Enterprise DLP
Set up Evidence Storage on Strata Cloud Manager Using AWS
Table of Contents
Set up Evidence Storage on Strata Cloud Manager Using AWS
Create an S3 storage bucket on AWS to store files that match your Enterprise Data Loss Prevention (E-DLP) data profiles.
- Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.Create a public S3 storage bucket to store files scanned by the Enterprise DLP cloud service.
- Log in to the Amazon AWS console.Select ServicesStorageS3Buckets and Create bucket.Enter a descriptive Bucket name.Select the AWS Region for the S3 storage bucket.In the Default encryption section, select Amazon S3 managed keys (SSE-S3) as the Encryption key type.You can Create a KMS Key if one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key.Create bucket.Obtain the ARN for the S3 storage bucket.After creating the S3 storage bucket, you're redirected back to the Buckets page. Search for and click the storage bucket you created.Click Properties. The storage bucket ARN is displayed in the Bucket overview.Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
- Log in to Strata Cloud Manager.Select ManageConfigurationData Loss PreventionSettingsSensitive Data.In Evidence Storage, select Configure BucketAWS as the Public Storage Bucket.In Instructions - AWS, locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.Leave the Configure Bucket for Evidence Storage display open and continue to create the IAM role for the S3 storage bucket in a separate browser window.Create the IAM role for the S3 storage bucket.This role is required to allow the DLP cloud service to write to the S3 storage bucket.
- Log in to the Amazon AWS console.Select ServicesSecurity, Identity, and ComplianceIAMAccess managementRoles and Create role.Select Custom trust policy.For the Trusted entity type, select Custom trust policy.Return to Strata Cloud Manager and copy the trust relationship JSON.In the Amazon AWS console, paste the trust relationship JSON into the Custom trust policy to configure the trust policy.Click Next.In Add permissions, select Create policyJSON.A new window is automatically opened in your browser to create the new access policy.Return to Strata Cloud Manager and copy the access policy JSON.In the Amazon AWS console, paste the access policy JSON into the Policy editor.Add the bucket ARN for the S3 storage bucket you created.Throughout the JSON, you must replace all instances of bucket_name_to_be_replaced with the S3 storage bucket ARN you created.Click Next.Enter a Policy name and Create policy.Return to the browser window where you're creating the IAM role,Search for and select the access policy you created.Click Next.Enter a descriptive Role name for the IAM role.Review the IAM role trust relationship and access policy.Create role.Configure the S3 storage bucket for evidence file storage.
- Log in to Strata Cloud Manager.Access to evidence storage settings and files on Strata Cloud Manager is allowed only for an account administrator or app administrator role with Enterprise DLP read and write privileges. This is to ensure that only the appropriate users have access to report data and evidence.Select ManageConfigurationSecurity ServicesData Loss PreventionSettingsSensitive Data and select AWS as the Public Cloud Storage Bucket.Select Input Bucket Details.Enter the S3 Bucket Name of the bucket you created.The name you enter in the Strata Cloud Manager must match the name of the S3 storage bucket on AWS.Enter the Role ARN for the IAM role you created.The IAM Role ARN can be found in the IAM role Permissions. The role ARN is displayed in the Summary.Select the AWS Region where the bucket is located.Select Connect to verify the connections status your S3 storage bucket.Select Save if Enterprise DLP can successfully connect your bucket. A Palo_Alto_Networks_DLP_Connection_Test.txt file is uploaded to your storage bucket by the DLP cloud service to verify connectivity.If Enterprise DLP can't successfully connect your bucket, select Previous and edit the bucket connection settings.Enable Sensitive Files for your enforcement points.You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint DLP. Enable evidence storage when prompted to confirm.