Add the Amazon S3 App

Add the Amazon S3 app to begin scanning your assets in S3 buckets with Data Security.
After you set up the scan configuration for a single AWS account or for multiple AWS accounts, add the Amazon S3 app to Data Security to begin scanning the assets in your S3 buckets for policy violations.

Add Amazon S3 App

There are two methods to set up the Amazon S3 app on Data Security, depending on whether you are configuring a single account or multiple accounts.
  1. To add the Amazon S3 app to Data Security, go to Data Security > Applications > Add Application > Amazon S3.
  2. Connect a single AWS account, if applicable.
    1. Connect a single AWS account by clicking Connect to Account.
    2. Enter the Access Key ID and Secret Access Key that you noted earlier when you completed the worksheet for your app scan. Use the keys of a dedicated IAM user scoped to the permissions the scan requires; do not use the keys of the AWS account root user.
    3. Enter the CloudTrail Bucket Name (S3 bucket name). This bucket is placed on the default exclusion list so that the CloudTrail log files themselves are not scanned as assets.
      S3 bucket names share a single global namespace (the name forms part of the bucket's URL), so the name must be unique across all AWS accounts. If another account already owns a bucket with the name you chose, you must use a different name. A unique name does not by itself make the bucket publicly reachable; that depends on the bucket policy, ACL and Block Public Access settings.
    4. Enter the AWS Account ID.
      To find your AWS account ID number on the AWS Management Console, select Support on the navigation bar on the upper-right, and then select Support Center. Your signed-in account ID displays in the upper-right corner below the Support menu. Alternatively, run aws sts get-caller-identity from the AWS CLI; the Account field of the output is the account ID of the signed-in credentials.
    5. Select the Region.
    6. Click OK. Data Security adds the Amazon S3 app to the list of Cloud Apps.
  3. Connect multiple AWS accounts, if applicable.
    AWS enables you to combine CloudTrail log files from multiple AWS regions and separate accounts into a single S3 bucket. Aggregating your log files in a single bucket simplifies storage and management of your Trails.
    1. Enter the Primary Account Access Key ID and Primary Account Secret Access Key that you noted earlier when you completed the worksheet for your app scan.
    2. Enter the Primary AWS Account ID.
      To find your AWS account ID number on the AWS Management Console, select Support on the navigation bar on the upper-right, and then select Support Center. Your signed-in account ID displays in the upper-right corner below the Support menu.
    3. Enter the Shared IAM Role.
      The shared IAM role delegates access to resources in the other AWS accounts that you own (for example, Production and Development). With cross-account access through a role, you don't need to create individual IAM users in each account, and users don't have to sign out of one account and sign into another to reach resources in a different account. The role must exist in each secondary account, and its trust policy should allow only the primary account to assume it.
    4. Enter the Primary CloudTrail Bucket Name (S3 bucket name).
      S3 bucket names share a single global namespace (the name forms part of the bucket's URL), so the name must be unique across all AWS accounts. If another account already owns a bucket with the name you chose, you must use a different name.
    5. Select the Primary CloudTrail Bucket Region.
    6. In Secondary Account Configuration select a CloudTrail configuration:
      • Centralized CloudTrail: logging for all AWS accounts goes to a single CloudTrail bucket in the primary account. Enter one AWS account ID per line with no delimiters.
      • Distributed CloudTrail: logging for each AWS account goes to a separate CloudTrail bucket in that account's own location. Enter one entry per line in the form Account ID:Bucket Name:Region, using a colon ( : ) as the delimiter.
      If you are configuring both centralized and distributed CloudTrails, use Distributed CloudTrail.
    7. Click OK to add the Amazon S3 app to the list of Cloud Apps on Data Security.
  4. Next Step: Proceed to Customize Amazon S3 App.
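The multi-account entries above are typed into a free-text box, so a malformed line is easy to miss until the scan fails. The following script is an added example, not code from Data Security or its documentation: it parses the Secondary Account Configuration text in exactly the form the steps describe (one Account ID:Bucket Name:Region entry per line for Distributed CloudTrail, one 12-digit account ID per line for Centralized CloudTrail), checks each field against the AWS formatting rules, and prints the trust policy for the shared IAM role in each secondary account so that only the primary account can assume it. The account IDs, bucket names and role settings are constructed placeholders, and the sts:ExternalId condition is a hardening assumption not on this page; drop it if the product does not present an ExternalId for the role.

```python
"""Validate the multi-account Amazon S3 app configuration before entering it.

Added example; not part of Data Security. Sample values are constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

ACCOUNT_RE = re.compile(r"^\d{12}$")
# S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit, no ".." and not an IPv4 address.
BUCKET_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


@dataclass(frozen=True)
class SecondaryAccount:
    account_id: str
    bucket: Optional[str]   # None for Centralized CloudTrail entries
    region: Optional[str]


def validate_bucket_name(name: str) -> bool:
    return bool(BUCKET_RE.match(name)) and not IPV4_RE.match(name) and ".." not in name


def parse_secondary_config(text: str, distributed: bool) -> List[SecondaryAccount]:
    """Parse the text-box contents; raise ValueError naming the offending line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if distributed:
            parts = [p.strip() for p in line.split(":")]
            if len(parts) != 3:
                raise ValueError(f"line {lineno}: expected account:bucket:region, got {raw!r}")
            account, bucket, region = parts
            if not validate_bucket_name(bucket):
                raise ValueError(f"line {lineno}: invalid bucket name {bucket!r}")
            if not REGION_RE.match(region):
                raise ValueError(f"line {lineno}: invalid region {region!r}")
        else:
            if ":" in line:
                raise ValueError(f"line {lineno}: centralized entries take only an account ID")
            account, bucket, region = line, None, None
        if not ACCOUNT_RE.match(account):
            raise ValueError(f"line {lineno}: invalid AWS account ID {account!r}")
        entries.append(SecondaryAccount(account, bucket, region))
    if len({e.account_id for e in entries}) != len(entries):
        raise ValueError("duplicate account IDs in secondary configuration")
    return entries


def trust_policy(primary_account_id: str, external_id: str) -> dict:
    """Trust policy for the shared role in a secondary account.

    Only the primary account may assume the role, and only when it presents the
    agreed ExternalId (the usual confused-deputy mitigation when a service
    assumes a role on your behalf). ExternalId use is an assumption here.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{primary_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


if __name__ == "__main__":
    # Constructed sample input: not real accounts or buckets.
    sample = """
    111111111111:acme-prod-cloudtrail:us-east-1
    222222222222:acme-dev-cloudtrail:eu-west-1
    """
    for entry in parse_secondary_config(sample, distributed=True):
        print(f"# trust policy for shared role in account {entry.account_id}")
        print(json.dumps(trust_policy("999999999999", "acme-data-security"), indent=2))
```

Run it against the text you intend to paste into the Secondary Account Configuration box; the first malformed line raises a ValueError with its line number. The bucket check enforces only the naming rules, not global uniqueness, which you can only confirm against S3 itself.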

Customize Amazon S3 App

Customizations include modifying the Amazon S3 app name.
  1. Select the Amazon S3 link on the Cloud Apps list.
  2. Enter a descriptive Name to differentiate this instance of Amazon S3 from other instances you are managing.
  3. Click Done to save your changes.
  4. Next Step: Proceed to Identify Risks.

Identify Risks

When you add a new cloud app, then enable scanning, Data Security automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
  1. Start scanning the new Amazon S3 app for risks.
  2. Monitor the scan results.
    During the discovery phase, as Data Security scans files and matches them against enabled policy rules, verify that your default policy rules are effective. If the results don't capture all risks or you see false positives, proceed to the next step to improve your results.
  3. Add policy rules.
    As a best practice, consider the business use of your app to determine whether you want to Add a New Data Asset Policy to look for incidents unique to the assets in the new app.
  4. (Optional) Configure or edit a data pattern.
    You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.
  5. If you selected All buckets for inclusion and do not intend to exclude specific buckets, start scanning the new Amazon S3 app for risks.
  6. Review exposure details.
    1. To get more details on the exposure, select a Bucket to view the S3 Share Settings. This view displays the bucket policy and access control lists (ACLs), with a link to the asset in the associated bucket so that you can get more context into the exposure.
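When you review the bucket policy and ACL in the S3 Share Settings view, the two things to look for are Allow statements with a wildcard principal and ACL grants to the AllUsers or AuthenticatedUsers predefined groups. The script below is an added example, not code from Data Security: it applies those two checks to a bucket policy and ACL in the shape the S3 API returns them, reports each finding, and produces a copy of the policy with the unconditioned public statements removed. The sample policy and ACL are constructed. A wildcard principal that is narrowed by a Condition (for example aws:SourceVpce or aws:PrincipalOrgID) is reported for review rather than flagged public, since whether it is actually reachable from outside depends on the condition.

```python
"""Flag public and cross-account exposure in an S3 bucket policy and ACL.

Added example; not part of Data Security. Sample policy and ACL are constructed.
"""
import copy
from typing import Any, Dict, List, Tuple

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

Finding = Tuple[str, str]   # (severity: "public" | "review", message)


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal: Any) -> bool:
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean "everyone".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _is_public_statement(st: dict) -> bool:
    return (st.get("Effect") == "Allow"
            and _principal_is_wildcard(st.get("Principal"))
            and not st.get("Condition"))


def policy_findings(policy: dict) -> List[Finding]:
    findings: List[Finding] = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        sid = st.get("Sid", f"statement {i}")
        actions = ", ".join(_as_list(st.get("Action", [])))
        if st.get("Condition"):
            keys = sorted(k for cond in st["Condition"].values() for k in cond)
            findings.append(("review", f"{sid}: wildcard principal for {actions}, limited by {keys}"))
        else:
            findings.append(("public", f"{sid}: PUBLIC, wildcard principal for {actions} with no Condition"))
    return findings


def acl_findings(acl: dict) -> List[Finding]:
    findings: List[Finding] = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_ACL_GROUPS:
            findings.append(("public", f"ACL grants {grant.get('Permission')} to {PUBLIC_ACL_GROUPS[uri]}"))
    return findings


def assess_bucket(name: str, policy: dict, acl: dict) -> Dict[str, Any]:
    findings = policy_findings(policy) + acl_findings(acl)
    return {"bucket": name, "public": any(sev == "public" for sev, _ in findings), "findings": findings}


def strip_public_statements(policy: dict) -> dict:
    """Hardened copy of the policy: drop Allow statements open to everyone without a Condition."""
    cleaned = copy.deepcopy(policy)
    cleaned["Statement"] = [st for st in _as_list(policy.get("Statement", [])) if not _is_public_statement(st)]
    return cleaned


# Constructed sample: one public statement, one VPC-endpoint-restricted wildcard, one owner-only grant.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    result = assess_bucket("example-bucket", SAMPLE_POLICY, SAMPLE_ACL)
    print("public" if result["public"] else "not public")
    for severity, message in result["findings"]:
        print(f"[{severity}] {message}")
```

The ACL check covers only the two predefined groups; grants to other canonical user IDs are cross-account sharing rather than public exposure and still deserve a look in the same view.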