>
    Begin Scanning an Amazon S3 App
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Onboard Sanctioned SaaS Apps to Data Security
    4. Begin Scanning an Amazon S3 App
    Download PDF
    SaaS Security

    Begin Scanning an Amazon S3 App

    Table of Contents

    Begin Scanning an Amazon S3 App

    Secure your AWS S3 accounts and protect them from data exfiltration and malware propagation while adhering to AWS best practices for your security monitoring.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Strata Cloud Manager)
    • Data Security license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    To connect an Amazon S3 app and begin scanning assets, you need to:
    You must have a Public Storage License for Data Security to scan for AWS S3 assets.
    As you prepare to scan your Amazon S3 account, take note of the following values in the worksheet provided, as they are required to complete the setup of the Amazon S3 app on Data Security:
    ItemDescription
    AWS account ID
    Required to enable the Amazon S3 Bucket created in CloudTrail.
    Access key ID
    Grants Data Security permission to access Amazon S3.
    Secret access key
    The administrator root access key used to configure the IAM services.
    CloudTrail bucket name (or full path if the CloudTrail feature is already enabled)
    Enables the Amazon S3 app to log management and data events to a CloudTrail bucket of your choice.
    Region
    A configured area in CloudTrail that is scanned.
    Role
    When scanning multiple AWS S3 accounts, each IAM role defines a set of permissions that grant access to actions and resources in AWS.

    Scan a Single Amazon S3 Account

    Learn how Data Security scans S3 buckets for a single AWS account.
    To enable scanning of S3 buckets for a single AWS account, you must configure AWS IAM policy, user, role, and CloudTrail logging before you can add the Amazon S3 app to Data Security. Alternatively, you can Cross Account Scan Multiple Amazon S3 Accounts.
    1. Log in to your AWS Console aws.amazon.com.
    2. Select ServicesSecurity, Identity & ComplianceIAM.
    3. Configure the Data Security policy used to connect to the Amazon S3 app.
      1. Select PoliciesCreate policy and then select Create Your Own Policy.
      2. Enter the Policy Name as prisma-saas-s3-policy and provide an optional description of the policy.
      3. Copy and paste the following configuration into the Policy Document section:
        {  "Version": "2012-10-17",  "Statement": [    {      "Effect": "Allow",      "Action": [        "s3:Get*",        "s3:List*",        "s3:Put*",        "s3:Delete*",        "s3:CreateBucket",        "iam:GetUser",        "iam:GetRole",        "iam:GetUserPolicy",        "iam:ListUsers",        "cloudtrail:GetTrailStatus",        "cloudtrail:DescribeTrails",        "cloudtrail:LookupEvents",        "cloudtrail:ListTags",        "cloudtrail:ListPublicKeys",        "cloudtrail:GetEventSelectors",        "ec2:DescribeVpcEndpoints",        "ec2:DescribeVpcs",        "config:Get*",        "config:Describe*",        "config:Deliver*",        "config:List*"      ],      "Resource": "*"    }  ]}
      4. Click Create Policy.
    4. Configure the account that Data Security will use to access the Amazon S3 logs:
      1. Select UsersAdd user.
      2. Enter the user name as prisma-saas-s3-user.
      3. To generate an access key ID and secret access key for Data Security to use to access the Amazon S3 service, enable Programmatic access.
      4. Select Next: Permissions.
      5. Select Attach existing policies directly.
      6. Search for and select the check box next to the prisma-saas-s3-policy you created in the previous step.
      7. Click Next: ReviewCreate User.
        Note your Access key ID and Secret access key.
      8. Click Close.
    5. Configure CloudTrail logging, if you have not already done so.
      CloudTrail logging enables the Amazon S3 app to log management and data events to the CloudTrail buckets of your choice.
      1. Copy your AWS account ID into memory by clicking on your username at the top right and copy the account number.
        You will need your account number later in this procedure.
      2. Select ServicesManagement ToolsCloudTrailTrailsAdd new trail.
      3. Enter the Trail name prisma-saas-s3-trail.
      4. Set Apply trail to all Regions to Yes.
      5. In Data events, specify which S3 buckets you want Data Security to scan:
        • Individual buckets—Operates as an allow list and requires ongoing maintenance.
      6. To create a bucket in which CloudTrail will store management and data event logs, enter the S3 bucket name as prisma-saas-s3-<AWS account ID> in the Storage location area.
        Take note of the S3 bucket (CloudTrail bucket name) and region.
      7. Click Create.
    6. Next Step: Proceed to Onboard Sanctioned SaaS Apps to Data Security.

