Set Up Cloud Storage to Save Evidence

Create an S3 bucket on Amazon Web Services (AWS) to store files that match your Enterprise Data Loss Prevention (DLP) data filtering profiles.
Amazon Web Services (AWS) users can configure an S3 bucket to automatically upload all files that match an Enterprise Data Loss Prevention (DLP) data filtering profile for Enterprise DLP leveraged on Prisma Access and Next-Generation Firewalls.
To store your files scanned by the DLP cloud service, you must create an S3 bucket and Identity and Access Management (IAM) role that allows the DLP cloud service access to automatically store files. Palo Alto Networks provides you a JSON data containing the required policy permissions to create the IAM role. Files uploaded to your S3 bucket are automatically named using a unique Report ID for each file. The Report ID is used to search and download specific files for more in depth investigation.
In case of connection issues to your S3 bucket due to configuration error or change in settings on the bucket, an email is automatically generated and sent to the admin that originally connected the DLP app to the storage bucket and to the user who last modified the storage bucket connection settings on the DLP app. This email is sent out every 48 hours until the connection is restored.
Files that are scanned by the DLP cloud service while the DLP app is disconnected from your storage bucket cannot be stored and are lost. This means that all impacted files are not available for download. However, all snippet data is preserved and can still be viewed on the DLP app on the hub.
File storage automatically resumes after the connection status is restored.
  1. Create a public S3 storage bucket to store files scanned by the Enterprise DLP cloud service.
    1. Select
      Services
      Storage
      S3
      Buckets
      and
      Create bucket
      .
    2. Enter a descriptive
      Bucket name
      .
    3. Select the
      AWS Region
      for the S3 bucket.
    4. In the Default encryption section,
      Enable
      server-side encryption and select your preferred encryption key type.
      This is required to successfully associate the S3 bucket with the hub.
    5. Create bucket
      .
  2. Create the IAM role for the S3 bucket.
    This role is required to allow the DLP cloud service to write to the S3 bucket.
    1. Select
      Services
      Security, Identity, and Compliance
      IAM
      Access management
      Roles
      and
      Create role
      .
    2. For the type of trusted entity, select
      S3
      from the list displayed in the Choose a use case section.
    3. In the Select your use case section, select
      S3
      .
    4. Select
      Next: Permissions
      ,
      Next: Tags
      and
      Next: Review
      .
      The permissions policy to create the trust relationship is configured the following step.
    5. Enter a descriptive
      Role name
      for the IAM role.
    6. Create role
      .
  3. Configure the trust relationship for the IAM role.
    1. Obtain the trust relationship using JSON provided by Palo Alto Networks.
      1. Log in to the DLP app on the hub
      2. Select
        Settings
        and
        Edit
        the Cloud Storage Bucket.
      3. In the
        Instructions
        , copy the JSON provided to define the trust relationship between the IAM role and Palo Alto Networks.
    2. In AWS, select
      Services
      Security, Identity, and Compliance
      IAM
      Access management
      Roles
      and select the IAM role you created.
    3. Select
      Trust relationships
      and
      Edit trust relationship
      .
    4. Paste the trust relationship JSON you copied from the DLP app in the hub to define the trust relationship between the IAM role and Palo Alto Networks.
    5. Update Trust Relationship
      .
  4. Create a policy to define the access policy and assign the policy to the IAM role you created.
    Palo Alto Networks provides you with a JSON containing the required access policy configuration that you can copy and paste.
    1. Obtain the trust relationship using JSON provided by Palo Alto Networks.
      1. Log in to the DLP app on the hub
      2. Select
        Settings
        and
        Edit
        the Cloud Storage Bucket.
      3. In the
        Instructions
        , copy the JSON provided to define the trust relationship between the IAM role and Palo Alto Networks.
    2. In AWS, select
      Services
      Security, Identity, and Compliance
      IAM
      Access management
      Policies
      and
      Create policy
      .
    3. Select
      JSON
      and pasted the JSON provided by Palo Alto Networks.
      Throughout the JSON, you must delete all instances of
      bucket_name_to_be_replaced
      with the S3 bucket ARN you created.
      You can find the ARN of your S3 bucket by selecting
      Services
      Storage
      S3
      . Then select the S3 bucket and view the
      Properties
      .
    4. Select
      Next: Tags
      and
      Next: Review
    5. Enter a descriptive
      Name
      for the access policy and
      Create policy
      .
    6. Select
      Roles
      and select the IAM role you created.
    7. Select
      Permissions
      Attach policies
      to select the access policy you created and
      Attach policies
      .
  5. Configure the S3 bucket for evidence file storage.
    1. Log in to the DLP app on the hub.
      If you do not already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      Access to evidence storage settings and files on the hub is allowed only for an account administrator or app administrator roles with a valid Enterprise DLP license associated with that support account. This is to ensure that only the appropriate users have access to report data and evidence.
    2. Select
      Settings
      and
      Edit
      the Public Cloud Storage Bucket.
    3. Enter the
      S3 Bucket Name
      of the bucket you created.
    4. Enter the
      Role ARN
      for the IAM role you created.
    5. Select the AWS
      Region
      where the bucket is located.
    6. Select
      Next
      to verify the connections status your S3 bucket.
      Select
      Save
      if the hub can successfully connect your bucket.
      If the hub cannot successfully connect your bucket, select
      Previous
      and edit the bucket connection settings.
    7. In the DLP
      Settings
      ,
      Enable
      storage of sensitive files for the platform in which you are leveraging Enterprise DLP.
      You can only enable storage of sensitive files for platform for which you have activated the Enterprise DLP license. For example, you only have the option to enable evidence storage for Next-Generation Firewalls if you activated the Enterprise DLP license on Panorama.

Recommended For You