened in your browser to create the new access policy.
- Return toStrata Cloud Managerand copy the access policy JSON.
- In the Amazon AWS console, paste the access policy JSON into thePolicy editor.
- Add the bucket ARN for the S3 storage bucket you created.Throughout the JSON, you must replace all instances ofbucket_name_to_be_replacedwith the S3 storage bucket ARN you created.
- Add the AWS KMS key ARN.The AWS KMS ARN you add here must be the same AWS KMS Key ARN you provided when you created the S3 storage bucket.
- ClickNext.
- Enter aPolicy nameandCreate policy.
- Return to the browser window where you're creating the IAM role,
- Search for and select the access policy you created.
- ClickNext.
- Enter a descriptiveRole namefor the IAM role.
- Review the IAM role trust relationship and access policy.
- Create role.
- Configure the S3 storage bucket for evidence file storage.
- Log in toStrata Cloud Manager.Access to evidence storage settings and files onStrata Cloud Manageris allowed only for an account administrator or app administrator role withEnterprise DLPread and write privileges. This is to ensure that only the appropriate users have access to report data and evidence.
- Selectand selectManageConfigurationSecurity ServicesData Loss PreventionSettingsSensitive DataAWSas the Public Cloud Storage Bucket.
- SelectInput Bucket Details.
- Enter theS3 Bucket Nameof the bucket you created.The name you enter inStrata Cloud Managermust match the name of the S3 storage bucket on AWS.
- Enter theRole ARNfor the IAM role you created.The IAM Role ARN can be found in the IAM rolePermissions. The role ARN is displayed in theSummary.
- Select the AWSRegionwhere the bucket is located.
- SelectConnectto verify the connections status your S3 storage bucket.SelectSaveifEnterprise DLPcan successfully connect your bucket. APalo_Alto_Networks_DLP_Connection_Test.txtfile is uploaded to your storage bucket by the DLP cloud service to verify connectivity.IfEnterprise DLPcan't successfully connect your bucket, selectPreviousand edit the bucket connection settings.
- In theEvidence Storagesettings, enableSensitive Filesto enable storage of sensitive files in the S3 storage bucket.
Panorama
Panorama
Create an S3 storage bucket on AWS to store files that match
Enterprise Data Loss Prevention (E-DLP)
data profiles.- Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
- Create a public S3 storage bucket to store files scanned by theEnterprise DLPcloud service.
- SelectandServicesStorageS3BucketsCreate bucket.
- Enter a descriptiveBucket name.
- Select theAWS Regionfor the S3 storage bucket.
- In theDefault encryptionsection, selectAmazon S3 managed keys (SSE-S3)as theEncryption key type.You canCreate a KMS Keyif one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key.
- Create bucket.
- Obtain the ARN for the S3 storage bucket.After creating the S3 storage bucket, you're redirected back to theBucketspage. Search for and click the storage bucket you created.ClickProperties. The storage bucket ARN is displayed in theBucket overview.
- Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
- Log in to the DLP app on the hub.
- Select.SettingsSensitive Data
- InEvidence Storage, selectas the Public Cloud Storage Bucket.Configure BucketAWS
- InInstructions - AWS, locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.Leave theConfigure Bucket for Evidence Storagedisplay open and continue to create the IAM role for the S3 storage bucket in a separate browser window.
- Create the IAM role for the S3 storage bucket.This role is required to allow the DLP cloud service to write to the S3 storage bucket.
- SelectandServicesSecurity, Identity, and ComplianceIAMAccess managementRolesCreate role.
- SelectCustom trust policy.
- For theTrusted entity type, selectCustom trust policy.
- Return to the Cloud Management Console and copy the trust relationship JSON.
- In the Amazon AWS console, paste the trust relationship JSON into theCustom trust policyto configure the trust policy.
- ClickNext.
- InAdd permissions, select.Create policyJSONA new window is automatically opened in your browser to create the new access policy.
- Return to the Cloud Management Console and copy the access policy JSON.
- In the Amazon AWS console, paste the access policy JSON into thePolicy editor.
- Add the bucket ARN for the S3 storage bucket you created.Throughout the JSON, you must replace all instances ofbucket_name_to_be_replacedwith the S3 storage bucket ARN you created.
- ClickNext.
- Enter aPolicy nameandCreate policy.
- Return to the browser window where you're creating the IAM role,
- Search for and select the access policy you created.
- ClickNext.
- Enter a descriptiveRole namefor the IAM role.
- Review the IAM role trust relationship and access policy.
- Create role.
- Configure the S3 storage bucket for evidence file storage.
- Log in to the DLP app on the hub.
- Selectand selectManageConfigurationSecurity ServicesData Loss PreventionSettingsSensitive DataAWSas the Public Cloud Storage Bucket.
- SelectInput Bucket Details.