    Cross Account Scan Multiple Amazon S3 Accounts

    Learn how Data Security scans S3 buckets for multiple AWS accounts.
    To enable scanning of S3 buckets across multiple AWS accounts, you must configure AWS IAM policy, user, and role on the primary account, and then configure users, roles, policies and CloudTrail trails for both the primary and secondary accounts before you can add the Amazon S3 app to Data Security. The account in which all CloudTrail is stored is referenced as the primary account. All other accounts are referenced as secondary accounts.
    1. Configure CloudTrail logging on the primary account.
      1. Log in to your AWS Console aws.amazon.com.
      2. Select ServicesCloudTrailTrailsCreate Trail.
      3. Enter the Trail name prisma-saas-s3-primary-trail.
      4. Set Apply trail to all Regions to Yes.
      5. In Data events, specify which S3 buckets in your primary account you want Data Security to scan:
        • All S3 buckets—Enables you to include current and future buckets without maintenance. With this option, you can exclude buckets later in the SaaS Security web interface.
        • Individual buckets—Operates as an allow list and requires ongoing maintenance.
      6. In the Storage location area, create a bucket in which CloudTrail will store management and data event logs, enter the S3 bucket name as prisma-saas-s3-<AWS account ID>.
        You can also use an existing bucket for the log storage location, if one exists.
    2. Configure a user in the primary account that will access each of the secondary accounts.
      1. Select ServicesIAM.
      2. Select UsersAdd user.
      3. Enter the user name as prisma-saas-s3-user.
      4. Select Programmatic access to generate an access key ID and secret access key for Data Security to use to access the Amazon S3 service.
      5. Select Next: Permissions.
      6. Create a user policy.
        1. Select Attach existing policies directlyCreate Policy. A new window will open. You will attach this policy to the user account that authorizes Data Security to scan the Amazon S3 accounts.
        2. Click the JSON tab and copy and paste the following configuration into the Policy Document section:
        {
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "s3:Get*",
    "s3:List*",
    "s3:Put*",
    "s3:Delete*",
    "s3:CreateBucket",
    "iam:GetUser",
    "iam:GetRole",
    "iam:GetUserPolicy",
    "iam:ListUsers",
    "cloudtrail:GetTrailStatus",
    "cloudtrail:DescribeTrails",
    "cloudtrail:LookupEvents",
    "cloudtrail:ListTags",
    "cloudtrail:ListPublicKeys",
    "cloudtrail:GetEventSelectors",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpcs",
    "config:Get*",
    "config:Describe*",
    "config:Deliver*",
    "config:List*"
   ],
   "Resource": "*"
  },
  {
   "Effect": "Allow",
   "Action": "sts:AssumeRole",
   "Resource": "arn:aws:iam::111111111:role/prisma-saas-s3-cross-account-access-role"
  },
  {
   "Effect": "Allow",
   "Action": "sts:AssumeRole",
   "Resource": "arn:aws:iam::222222222:role/prisma-saas-s3-cross-account-access-role"
  },
  {
   "Effect": "Allow",
   "Action": "sts:AssumeRole",
   "Resource": "arn:aws:iam::333333333:role/prisma-saas-s3-cross-account-access-role"
  }
 ]
}
        This policy document has three pseudo secondary accounts 222222222,111111111,333333333 referenced in it. You will need to edit the policy to reflect the account numbers of each of your secondary accounts.
      7. Click Review Policy and enter the Policy Name as prisma-saas-s3-primary-policy and provide an optional description of the policy.
      8. Click Create Policy.
      9. Refresh the first window and select prisma-saas-s3-primary policy, and click NextReview and then Create User.
        Note the Access key ID and Secret access key for the user. You will need these numbers later in this setup.
      10. Click Close.
    3. Configure the CloudTrail bucket in the primary account to give CloudTrail service access to each secondary account prefix.
      1. Log in to your AWS Console aws.amazon.com.
