Configure Cloud Storage on AWS for Prisma Access (Cloud Managed)
Create an S3 bucket on Amazon Web Services (AWS) to store files that match your
Enterprise Data Loss Prevention (DLP) data filtering profiles for Prisma Access (Cloud
Managed).
Amazon Web Services (AWS) users can configure an S3 bucket to automatically upload
all files that match an Enterprise data loss prevention (DLP) data profile for
Enterprise DLP deployed on Prisma Access (Cloud Managed).
To store your files scanned by the DLP cloud service, you must create an S3 bucket
and Identity and Access Management (IAM) role that allows the DLP cloud service
access to automatically store files. Palo Alto Networks provides you a JSON data
containing the required policy permissions to create the IAM role. Files uploaded to
your S3 bucket are automatically named using a unique Report ID for each file. The
Report ID is used to search and download specific files for more in depth
investigation.
In case of connection issues to your S3 bucket due to configuration error or change
in settings on the bucket, an email is automatically generated and sent to the admin
that originally connected the Prisma Access (Cloud Managed) to the storage bucket
and to the user who last modified the storage bucket connection settings on Prisma
Access (Cloud Managed). This email is sent out every 48 hours until the connection
is restored.
Files that are scanned by the DLP cloud service while Prisma Access (Cloud
Managed) is disconnected from your storage bucket cannot be stored and are lost.
This means that all impacted files are not available for download. However, all
snippet data is preserved and can still be viewed on Prisma Access (Cloud
Managed).
File storage automatically resumes after the connection status is restored.
- Create a public S3 storage bucket to store files scanned by the Enterprise DLP cloud service.
- SelectandServicesStorageS3BucketsCreate bucket.
- Enter a descriptiveBucket name.
- Select theAWS Regionfor the S3 bucket.
- In the Default encryption section,Enableserver-side encryption and select your preferred encryption key type.This is required to successfully associate the S3 bucket with the hub.
- Create bucket.
- Create the IAM role for the S3 bucket.This role is required to allow the DLP cloud service to write to the S3 bucket.
- SelectandServicesSecurity, Identity, and ComplianceIAMAccess managementRolesCreate role.
- For the type of trusted entity, selectS3from the list displayed in the Choose a use case section.
- In the Select your use case section, selectS3.
- SelectNext: Permissions,Next: TagsandNext: Review.The permissions policy to create the trust relationship is configured the following step.
- Enter a descriptiveRole namefor the IAM role.
- Create role.
- Configure the trust relationship for the IAM role.
- Obtain the trust relationship using JSON provided by Palo Alto Networks.
- Selectand selectManageConfigurationSecurity ServicesData Loss PreventionSettingsSensitive DataAWSas the Public Cloud Storage Bucket.
- In theInstructions, copy the JSON provided to define the trust relationship between the IAM role and Palo Alto Networks.
- In AWS, selectand select the IAM role you created.ServicesSecurity, Identity, and ComplianceIAMAccess managementRoles
- SelectTrust relationshipsandEdit trust relationship.
- Paste the trust relationship JSON you copied from Prisma Access (Cloud Managed) to define the trust relationship between the IAM role and Palo Alto Networks.
- Update Trust Relationship.
- Create a policy to define the access policy and assign the policy to the IAM role you created.Palo Alto Networks provides you with a JSON containing the required access policy configuration that you can copy and paste.
- Obtain the access policy using JSON provided by Palo Alto Networks.
- Log in to the DLP app on the hub
- Selectand selectManageConfigurationSecurity ServicesData Loss PreventionSettingsSensitive DataAWSas the Public Cloud Storage Bucket.
- In theInstructions, copy the JSON provided to define the access policy between the IAM role and Palo Alto Networks.
- In AWS, selectandServicesSecurity, Identity, and ComplianceIAMAccess managementPoliciesCreate policy.
- SelectJSONand pasted the JSON provided by Palo Alto Networks.Throughout the JSON, you must delete all instances ofbucket_name_to_be_replacedwith the S3 bucket ARN you created.You can find the ARN of your S3 bucket by selecting. Then select the S3 bucket and view theServicesStorageS3Properties.
- SelectNext: TagsandNext: Review
- Enter a descriptiveNamefor the access policy andCreate policy.
- SelectRolesand select the IAM role you created.
- Selectto select the access policy you created andPermissionsAttach policiesAttach policies.
- Configure the S3 bucket for evidence file storage.
- Access to evidence storage settings and files on Prisma Access (Cloud Managed) is allowed only for an account administrator or app administrator role with Enterprise DLP read and write privileges. This is to ensure that only the appropriate users have access to report data and evidence.
- Selectand selectManageConfigurationSecurity ServicesData Loss PreventionSettingsSensitive DataAWSas the Public Cloud Storage Bucket.
- Input Bucket Details.
- Enter theS3 Bucket Nameof the bucket you created.
- Enter theRole ARNfor the IAM role you created.
- Select the AWSRegionwhere the bucket is located.
- SelectNextto verify the connections status your S3 bucket.SelectSaveif Prisma Access (Cloud Managed) can successfully connect your bucket. Aconnectiontestfile is uploaded to your storage bucket by the DLP cloud service to verify connectivity.If Prisma Access (Cloud Managed) cannot successfully connect your bucket, selectPreviousand edit the bucket connection settings.
- In the Store Sensitive Files settings, enable storage of sensitive files for Prisma Access (Cloud Managed).
Recommended For You
Recommended Videos
Recommended videos not found.