Set Up Cloud Storage on AWS to Save Evidence
Focus
Focus
Enterprise DLP

Set Up Cloud Storage on AWS to Save Evidence

Table of Contents

Set Up Cloud Storage on AWS to Save Evidence

Create an S3 storage bucket on AWS to store files that match your
Enterprise Data Loss Prevention (E-DLP)
data profiles.
Where Can I Use This?
What Do I Need?
  • Panorama
  • Prisma Access (Cloud Management)
  • SaaS Security
  • NGFW (Cloud Managed)
  • Enterprise Data Loss Prevention (E-DLP)
    license and any of the following:
    • Panorama
      —Support and device management licenses
    • Prisma Access (Cloud Management)
      Prisma Access
      license
    • SaaS Security
      SaaS Security
      license
    • NGFW (Cloud Managed)
      —Support and
      AIOps for NGFW Premium
      licenses
    Or
  • Any of the following licenses
    • Prisma Access
      CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X)
      license
    • Data Security
      license
Amazon Web Services (AWS) users can configure an S3 storage bucket to automatically upload all files that match an
Enterprise Data Loss Prevention (E-DLP)
data profile for
Enterprise DLP
.
To store your files scanned by the DLP cloud service, you must create an S3 storage bucket and Identity and Access Management (IAM) role that allows the DLP cloud service access to automatically store files. Palo Alto Networks provides you with a JSON data containing the required policy permissions to create the IAM role. Files uploaded to your S3 storage bucket are automatically named using a unique Report ID for each file. The Report ID is used to search and download specific files for more in-depth investigation.
In case of connection issues to your S3 storage bucket due to configuration error or change in settings on the bucket, an email is automatically generated and sent to the admin that originally connected
Enterprise DLP
to the storage bucket and to the user who last modified the storage bucket connection settings. This email is sent out every 48 hours until the connection is restored.
Files that are scanned by the DLP cloud service while
Enterprise DLP
is disconnected from your storage bucket can't be stored and are lost. This means that all impacted files are not available for download. However, all snippet data is preserved and can still be viewed.
File storage automatically resumes after the connection status is restored.