      2. Select ServicesS3.
      3. Select the CloudTrail S3 bucket you just created, for example prisma-saas-s3-[aws account id].
      4. Select PermissionsBucket Policy.
      5. Verify that the bucket policy has a Statement to Allow Action S3:PutObject for the primary account prefix, for example, “Resource”: “arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/[aws account id]/*”,
      6. Modify this resource entry to add the account prefix for each secondary account, similar to the following:
        	"Resource": 
	[              
	"arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/[aws account id]/*",              
	"arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/111111111/*",              
	"arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/222222222/*",              
	"arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/333333333/*"          
	],
      7. Save the resource modification.
    4. Configure a role and an associated policy on each secondary account.
      1. Log in to your AWS Console aws.amazon.com.
      2. Configure an IAM role by selecting IAMRolesCreate Role.
      3. Select Another AWS Account Type as type of trusted entity.
      4. Enter the AWS account number of your primary account in Specify accounts that can use this role. Leave the other Options unchecked and select Next: Permissions.
      5. Click Create Policy and a new window will open.
      6. Click the JSON tab and copy and paste the following configuration into the Policy Document section:
        	{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:Put*",
                "s3:Delete*",
                "s3:CreateBucket",
                "iam:GetUser",
                "iam:GetRole",
                "iam:GetUserPolicy",
                "iam:ListUsers",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:DescribeTrails",
                "cloudtrail:LookupEvents",
                "cloudtrail:ListTags",
                "cloudtrail:ListPublicKeys",
                "cloudtrail:GetEventSelectors",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcs",
                "config:Get*",
                "config:Describe*",
                "config:Deliver*",
                "config:List*"
            ],
            "Resource": "*"
        }
    ]
}
      7. Click Review Policy and enter the Policy Name as prisma-saas-s3-secondary-policy and provide an optional description of the policy.
      8. Click Create Policy.
      9. Refresh the policy window and select prisma-saas-S3-secondary-policy.
      10. Select Next: Review and enter the role name prisma-saas-s3-cross-account-access-role.
      11. Create the role by entering in Role name. Before creating the role, verify the following:
        1. Trusted entities contain the primary account number.
        2. prisma-saas-s3-secondary-policy displays in Policies.
        3. When verification is complete, click Create Role.
      12. Select the role just created and copy the role ARN into memory (for example arn:aws:iam::222222222:role/prisma-saas-s3-cross-account-access-role). You will need the role ARN later in this procedure.
    5. Configure CloudTrail on each secondary account to associate with the primary account.
      1. Select ServicesCloudTrailTrailsCreate trail.
      2. Enter the Trail name prisma-saas-s3-secondary-trail.
      3. Set Apply trail to all Regions to Yes.
      4. In Data events, specify which S3 buckets in your secondary account you want Data Security to scan:
        • All S3 buckets—Enables you to include current and future buckets without maintenance. With this option, you can exclude buckets later in the SaaS Security web interface.
        • Individual buckets—Operates as an allow list and requires ongoing maintenance.
      5. To configure a bucket in which CloudTrail will store management and data event logs for this account, enter the bucket name of the CloudTrail bucket in the primary account, for example prisma-saas-s3-<AWS account ID> in the Storage location area and click Create.
    6. Next Step: Add the Amazon S3 App.