- Enter theS3 Bucket Nameof the bucket you created.The name you enter in the Cloud Management Console must match the name of the S3 storage bucket on AWS.
- Enter theRole ARNfor the IAM role you created.The IAM Role ARN can be found in the IAM rolePermissions. The role ARN is displayed in theSummary.
- Select the AWSRegionwhere the bucket is located.
- SelectConnectto verify the connections status your S3 storage bucket.SelectSaveifEnterprise DLPcan successfully connect your bucket. APalo_Alto_Networks_DLP_Connection_Test.txtfile is uploaded to your storage bucket by the DLP cloud service to verify connectivity.IfEnterprise DLPcan't successfully connect your bucket, selectPreviousand edit the bucket connection settings.
- In theEvidence Storagesettings, enableSensitive Filesto enable storage of sensitive files in the S3 storage bucket.
Panorama Using AWS KMS
Panorama
Using AWS KMSCreate an S3 storage bucket on AWS using the AWS Key Management Service (KMS) to
store files that match your
Enterprise Data Loss Prevention (E-DLP)
data profiles on the DLP app on the
hub.- Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
- Create a public S3 storage bucket to store files scanned by theEnterprise DLPcloud service.
- SelectandServicesStorageS3BucketsCreate bucket.
- Enter a descriptiveBucket name.
- Select theAWS Regionfor the S3 storage bucket.
- In theDefault encryptionsection, selectAWS Key Management Service (SSE-KMS)as theEncryption key type.
- To specify theAWS KMS key, you canChoose from your AWS KMS keysor you canEnter AWS key ARN.You canCreate a KMS Keyif one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key.
- Create bucket.
- Obtain the ARN for the S3 storage bucket.After creating the S3 storage bucket, you're redirected back to theBucketspage. Search for and click the storage bucket you created.ClickProperties. The storage bucket ARN is displayed in theBucket overview.
- Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
- Log in to the DLP app on the hub.
- Select.SettingsSensitive Data
- InEvidence Storage, selectas the Public Cloud Storage Bucket.Configure BucketAWS
- ToggleKMS Enabledenable an S3 storage bucket using AWS KMS.
- InInstructions - AWS, locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.Leave theConfigure Bucket for Evidence Storagedisplay open and continue to create the IAM role for the S3 storage bucket in a separate browser window.
- Create the IAM role for the S3 storage bucket.This role is required to allow the DLP cloud service to write to the S3 storage bucket.
- SelectandServicesSecurity, Identity, and ComplianceIAMAccess managementRolesCreate role.
- SelectCustom trust policy.
- For theTrusted entity type, selectCustom trust policy.
- Return to the Cloud Management Console and copy the trust relationship JSON.
- In the Amazon AWS console, paste the trust relationship JSON into theCustom trust policyto configure the trust policy.
- ClickNext.
- InAdd permissions, select.Create policyJSONA new window is automatically opened in your browser to create the new access policy.
- Return to the Cloud Management Console and copy the access policy JSON.
- In the Amazon AWS console, paste the access policy JSON into thePolicy editor.
- Add the bucket ARN for the S3 storage bucket you created.Throughout the JSON, you must replace all instances ofbucket_name_to_be_replacedwith the S3 storage bucket ARN you created.
- Add the AWS KMS key ARN.The AWS KMS ARN you add here must be the same AWS KMS Key ARN you provided when you created the S3 storage bucket.
- ClickNext.
- Enter aPolicy nameandCreate policy.
- Return to the browser window where you're creating the IAM role,
- Search for and select the access policy you created.
- ClickNext.
- Enter a descriptiveRole namefor the IAM role.
- Review the IAM role trust relationship and access policy.
- Create role.
- Configure the S3 storage bucket for evidence file storage.
- Log in to the DLP app on the hub.
- Selectand selectManageConfigurationSecurity ServicesData Loss PreventionSettingsSensitive DataAWSas the Public Cloud Storage Bucket.
- SelectInput Bucket Details.
- Enter theS3 Bucket Nameof the bucket you created.The name you enter in the Cloud Management Console must match the name of the S3 storage bucket on AWS.
- Enter theRole ARNfor the IAM role you created.The IAM Role ARN can be found in the IAM rolePermissions. The role ARN is displayed in theSummary.
- Select the AWSRegionwhere the bucket is located.
- SelectConnectto verify the connections status your S3 storage bucket.SelectSaveifEnterprise DLPcan successfully connect your bucket. APalo_Alto_Networks_DLP_Connection_Test.txtfile is uploaded to your storage bucket by the DLP cloud service to verify connectivity.IfEnterprise DLPcan't successfully connect your bucket, selectPreviousand edit the bucket connection settings.
- In theEvidence Storagesettings, enableSensitive Filesto enable storage of sensitive files in the S3 storage bucket.