Strata Cloud Manager

Create an S3 storage bucket on AWS to store files that match your
Enterprise Data Loss Prevention (E-DLP)
data profiles.
  1. Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
  2. Create a public S3 storage bucket to store files scanned by the
    Enterprise DLP
    cloud service.
    1. Select
      Services
      Storage
      S3
      Buckets
      and
      Create bucket
      .
    2. Enter a descriptive
      Bucket name
      .
    3. Select the
      AWS Region
      for the S3 storage bucket.
    4. In the
      Default encryption
      section, select
      Amazon S3 managed keys (SSE-S3)
      as the
      Encryption key type
      .
      You can
      Create a KMS Key
      if one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key.
    5. Create bucket
      .
    6. Obtain the ARN for the S3 storage bucket.
      After creating the S3 storage bucket, you're redirected back to the
      Buckets
      page. Search for and click the storage bucket you created.
      Click
      Properties
      . The storage bucket ARN is displayed in the
      Bucket overview
      .
  3. Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
    1. Log in to
      Strata Cloud Manager
      .
    2. Select
      Manage
      Configuration
      Security Services
      Data Loss Prevention
      Settings
      Sensitive Data
      .
    3. In
      Evidence Storage
      , select
      Configure Bucket
      AWS
      as the Public Storage Bucket.
    4. In
      Instructions - AWS
      , locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.
      The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.
      Leave the
      Configure Bucket for Evidence Storage
      display open and continue to create the IAM role for the S3 storage bucket in a separate browser window.
  4. Create the IAM role for the S3 storage bucket.
    This role is required to allow the DLP cloud service to write to the S3 storage bucket.
    1. Select
      Services
      Security, Identity, and Compliance
      IAM
      Access management
      Roles
      and
      Create role
      .
    2. Select
      Custom trust policy
      .
    3. For the
      Trusted entity type
      , select
      Custom trust policy
      .
    4. Return to
      Strata Cloud Manager
      and copy the trust relationship JSON.
    5. In the Amazon AWS console, paste the trust relationship JSON into the
      Custom trust policy
      to configure the trust policy.
    6. Click
      Next
      .
    7. In
      Add permissions
      , select
      Create policy
      JSON
      .
      A new window is automatically opened in your browser to create the new access policy.
    8. Return to
      Strata Cloud Manager
      and copy the access policy JSON.
    9. In the Amazon AWS console, paste the access policy JSON into the
      Policy editor
      .
    10. Add the bucket ARN for the S3 storage bucket you created.
      Throughout the JSON, you must replace all instances of
      bucket_name_to_be_replaced
      with the S3 storage bucket ARN you created.
    11. Click
      Next
      .
    12. Enter a
      Policy name
      and
      Create policy
      .
    13. Return to the browser window where you're creating the IAM role,
    14. Search for and select the access policy you created.
    15. Click
      Next
      .
    16. Enter a descriptive
      Role name
      for the IAM role.
    17. Review the IAM role trust relationship and access policy.
    18. Create role
      .
  5. Configure the S3 storage bucket for evidence file storage.
    1. Log in to
      Strata Cloud Manager
      .
      Access to evidence storage settings and files on
      Strata Cloud Manager
      is allowed only for an account administrator or app administrator role with
      Enterprise DLP
      read and write privileges. This is to ensure that only the appropriate users have access to report data and evidence.
    2. Select
      Manage
      Configuration
      Security Services
      Data Loss Prevention
      Settings
      Sensitive Data
      and select
      AWS
      as the Public Cloud Storage Bucket.
    3. Select
      Input Bucket Details
      .
    4. Enter the
      S3 Bucket Name
      of the bucket you created.
      The name you enter in the
      Strata Cloud Manager
      must match the name of the S3 storage bucket on AWS.
    5. Enter the
      Role ARN
      for the IAM role you created.
      The IAM Role ARN can be found in the IAM role
      Permissions
      . The role ARN is displayed in the
      Summary
      .
    6. Select the AWS
      Region
      where the bucket is located.
    7. Select
      Connect
      to verify the connections status your S3 storage bucket.
      Select
      Save
      if
      Enterprise DLP
      can successfully connect your bucket. A
      Palo_Alto_Networks_DLP_Connection_Test.txt
      file is uploaded to your storage bucket by the DLP cloud service to verify connectivity.
      If
      Enterprise DLP
      can't successfully connect your bucket, select
      Previous
      and edit the bucket connection settings.
    8. In the
      Evidence Storage
      settings, enable
      Sensitive Files
      to enable storage of sensitive files in the S3 storage bucket.

