Configure Cloud Storage on AWS for Cloud Management

Create an S3 bucket on AWS to store files that match your Enterprise data loss prevention (DLP) data profiles.

Amazon Web Services (AWS) users can configure an S3 bucket to automatically upload all files that match an Enterprise data loss prevention (DLP) data profile for Enterprise DLP deployed on Cloud Management.

To store the files scanned by the DLP cloud service, you must create an S3 bucket and an Identity and Access Management (IAM) role that allows the DLP cloud service to store files automatically. Palo Alto Networks provides you with JSON data containing the required policy permissions to create the IAM role. Files uploaded to your S3 bucket are automatically named using a unique Report ID for each file. The Report ID is used to search for and download specific files for more in-depth investigation.

If the connection to your S3 bucket fails because of a configuration error or a change in settings on the bucket, an email is automatically generated and sent to the admin who originally connected Cloud Management to the storage bucket and to the user who last modified the storage bucket connection settings on Cloud Management. This email is sent every 48 hours until the connection is restored.

Files scanned by the DLP cloud service while Cloud Management is disconnected from your storage bucket cannot be stored and are lost, so the affected files are not available for download. However, all snippet data is preserved and can still be viewed on Cloud Management. File storage automatically resumes after the connection is restored.
  1. Create an S3 storage bucket (the public cloud storage bucket) to store files scanned by the Enterprise DLP cloud service.
    1. Select Services > Storage > S3 > Buckets and Create bucket.
    2. Enter a descriptive Bucket name.
    3. Select the AWS Region for the S3 bucket.
    4. In the Default encryption section, Enable server-side encryption and select the default Amazon S3 key (SSE-S3) encryption key type.
      This is required to successfully associate the S3 bucket with the hub.
    5. Create bucket.
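Because the hub association depends on the bucket using the Amazon S3 key (SSE-S3) type, it is worth checking the bucket's default encryption setting before moving on to the IAM steps. The following Python is an added example, not code from Palo Alto Networks or AWS: it evaluates the dictionary shape returned by the S3 GetBucketEncryption API (boto3 `get_bucket_encryption`), in which SSE-S3 appears as the algorithm name `AES256` and SSE-KMS as `aws:kms`. The two sample responses are constructed; the live lookup requires boto3 and AWS credentials.

```python
"""Check that an S3 bucket's default encryption is SSE-S3 (AES256).

Added example, not code from Palo Alto Networks or AWS. The offline checks
operate on the response shape of the S3 GetBucketEncryption API; the two
sample responses below are CONSTRUCTED for illustration.
"""

# Constructed response for a bucket whose default key type is Amazon S3 key (SSE-S3).
SSE_S3_RESPONSE = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
                "BucketKeyEnabled": False,
            }
        ]
    }
}

# Constructed response for a bucket that uses a KMS key (SSE-KMS) instead;
# the key id is a placeholder, not a real key.
SSE_KMS_RESPONSE = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "EXAMPLE-KMS-KEY-ID-PLACEHOLDER",
                },
                "BucketKeyEnabled": True,
            }
        ]
    }
}


def default_sse_algorithms(response: dict) -> list:
    """Return the SSEAlgorithm of every default-encryption rule in the response."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return [
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "")
        for rule in rules
    ]


def uses_sse_s3(response: dict) -> bool:
    """True only when the bucket has exactly one default rule and it is AES256.

    AES256 is the API name for the Amazon S3 key (SSE-S3) type that the
    hub association requires; "aws:kms" means SSE-KMS and fails the check.
    """
    return default_sse_algorithms(response) == ["AES256"]


def fetch_and_check(bucket_name: str) -> bool:
    """Query the live bucket with boto3 (needs credentials; not run offline)."""
    import boto3  # imported here so the offline checks above need no AWS SDK

    s3 = boto3.client("s3")
    return uses_sse_s3(s3.get_bucket_encryption(Bucket=bucket_name))


if __name__ == "__main__":
    print("constructed SSE-S3 bucket passes:", uses_sse_s3(SSE_S3_RESPONSE))
    print("constructed SSE-KMS bucket passes:", uses_sse_s3(SSE_KMS_RESPONSE))
```

The check deliberately requires a single `AES256` rule: a bucket whose default rule is SSE-KMS would encrypt objects with a customer-managed key, which is not the key type this procedure asks for.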
  2. Create the IAM role for the S3 bucket.
    This role is required to allow the DLP cloud service to write to the S3 bucket.
    1. Select Services > Security, Identity, and Compliance > IAM > Access management > Roles and Create role.
    2. For the type of trusted entity, select S3 from the list displayed in the Choose a use case section.
    3. In the Select your use case section, select S3.
    4. Select Next: Permissions, Next: Tags and Next: Review.
      The permissions policy that creates the trust relationship is configured in the following step.
    5. Enter a descriptive Role name for the IAM role.
    6. Create role.
  3. Configure the trust relationship for the IAM role.
    1. Obtain the trust relationship JSON provided by Palo Alto Networks.
      1. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings > Sensitive Data and select AWS as the Public Cloud Storage Bucket.
      2. In the Instructions, copy the JSON provided to define the trust relationship between the IAM role and Palo Alto Networks.
    2. In AWS, select Services > Security, Identity, and Compliance > IAM > Access management > Roles and select the IAM role you created.
    3. Select Trust relationships and Edit trust relationship.
    4. Paste the trust relationship JSON you copied from Prisma Access (Cloud Management) to define the trust relationship between the IAM role and Palo Alto Networks.
    5. Update Trust Relationship.
  4. Create a policy to define the access policy and assign the policy to the IAM role you created.
    Palo Alto Networks provides you with a JSON containing the required access policy configuration that you can copy and paste.
    1. Obtain the access policy JSON provided by Palo Alto Networks.
      1. Log in to the DLP app on the hub.
      2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings > Sensitive Data and select AWS as the Public Cloud Storage Bucket.
      3. In the Instructions, copy the JSON provided to define the access policy between the IAM role and Palo Alto Networks.
    2. In AWS, select Services > Security, Identity, and Compliance > IAM > Access management > Policies and Create policy.
    3. Select JSON and paste the JSON provided by Palo Alto Networks.
      Throughout the JSON, replace every instance of bucket_name_to_be_replaced with the ARN of the S3 bucket you created.
      You can find the ARN of your S3 bucket by selecting Services > Storage > S3. Then select the S3 bucket and view the Properties.
    4. Select Next: Tags and Next: Review.
    5. Enter a descriptive Name for the access policy and Create policy.
    6. Select Roles and select the IAM role you created.
    7. Select Permissions > Attach policies to select the access policy you created and Attach policies.
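A leftover bucket_name_to_be_replaced placeholder, or a Resource that points at a different bucket, is the usual reason the access policy fails to work, so it is safer to render and verify the JSON before pasting it into the IAM console. The following Python is an added example, not code from Palo Alto Networks or AWS: it substitutes the placeholder with the bucket ARN, confirms no placeholder remains, and confirms that every Resource is either the bucket ARN itself or a key path under it. The policy template in the block is a constructed stand-in that only reuses the placeholder name this page documents; it is not the JSON from the DLP app, which you should use in practice. The bucket name used in the usage call is constructed as well.

```python
"""Render an S3 access-policy JSON for one specific bucket and validate it.

Added example, not code from Palo Alto Networks or AWS. SAMPLE_POLICY_TEMPLATE
is a CONSTRUCTED stand-in that shares only the placeholder name with the
JSON provided in the DLP app Instructions; substitute the real JSON.
"""
import json
import re

PLACEHOLDER = "bucket_name_to_be_replaced"

# Constructed template; the real one comes from the DLP app Instructions.
SAMPLE_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": ["bucket_name_to_be_replaced/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "bucket_name_to_be_replaced"
    }
  ]
}"""

# Simplified S3 bucket naming rules: 3-63 chars of lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def bucket_arn(bucket_name: str) -> str:
    """Return the ARN of an S3 bucket (S3 bucket ARNs carry no account id or region)."""
    if not _BUCKET_RE.match(bucket_name) or ".." in bucket_name:
        raise ValueError(f"invalid S3 bucket name: {bucket_name!r}")
    return f"arn:aws:s3:::{bucket_name}"


def _resources(policy: dict):
    """Yield every Resource ARN in the policy; Resource may be a string or a list."""
    for stmt in policy.get("Statement", []):
        res = stmt.get("Resource", [])
        yield from ([res] if isinstance(res, str) else res)


def check_rendered_policy(policy_text: str, bucket_name: str) -> dict:
    """Parse a rendered policy and verify it is scoped to the given bucket.

    Raises ValueError if the placeholder survived or if any Resource points
    somewhere other than the bucket ARN or a key path under it.
    """
    if PLACEHOLDER in policy_text:
        raise ValueError("placeholder still present; replace every instance")
    policy = json.loads(policy_text)
    arn = bucket_arn(bucket_name)
    for res in _resources(policy):
        if res != arn and not res.startswith(arn + "/"):
            raise ValueError(f"resource {res!r} is not scoped to {arn}")
    return policy


def render_policy(template: str, bucket_name: str) -> dict:
    """Substitute the placeholder with the bucket ARN and validate the result."""
    rendered = template.replace(PLACEHOLDER, bucket_arn(bucket_name))
    return check_rendered_policy(rendered, bucket_name)


if __name__ == "__main__":
    # "dlp-evidence-example" is a constructed bucket name.
    print(json.dumps(render_policy(SAMPLE_POLICY_TEMPLATE, "dlp-evidence-example"), indent=2))
```

Paste the output of `render_policy` into the JSON tab of the Create policy page. The scope check is the part worth keeping even if you edit by hand: it rejects a policy whose Resource still grants access to some other bucket or to `*`.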
  5. Configure the S3 bucket for evidence file storage.
    1. Access to evidence storage settings and files on Cloud Management is allowed only for an account administrator or app administrator role with Enterprise DLP read and write privileges. This ensures that only the appropriate users have access to report data and evidence.
    2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings > Sensitive Data and select AWS as the Public Cloud Storage Bucket.
    3. Input Bucket Details.
    4. Enter the S3 Bucket Name of the bucket you created.
    5. Enter the Role ARN for the IAM role you created.
    6. Select the AWS Region where the bucket is located.
    7. Select Next to verify the connection status of your S3 bucket.
      Select Save if Cloud Management can successfully connect to your bucket. The DLP cloud service uploads a connectiontest file to your storage bucket to verify connectivity.
      If Cloud Management cannot successfully connect to your bucket, select Previous and edit the bucket connection settings.
    8. In the Store Sensitive Files settings, enable storage of sensitive files for Cloud Management.
