Cross Account Scan Multiple Amazon S3 Accounts

To enable scanning of S3 buckets across multiple AWS accounts, you must first set up the AWS IAM policy, user, and role on the primary account (see Begin Scanning an Amazon S3 App), and then configure users, roles, policies, and CloudTrail trails for both the primary and secondary accounts. The account in which all CloudTrail logs are stored is referred to as the primary account. All other accounts are referred to as secondary accounts.
To configure AWS S3 scanning across multiple accounts:
  1. Configure CloudTrail on the primary account.
    1. Log in to your AWS Console aws.amazon.com.
    2. Select
      Services
      CloudTrail
      Trails
      Create Trail
      .
    3. Enter the Trail name
      prisma-saas-s3-primary-trail
      .
    4. Set
      Apply trail to all Regions
      to
      Yes
      .
    5. In the
      Data Events
      area, enter the name of each S3 bucket in your primary account on which you want to enable scanning. You can also choose
      Select all S3 buckets in your account
      to enable Prisma SaaS to scan all of your S3 buckets in your primary account.
    6. In the
      Storage location
      area, create a bucket in which CloudTrail will store management and data event logs, enter the
      S3 bucket
      name as
      prisma-saas-s3-
      <AWS account ID>
      .
      You can also use an existing bucket for the log storage location, if one exists.
  2. Configure a role and an associated policy on each secondary account.
    1. Log in to your AWS Console aws.amazon.com.
    2. Configure an IAM role by selecting
      IAM
      Roles
      Create Role
      .
    3. Select
      Another AWS account
      as the type of trusted entity.
    4. Enter the AWS account number of your primary account in
      Specify accounts that can use this role
      . Leave the other
      Options
      unchecked and select
      Next: Permissions
      .
    5. Click
      Create Policy
      and a new window will open.
    6. Click the
      JSON
      tab and copy and paste the following configuration into the
      Policy Document
      section:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:Get*",
              "s3:List*",
              "s3:Put*",
              "s3:Delete*",
              "s3:CreateBucket",
              "iam:GetUser",
              "iam:GetRole",
              "iam:GetUserPolicy",
              "iam:ListUsers",
              "cloudtrail:GetTrailStatus",
              "cloudtrail:DescribeTrails",
              "cloudtrail:LookupEvents",
              "cloudtrail:ListTags",
              "cloudtrail:ListPublicKeys",
              "cloudtrail:GetEventSelectors",
              "ec2:DescribeVpcEndpoints",
              "ec2:DescribeVpcs",
              "config:Get*",
              "config:Describe*",
              "config:Deliver*",
              "config:List*"
            ],
            "Resource": "*"
          }
        ]
      }
      Note that this policy grants write and delete access (s3:Put*, s3:Delete*) on every bucket in the account, not only on the buckets you scan; confirm that this scope is acceptable before attaching it.
    7. Click
      Review Policy
      and enter the
      Policy Name
      as
      prisma-saas-s3-secondary-policy
      and provide an optional description of the policy.
    8. Click
      Create Policy
      .
    9. Refresh
      the policy window and select
      prisma-saas-s3-secondary-policy
      .
    10. Select
      Next: Review
      and enter the role name
      prisma-saas-s3-secondary-role
      .
    11. Before creating the role, verify the following:
      1. Trusted entities
        contain the primary account number.
      2. prisma-saas-s3-secondary-policy
        displays in
        Policies
        .
      3. When verification is complete, click
        Create Role
        .
    12. Select the role you just created and copy its role ARN (for example
      arn:aws:iam::222222222:role/prisma-saas-s3-secondary-role
      ). You will need the role ARN later in this procedure.
  3. Configure the CloudTrail bucket in the primary account to give CloudTrail service access to each secondary account prefix.
    1. Log in to your AWS Console aws.amazon.com.
    2. Select
      Services
      S3
      .
    3. Select the CloudTrail S3 bucket you created in step 1, for example
      prisma-saas-s3-<AWS account ID>
      .
    4. Select
      Permissions
      Bucket Policy
      .