Strata Cloud Manager
Using AWS KMS

Create an S3 storage bucket on AWS using the AWS Key Management Service (KMS) to store files that match your
Enterprise Data Loss Prevention (E-DLP)
data profiles on
Strata Cloud Manager
.
  1. Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
  2. Create a public S3 storage bucket to store files scanned by the
    Enterprise DLP
    cloud service.
    1. Select
      Services
      Storage
      S3
      Buckets
      and
      Create bucket
      .
    2. Enter a descriptive
      Bucket name
      .
    3. Select the
      AWS Region
      for the S3 storage bucket.
    4. In the
      Default encryption
      section, select
      AWS Key Management Service (SSE-KMS)
      as the
      Encryption key type
      .
    5. To specify the
      AWS KMS key
      , you can
      Choose from your AWS KMS keys
      or you can
      Enter AWS key ARN
      .
      You can
      Create a KMS Key
      if one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key.
    6. Create bucket
      .
    7. Obtain the ARN for the S3 storage bucket.
      After creating the S3 storage bucket, you're redirected back to the
      Buckets
      page. Search for and click the storage bucket you created.
      Click
      Properties
      . The storage bucket ARN is displayed in the
      Bucket overview
      .
  3. Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
    1. Log in to
      Strata Cloud Manager
      .
    2. Select
      Manage
      Configuration
      Security Services
      Data Loss Prevention
      Settings
      Sensitive Data
      .
    3. In
      Evidence Storage
      , select
      Configure Bucket
      AWS
      as the Public Storage Bucket.
    4. Toggle
      KMS Enabled
      enable an S3 storage bucket using AWS KMS.
    5. In
      Instructions - AWS
      , locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.
      The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.
      Leave the
      Configure Bucket for Evidence Storage
      display open and continue to create the IAM role for the S3 storage bucket in a separate browser window.
  4. Create the IAM role for the S3 storage bucket.
    This role is required to allow the DLP cloud service to write to the S3 storage bucket.
    1. Select
      Services
      Security, Identity, and Compliance
      IAM
      Access management
      Roles
      and
      Create role
      .
    2. Select
      Custom trust policy
      .
    3. For the
      Trusted entity type
      , select
      Custom trust policy
      .
    4. Return to
      Strata Cloud Manager
      and copy the trust relationship JSON.
    5. In the Amazon AWS console, paste the trust relationship JSON into the
      Custom trust policy
      to configure the trust policy.
    6. Click
      Next
      .
    7. In
      Add permissions
      , select
      Create policy
      JSON
      .
      A new window is automatically opened in your browser to create the new access policy.
    8. Return to
      Strata Cloud Manager
      and copy the access policy JSON.
    9. In the Amazon AWS console, paste the access policy JSON into the
      Policy editor
      .
    10. Add the bucket ARN for the S3 storage bucket you created.
      Throughout the JSON, you must replace all instances of
      bucket_name_to_be_replaced
      with the S3 storage bucket ARN you created.
    11. Add the AWS KMS key ARN.
      The AWS KMS ARN you add here must be the same AWS KMS Key ARN you provided when you created the S3 storage bucket.
    12. Click
      Next
      .
    13. Enter a
      Policy name
      and
      Create policy
      .
    14. Return to the browser window where you're creating the IAM role,
    15. Search for and select the access policy you created.
    16. Click
      Next
      .
    17. Enter a descriptive
      Role name
      for the IAM role.
    18. Review the IAM role trust relationship and access policy.
    19. Create role
      .
  5. Configure the S3 storage bucket for evidence file storage.
    1. Log in to
      Strata Cloud Manager
      .
      Access to evidence storage settings and files on
      Strata Cloud Manager
      is allowed only for an account administrator or app administrator role with
      Enterprise DLP
      read and write privileges. This is to ensure that only the appropriate users have access to report data and evidence.
    2. Select
      Manage
      Configuration
      Security Services
      Data Loss Prevention
      Settings
      Sensitive Data
      and select
      AWS
      as the Public Cloud Storage Bucket.
    3. Select
      Input Bucket Details
      .
    4. Enter the
      S3 Bucket Name
      of the bucket you created.
      The name you enter in
      Strata Cloud Manager
      must match the name of the S3 storage bucket on AWS.
    5. Enter the
      Role ARN
      for the IAM role you created.
      The IAM Role ARN can be found in the IAM role
      Permissions
      . The role ARN is displayed in the
      Summary
      .
    6. Select the AWS
      Region
      where the bucket is located.
    7. Select
      Connect
      to verify the connections status your S3 storage bucket.
      Select
      Save
      if
      Enterprise DLP
      can successfully connect your bucket. A
      Palo_Alto_Networks_DLP_Connection_Test.txt
      file is uploaded to your storage bucket by the DLP cloud service to verify connectivity.
      If
      Enterprise DLP
      can't successfully connect your bucket, select
      Previous
      and edit the bucket connection settings.
    8. In the
      Evidence Storage
      settings, enable
      Sensitive Files
      to enable storage of sensitive files in the S3 storage bucket.

