Enterprise DLP Administrator’s Guide
    : Configure Cloud Storage on AWS Using AWS KMS for Panorama
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Enterprise DLP Administrator’s Guide
    4. Monitor Enterprise DLP
    5. Save Evidence for Investigative Analysis with Enterprise DLP
    6. Set Up Cloud Storage to Save Evidence for Panorama
    7. Configure Cloud Storage on AWS Using AWS KMS for Panorama
    Download PDF

    Enterprise DLP Administrator’s Guide

    Configure Cloud Storage on AWS Using AWS KMS for Panorama

    Table of Contents

    Configure Cloud Storage on AWS Using AWS KMS for
    Panorama

    Create an S3 storage bucket on AWS using the AWS Key Management Service (KMS) to store files that match your
    Enterprise Data Loss Prevention (E-DLP)
     data profiles on the DLP app on the hub.
    Where Can I Use This?
    What Do I Need?
    • Panorama
    • Enterprise Data Loss Prevention (E-DLP)
       license
    • Device management license
    • Support license
    Amazon Web Services (AWS) users can configure an S3 storage bucket using the AWS Key Management Service (KMS) to automatically upload all files that match an Enterprise Data Loss Prevention (DLP) data filtering profile for
    Enterprise DLP
     deployed on
    Panorama
     or
    Prisma Access (Panorama Managed)
    .
    To store your files scanned by the DLP cloud service, you must create an S3 storage bucket and Identity and Access Management (IAM) role that allows the DLP cloud service access to automatically store files. Palo Alto Networks provides you with a JSON data containing the required policy permissions to create the IAM role. Files uploaded to your S3 storage bucket are automatically named using a unique Report ID for each file. The Report ID is used to search and download specific files for more in-depth investigation.
    In case of connection issues to your S3 storage bucket due to configuration error or change in settings on the bucket, an email is automatically generated and sent to the admin that originally connected the DLP app to the storage bucket and to the user who last modified the storage bucket connection settings on the DLP app. This email is sent out every 48 hours until the connection is restored.
    Files that are scanned by the DLP cloud service while the DLP app is disconnected from your storage bucket can't be stored and are lost. This means that all impacted files are not available for download. However, all snippet data is preserved and can still be viewed on the DLP app on the hub.
    File storage automatically resumes after the connection status is restored.
    1. Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
    2. Create a public S3 storage bucket to store files scanned by the
      Enterprise DLP
       cloud service.
      2. Select
        Services
        Storage
        S3
        Buckets
         and
        Create bucket
        .
      3. Enter a descriptive
        Bucket name
        .
      4. Select the
        AWS Region
         for the S3 storage bucket.
      5. In the
        Default encryption
         section, select
        AWS Key Management Service (SSE-KMS)
         as the
        Encryption key type
        .
      6. To specify the
        AWS KMS key
        , you can
        Choose from your AWS KMS keys
         or you can
        Enter AWS key ARN
        .
        You can
        Create a KMS Key
         if one does not already exist. Refer to AWS Documentation for more information on creating a new KMS key.
      7. Create bucket
        .
      8. Obtain the ARN for the S3 storage bucket.
        After creating the S3 storage bucket, you're redirected back to the
        Buckets
         page. Search for and click the storage bucket you created.
        Click
        Properties
        . The storage bucket ARN is displayed in the
        Bucket overview
        .
    3. Enable the AWS KMS setting for the storage bucket and locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
      1. Log in to the DLP app on the hub.
      2. Select
        Settings
        Sensitive Data
        .
      3. In
        Evidence Storage
        , select
        Configure Bucket
        AWS
         as the Public Cloud Storage Bucket.
      4. Toggle
        KMS Enabled
         enable an S3 storage bucket using AWS KMS.
      5. In
        Instructions - AWS
        , locate the trust relationship and access policy JSON provided to define the trust relationship and access policy between the IAM role and Palo Alto Networks.
        The first JSON provided is the trust relationship and the second is the access policy. Highlighted are the copy buttons that you will use later on to create the IAM role for the S3 storage bucket.
        Leave the
        Configure Bucket for Evidence Storage
         display open and continue to create the IAM role for the S3 storage bucket in a separate browser window.
    4. Create the IAM role for the S3 storage bucket.
      This role is required to allow the DLP cloud service to write to the S3 storage bucket.
      2. Select
        Services
        Security, Identity, and Compliance
        IAM
        Access management
        Roles
         and
        Create role
        .
      3. Select
        Custom trust policy
        .
      4. For the
        Trusted entity type
        , select
        Custom trust policy
        .
      5. Return to the Cloud Management Console and copy the trust relationship JSON.
      6. In the Amazon AWS console, paste the trust relationship JSON into the
        Custom trust policy
         to configure the trust policy.
      7. Click
        Next
        .
      8. In
        Add permissions
        , select
        Create policy
        JSON
        .
        A new window is automatically opened in your browser to create the new access policy.
      9. Return to the Cloud Management Console and copy the access policy JSON.
      10. In the Amazon AWS console, paste the access policy JSON into the
        Policy editor
        .
      11. Add the bucket ARN for the S3 storage bucket you created.
        Throughout the JSON, you must replace all instances of
        bucket_name_to_be_replaced
         with the S3 storage bucket ARN you created.
      12. Add the AWS KMS key ARN.
        The AWS KMS ARN you add here must be the same AWS KMS Key ARN you provided when you created the S3 storage bucket.
      13. Click
        Next
        .
      14. Enter a
        Policy name
         and
        Create policy
        .
      15. Return to the browser window where you're creating the IAM role,
      16. Search for and select the access policy you created.
      17. Click
        Next
        .
      18. Enter a descriptive
        Role name
         for the IAM role.
      19. Review the IAM role trust relationship and access policy.
      20. Create role
        .
    5. Configure the S3 storage bucket for evidence file storage.
      1. Log in to the DLP app on the hub.
      2. Select
        Manage
        Configuration
        Security Services
        Data Loss Prevention
        Settings
        Sensitive Data
         and select
        AWS
         as the Public Cloud Storage Bucket.
      3. Select
        Input Bucket Details
        .
      4. Enter the
        S3 Bucket Name
         of the bucket you created.
        The name you enter in the Cloud Management Console must match the name of the S3 storage bucket on AWS.
      5. Enter the
        Role ARN
         for the IAM role you created.
        The IAM Role ARN can be found in the IAM role
        Permissions
        . The role ARN is displayed in the
        Summary
        .
      6. Select the AWS
        Region
         where the bucket is located.
      7. Select
        Connect
         to verify the connections status your S3 storage bucket.
        Select
        Save
         if
        Enterprise DLP
         can successfully connect your bucket. A
        Palo_Alto_Networks_DLP_Connection_Test.txt
         file is uploaded to your storage bucket by the DLP cloud service to verify connectivity.
        If
        Enterprise DLP
         can't successfully connect your bucket, select
        Previous
         and edit the bucket connection settings.
      8. In the
        Evidence Storage
         settings, enable
        Sensitive Files
         to enable storage of sensitive files in the S3 storage bucket.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.