    5. Verify that the bucket policy contains a statement that allows the
      s3:PutObject
      action on the primary account prefix, for example:
      "Resource": "arn:aws:s3:::prisma-saas-s3-<primary account ID>/AWSLogs/<primary account ID>/*",
    6. Modify this resource entry to add the account prefix for each secondary account, similar to the following:
      "Resource": [
        "arn:aws:s3:::prisma-saas-s3-<primary account ID>/AWSLogs/<primary account ID>/*",
        "arn:aws:s3:::prisma-saas-s3-<primary account ID>/AWSLogs/111111111/*",
        "arn:aws:s3:::prisma-saas-s3-<primary account ID>/AWSLogs/222222222/*",
        "arn:aws:s3:::prisma-saas-s3-<primary account ID>/AWSLogs/333333333/*"
      ],
    7. Save
      the resource modification.
  4. Configure CloudTrail on each secondary account to associate with the primary account.
    1. Select
      Services
      CloudTrail
      Trails
      Create trail
      .
    2. Enter the Trail name
      prisma-saas-s3-secondary-trail
      .
    3. Set
      Apply trail to all Regions
      to
      Yes
      .
    4. In the
      Data events
      area, enter the name of each bucket in your secondary account for which you want to enable scanning. You can also choose
      Select all S3 buckets in your account
      to enable Prisma SaaS to scan all of your secondary S3 buckets. The interface offers auto-completion as you type. Repeat the process to select additional buckets.
    5. To configure a bucket in which CloudTrail will store management and data event logs for this account, enter the bucket name of the CloudTrail bucket in the primary account, for example
      prisma-saas-s3-
      <AWS account ID>
      in the
      Storage location
      area and click
      Create
      .
  5. Configure a user in the primary account that will access each of the secondary accounts.
    1. Select
      Services
      IAM
      .
    2. Select
      Users
      Add user
      .
    3. Enter the user name as
      prisma-saas-s3-user
      .
    4. Select
      Programmatic access
      to generate an access key ID and secret access key for Prisma SaaS to use to access the Amazon S3 service.
    5. Select
      Next: Permissions
      .
    6. Create a user policy.
      1. Select
        Attach existing policies directly
        Create Policy
        . A new window will open. You will attach this policy to the user account that authorizes Prisma SaaS to scan the Amazon S3 accounts.
      2. Click the
        JSON
        tab and copy and paste the following configuration into the
        Policy Document
        section:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:Get*",
              "s3:List*",
              "s3:Put*",
              "s3:Delete*",
              "s3:CreateBucket",
              "iam:GetUser",
              "iam:GetRole",
              "iam:GetUserPolicy",
              "iam:ListUsers",
              "cloudtrail:GetTrailStatus",
              "cloudtrail:DescribeTrails",
              "cloudtrail:LookupEvents",
              "cloudtrail:ListTags",
              "cloudtrail:ListPublicKeys",
              "cloudtrail:GetEventSelectors",
              "ec2:DescribeVpcEndpoints",
              "ec2:DescribeVpcs",
              "config:Get*",
              "config:Describe*",
              "config:Deliver*",
              "config:List*"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111111111:role/prisma-saas-s3-secondary-role"
          },
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::222222222:role/prisma-saas-s3-secondary-role"
          },
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::333333333:role/prisma-saas-s3-secondary-role"
          }
        ]
      }
      This policy document references three placeholder secondary accounts, 111111111, 222222222, and 333333333 (real AWS account IDs are 12 digits). Edit the policy to list the account number of each of your secondary accounts, and make sure the role name in each ARN matches the role you created in that account in step 2 (prisma-saas-s3-secondary-role); the sts:AssumeRole statement is what lets this user act in the secondary account.
    7. Click
      Review Policy
      and enter the
      Policy Name
      as
      prisma-saas-s3-primary-policy
      and provide an optional description of the policy.
    8. Click
      Create Policy
      .
    9. Refresh
      the first window and select
      prisma-saas-s3-primary-policy
      , then click
      Next: Review
      and
      Create User
      .
      Note the
      Access key ID
      and
      Secret access key
      for the user. You will need these credentials later in this setup. The secret access key is shown only at creation time, so store it securely rather than in a ticket or chat message.
    10. Click
      Close
      .