Panorama

Create an S3 storage bucket on AWS to store files that match
Enterprise Data Loss Prevention (E-DLP)
data profiles.
  1. Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
  2. Create a public S3 storage bucket to store files scanned by the
    Enterprise DLP
    cloud service.
    1. Select
      Services
      Storage
      S3
      Buckets
      and
      Create bucket
      .
    2. Enter a descriptive
      Bucket name
      .
    3. Select the
      AWS Region
      for the S3 storage bucket.
    4. In the
      Default encryption
      section, select
      Amazon S3 managed keys (SSE-S3)
      as the
      Encryption key type
      .
      You can
      Create a KMS Key
      if one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key.
    5. Create bucket
      .
    6. Obtain the ARN for the S3 storage bucket.
      After creating the S3 storage bucket, you're redirected back to the
      Buckets
      page. Search for and click the storage bucket you created.
      Click
      Properties
      . The storage bucket ARN is displayed in the
      Bucket overview
      .
  3. Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
    1. Log in to the DLP app on the hub.
    2. Select
      Settings
      Sensitive Data
      .
    3. In
      Evidence Storage
      , select
      Configure Bucket
      AWS
      as the Public Cloud Storage Bucket.
    4. In
      Instructions - AWS
      , locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.
      The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.
      Leave the
      Configure Bucket for Evidence Storage
      display open and continue to create the IAM role for the S3 storage bucket in a separate browser window.
  4. Create the IAM role for the S3 storage bucket.
    This role is required to allow the DLP cloud service to write to the S3 storage bucket.
    1. Select
      Services
      Security, Identity, and Compliance
      IAM
      Access management
      Roles
      and
      Create role
      .
    2. Select
      Custom trust policy
      .
    3. For the
      Trusted entity type
      , select
      Custom trust policy
      .
    4. Return to the Cloud Management Console and copy the trust relationship JSON.
    5. In the Amazon AWS console, paste the trust relationship JSON into the
      Custom trust policy
      to configure the trust policy.
    6. Click
      Next
      .
    7. In
      Add permissions
      , select
      Create policy
      JSON
      .
      A new window is automatically opened in your browser to create the new access policy.
    8. Return to the Cloud Management Console and copy the access policy JSON.
    9. In the Amazon AWS console, paste the access policy JSON into the
      Policy editor
      .
    10. Add the bucket ARN for the S3 storage bucket you created.
      Throughout the JSON, you must replace all instances of
      bucket_name_to_be_replaced
      with the S3 storage bucket ARN you created.
    11. Click
      Next
      .
    12. Enter a
      Policy name
      and
      Create policy
      .
    13. Return to the browser window where you're creating the IAM role,
    14. Search for and select the access policy you created.
    15. Click
      Next
      .
    16. Enter a descriptive
      Role name
      for the IAM role.
    17. Review the IAM role trust relationship and access policy.
    18. Create role
      .
  5. Configure the S3 storage bucket for evidence file storage.
    1. Log in to the DLP app on the hub.
    2. Select
      Manage
      Configuration
      Security Services
      Data Loss Prevention
      Settings
      Sensitive Data
      and select
      AWS
      as the Public Cloud Storage Bucket.
    3. Select
      Input Bucket Details
      .
    4. Enter the
      S3 Bucket Name
      of the bucket you created.
      The name you enter in the Cloud Management Console must match the name of the S3 storage bucket on AWS.
    5. Enter the
      Role ARN
      for the IAM role you created.
      The IAM Role ARN can be found in the IAM role
      Permissions
      . The role ARN is displayed in the
      Summary
      .
    6. Select the AWS
      Region
      where the bucket is located.
    7. Select
      Connect
      to verify the connections status your S3 storage bucket.
      Select
      Save
      if
      Enterprise DLP
      can successfully connect your bucket. A
      Palo_Alto_Networks_DLP_Connection_Test.txt
      file is uploaded to your storage bucket by the DLP cloud service to verify connectivity.
      If
      Enterprise DLP
      can't successfully connect your bucket, select
      Previous
      and edit the bucket connection settings.
    8. In the
      Evidence Storage
      settings, enable
      Sensitive Files
      to enable storage of sensitive files in the S3 storage bucket.

