Scan a Single Amazon S3 Account

Before you can scan an Amazon S3 app, you must configure an AWS IAM policy, a user, a role, and (optionally) an S3 bucket in which CloudTrail will log the events that occur in your Amazon S3 buckets.
To configure the Amazon S3 app to scan a single AWS account:
  1. Log in to your AWS Console.
  2. Select Security, Identity & Compliance.
  3. Configure the Prisma SaaS policy used to connect to the Amazon S3 app.
    1. Select Create policy and then select Create Your Own Policy.
    2. Enter the Policy Name and provide an optional description of the policy.
    3. Copy and paste the following configuration into the Policy Document:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:Get*",
              "s3:List*",
              "s3:Put*",
              "s3:Delete*",
              "s3:CreateBucket",
              "iam:GetUser",
              "iam:GetRole",
              "iam:GetUserPolicy",
              "iam:ListUsers",
              "cloudtrail:GetTrailStatus",
              "cloudtrail:DescribeTrails",
              "cloudtrail:LookupEvents",
              "cloudtrail:ListTags",
              "cloudtrail:ListPublicKeys",
              "cloudtrail:GetEventSelectors",
              "ec2:DescribeVpcEndpoints",
              "ec2:DescribeVpcs",
              "config:Get*",
              "config:Describe*",
              "config:Deliver*",
              "config:List*"
            ],
            "Resource": "*"
          }
        ]
      }
    4. Click Create Policy.
  4. Configure the account Prisma SaaS will use to access the Amazon S3 logs:
    1. Select Add user.
    2. Enter the user name as
    3. To generate an access key ID and secret access key for Prisma SaaS to use to access the Amazon S3 service, enable Programmatic access.
    4. Select Next: Permissions.
    5. Select Attach existing policies directly.
    6. Search for and select the check box next to the prisma-saas-s3-policy you created in the previous step.
    7. Click Next: Review.
    8. Click Create User. Note your Access key ID and Secret access key.
  5. If you have not already done so, configure CloudTrail logging. This enables the Amazon S3 app to log management and data events to the CloudTrail buckets of your choice.
    1. To copy your AWS account ID into memory, click your username at the top right and copy the Account number. You will need your account number later in this procedure.
    2. Select Management Tools, then Add new trail.
    3. Enter the Trail name.
    4. Set Apply trail to all Regions.
    5. In the Data events area, enter the name of each bucket that you want Prisma SaaS to scan. You can also choose Select all S3 buckets in your account to enable Prisma SaaS to scan all of your S3 buckets. The interface offers auto-completion as you type. Repeat the process to select additional buckets.
    6. To create a bucket in which CloudTrail will store management and data event logs, enter the S3 bucket name as <AWS account ID> under Storage location. Take note of the S3 bucket (CloudTrail bucket name) and region.
    7. Click
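The policy document from step 3 and the data-event selection from step 5 can both be sanity-checked offline before the access key is handed to the app. The Python below is an added example, not part of the Prisma SaaS documentation or the product's own code. audit_policy() lists the actions in a policy document that can modify resources and counts statements whose Resource is "*" (on the policy above it reports s3:Put*, s3:Delete*, s3:CreateBucket and config:Deliver* on every resource, which tells you how carefully the key from step 4 must be stored). trail_covers_buckets() takes event selectors in the shape CloudTrail's GetEventSelectors API returns and reports, for each bucket you intend Prisma SaaS to scan, whether S3 data-event logging covers it fully, partially, or not at all; it uses CloudTrail's documented prefix convention (arn:aws:s3 for all buckets, arn:aws:s3:::bucket/ for one bucket) and treats a selector that records only reads as not covering the bucket, since PutObject and DeleteObject would then be missing from the logs. The WRITE_PREFIXES list, SAMPLE_EVENT_SELECTORS and the bucket names are constructed assumptions.

```python
"""Offline checks for the IAM policy and CloudTrail data-event selectors created in
the procedure above. Added example, not Prisma SaaS code; standard library only."""

# Constructed copy of the policy document from step 3 of the procedure.
PRISMA_SAAS_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*", "s3:CreateBucket",
            "iam:GetUser", "iam:GetRole", "iam:GetUserPolicy", "iam:ListUsers",
            "cloudtrail:GetTrailStatus", "cloudtrail:DescribeTrails",
            "cloudtrail:LookupEvents", "cloudtrail:ListTags",
            "cloudtrail:ListPublicKeys", "cloudtrail:GetEventSelectors",
            "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs",
            "config:Get*", "config:Describe*", "config:Deliver*", "config:List*",
        ],
        "Resource": "*",
    }],
}

# Action-name prefixes that change state rather than only read it. An assumption
# covering the services named in the policy above, not an AWS-provided taxonomy.
WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Create", "config:Deliver")

# Constructed selectors in the shape returned by CloudTrail GetEventSelectors:
# one bucket fully covered, one covered only under a key prefix.
SAMPLE_EVENT_SELECTORS = [{
    "ReadWriteType": "All",
    "IncludeManagementEvents": True,
    "DataResources": [{
        "Type": "AWS::S3::Object",
        "Values": ["arn:aws:s3:::finance-reports/", "arn:aws:s3:::hr-exports/archive/"],
    }],
}]


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit_policy(policy):
    """Summarise the blast radius of a policy document: which allowed actions can
    modify resources, and how many Allow statements apply to Resource "*"."""
    write_actions = []
    wildcard_statements = 0
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource")):
            wildcard_statements += 1
        for action in _as_list(stmt.get("Action")):
            # "*" and "service:*" include writes; otherwise match known write prefixes.
            if action == "*" or action.endswith(":*") or action.startswith(WRITE_PREFIXES):
                write_actions.append(action)
    return {
        "write_actions": write_actions,
        "wildcard_resource_statements": wildcard_statements,
        "read_only": not write_actions,
    }


def trail_covers_buckets(event_selectors, buckets):
    """Map each bucket name to "all", "partial" or "none" according to the S3
    data-event selectors of a trail. Only selectors that record both reads and
    writes (ReadWriteType "All") count, so object writes are guaranteed to be logged."""
    coverage = {bucket: "none" for bucket in buckets}
    for selector in event_selectors:
        if selector.get("ReadWriteType", "All") != "All":
            continue
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            for value in resource.get("Values", []):
                for bucket in buckets:
                    whole_bucket = f"arn:aws:s3:::{bucket}/"
                    if value in ("arn:aws:s3", "arn:aws:s3:::") or value == whole_bucket:
                        coverage[bucket] = "all"  # all buckets, or every object in this one
                    elif value.startswith(whole_bucket) and coverage[bucket] != "all":
                        coverage[bucket] = "partial"  # only objects under a key prefix
    return coverage


if __name__ == "__main__":
    print(audit_policy(PRISMA_SAAS_S3_POLICY))
    print(trail_covers_buckets(SAMPLE_EVENT_SELECTORS,
                               ["finance-reports", "hr-exports", "legal-docs"]))
```

In practice you would feed trail_covers_buckets() the EventSelectors array from `aws cloudtrail get-event-selectors --trail-name <trail>` and the bucket list you entered in step 5; a "partial" or "none" result means the Amazon S3 app will not see every object-level event for that bucket.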