Panorama
Using AWS KMS

Create an S3 storage bucket on AWS using the AWS Key Management Service (KMS) to store files that match your
Enterprise Data Loss Prevention (E-DLP)
data profiles on the DLP app on the hub.
  1. Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
  2. Create a public S3 storage bucket to store files scanned by the
    Enterprise DLP
    cloud service.
    1. Select
      Services
      Storage
      S3
      Buckets
      and
      Create bucket
      .
    2. Enter a descriptive
      Bucket name
      .
    3. Select the
      AWS Region
      for the S3 storage bucket.
    4. In the
      Default encryption
      section, select
      AWS Key Management Service (SSE-KMS)
      as the
      Encryption key type
      .
    5. To specify the
      AWS KMS key
      , you can
      Choose from your AWS KMS keys
      or you can
      Enter AWS key ARN
      .
      You can
      Create a KMS Key
      if one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key.
    6. Create bucket
      .
    7. Obtain the ARN for the S3 storage bucket.
      After creating the S3 storage bucket, you're redirected back to the
      Buckets
      page. Search for and click the storage bucket you created.
      Click
      Properties
      . The storage bucket ARN is displayed in the
      Bucket overview
      .
  3. Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
    1. Log in to the DLP app on the hub.
    2. Select
      Settings
      Sensitive Data
      .
    3. In
      Evidence Storage
      , select
      Configure Bucket
      AWS
      as the Public Cloud Storage Bucket.
    4. Toggle
      KMS Enabled
      enable an S3 storage bucket using AWS KMS.
    5. In
      Instructions - AWS
      , locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.
      The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.
      Leave the
      Configure Bucket for Evidence Storage
      display open and continue to create the IAM role for the S3 storage bucket in a separate browser window.
  4. Create the IAM role for the S3 storage bucket.
    This role is required to allow the DLP cloud service to write to the S3 storage bucket.
    1. Select
      Services
      Security, Identity, and Compliance
      IAM
      Access management
      Roles
      and
      Create role
      .
    2. Select
      Custom trust policy
      .
    3. For the
      Trusted entity type
      , select
      Custom trust policy
      .
    4. Return to the Cloud Management Console and copy the trust relationship JSON.
    5. In the Amazon AWS console, paste the trust relationship JSON into the
      Custom trust policy
      to configure the trust policy.
    6. Click
      Next
      .
    7. In
      Add permissions
      , select
      Create policy
      JSON
      .
      A new window is automatically opened in your browser to create the new access policy.
    8. Return to the Cloud Management Console and copy the access policy JSON.
    9. In the Amazon AWS console, paste the access policy JSON into the
      Policy editor
      .
    10. Add the bucket ARN for the S3 storage bucket you created.
      Throughout the JSON, you must replace all instances of
      bucket_name_to_be_replaced
      with the S3 storage bucket ARN you created.
    11. Add the AWS KMS key ARN.
      The AWS KMS ARN you add here must be the same AWS KMS Key ARN you provided when you created the S3 storage bucket.
    12. Click
      Next
      .
    13. Enter a
      Policy name
      and
      Create policy
      .
    14. Return to the browser window where you're creating the IAM role,
    15. Search for and select the access policy you created.
    16. Click
      Next
      .
    17. Enter a descriptive
      Role name
      for the IAM role.
    18. Review the IAM role trust relationship and access policy.
    19. Create role
      .
  5. Configure the S3 storage bucket for evidence file storage.
    1. Log in to the DLP app on the hub.
    2. Select
      Manage
      Configuration
      Security Services
      Data Loss Prevention
      Settings
      Sensitive Data
      and select
      AWS
      as the Public Cloud Storage Bucket.
    3. Select
      Input Bucket Details
      .
    4. Enter the
      S3 Bucket Name
      of the bucket you created.
      The name you enter in the Cloud Management Console must match the name of the S3 storage bucket on AWS.
    5. Enter the
      Role ARN
      for the IAM role you created.
      The IAM Role ARN can be found in the IAM role
      Permissions
      . The role ARN is displayed in the
      Summary
      .
    6. Select the AWS
      Region
      where the bucket is located.
    7. Select
      Connect
      to verify the connections status your S3 storage bucket.
      Select
      Save
      if
      Enterprise DLP
      can successfully connect your bucket. A
      Palo_Alto_Networks_DLP_Connection_Test.txt
      file is uploaded to your storage bucket by the DLP cloud service to verify connectivity.
      If
      Enterprise DLP
      can't successfully connect your bucket, select
      Previous
      and edit the bucket connection settings.
    8. In the
      Evidence Storage
      settings, enable
      Sensitive Files
      to enable storage of sensitive files in the S3 storage bucket.

Recommended For You