    Add the Amazon S3 App

    Add the Amazon S3 app to begin scanning your assets in S3 buckets with Data Security.
    After you set up your scan configuration for a single AWS account or for multiple AWS accounts, add the Amazon S3 app to Data Security to begin scanning your new Amazon S3 app for policy violations.

    Add Amazon S3 App

    There are two methods to set up the Amazon S3 app on Data Security based on whether you are configuring a single account or multiple accounts.
    1. To add the Amazon S3 app to Data Security, go to Data SecurityApplicationsAdd ApplicationAmazon S3.
    2. Connect a single AWS account, if applicable.
      1. Connect a single AWS account by clicking Connect to Account.
      2. Enter the Access Key ID and Secret Access Key that you noted earlier when you completed the worksheet for your app scan.
      3. Enter the CloudTrail Bucket Name (S3 bucket name) to the default exclusion list.
        Because S3 allows your bucket to be used as a URL that can be accessed publicly, the bucket name that you choose must be globally unique. If some other account has already created a bucket with the name that you chose, you must use another name.
      4. Enter the AWS Account ID.
        To find your AWS account ID number on the AWS Management Console, select Support on the navigation bar on the upper-right, and then select Support Center. Your signed-in account ID displays in the upper-right corner below the Support menu.
      5. Select the Region.
      6. Click OK. Data Security adds the Amazon S3 app to the list of Cloud Apps.
    3. Connect multiple AWS accounts, if applicable.
      AWS enables you to combine CloudTrail log files from multiple AWS regions and separate accounts into a single S3 bucket. Aggregating your log files in a single bucket simplifies storage and management of your Trails.
      1. Enter the Primary Account Access Key ID and Primary Account Secret Access Key that you noted earlier when you completed the worksheet for your app scan.
      2. Enter the Primary AWS Account ID.
        To find your AWS account ID number on the AWS Management Console, select Support on the navigation bar on the upper-right, and then select Support Center. Your signed-in account ID displays in the upper-right corner below the Support menu.
      3. Enter the Shared IAM Role.
        The shared IAM role delegates access to resources in different AWS accounts that you own (Production and Development). By configuring cross-account access with a role, you don't need to create individual IAM users in each account. In addition, users don't have to sign out of one account and sign into another in order to access resources that are in different AWS accounts.
      4. Enter the Primary CloudTrail Bucket Name (S3 bucket name).
        Because S3 allows your bucket to be used as a URL that can be accessed publicly, the bucket name that you choose must be globally unique. If some other account has already created a bucket with the name that you chose, you must use another name.
      5. Select the Primary CloudTrail Bucket Region.
      6. In Secondary Account Configuration select a CloudTrail configuration:
        • Centralized CloudTrail— logging for all AWS accounts goes to a single CloudTrail bucket in the primary account. Enter one Amazon account per line with no delimiters.
        • Distributed CloudTrail— logging for each AWS account goes to a separate CloudTrail bucket in the account’s location. Enter one Amazon Account: Bucket Name: Region per line with a colon ( : ) as a delimiter.
        If you are configuring both centralized and distributed CloudTrails, use Distributed CloudTrail.
      7. Click OK to add the Amazon S3 app to the list of Cloud Apps on Data Security.
    4. Next Step: Proceed to Customize Amazon S3 App.

    Customize Amazon S3 App

    Customizations include modifying Amazon S3 app name.
    1. Select the Amazon S3 link on the Cloud Apps list.
    2. Enter a descriptive Name to differentiate this instance of Amazon S3 from other instances you are managing.
    3. Click Done to save your changes.
    4. Next Step: Proceed to Identify Risks.

    Identify Risks

    When you add a new cloud app, then enable scanning, Data Security automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
    1. Start scanning the new Amazon S3 app for risks.
    2. Monitor the scan results.
      During the discovery phase, as Data Security scans files and matches them against enabled policy rules, verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, proceed to next step to improve your results.
    3. Add policy rules.
      When you add a new cloud app, Data Security automatically scans the app against the default data patterns and displays the match occurrences. As a best practice, consider the business use of your app to determine whether you want to Add a New Data Asset Policy to look for incidents unique to the assets in the new app.
    4. (Optional) Configure or edit a data pattern.
      You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.
    5. If you selected All buckets for inclusion, but do not intend to specify specific buckets for exclusion, start scanning the new Amazon S3 app for risks.
    6. Review exposure details.
      1. To get more details on the exposure, select a Bucket to view the S3 Share Settings. This view displays the bucket policy and access control lists (ACL) with a link to the asset in the associated bucket so that you can get more context into the exposure.

    Exclude Amazon S3 Buckets from Scans

    Learn how Data Security enables you to create a custom list of S3 buckets to exclude archived data from asset scans.
    Data Security enables you to exclude specific S3 buckets from scans to meet your organization’s compliance needs. Sometimes organizations designate specific S3 buckets to store data that is not in use before that data moves to cold storage (for example, Amazon Glacier). If you have compliance reporting demands when such data is accessed, you can omit that data from scans.
    Data Security has two exclusion lists:
    • Default exclusion list—S3 buckets that Data Security automatically excludes from scans. CloudTrail logging enables the Amazon S3 to log management and data events to the CloudTrail buckets. Data Security depends on the CloudTrail to identify changes in the S3 account and buckets. Your log events do not display as assets in the Data Security web interface because the bucket that you specify in CloudTrail Bucket Name or Primary CloudTrail Bucket Name during onboarding will not be scanned. These bucket names display in the SaaS Security web interface under Buckets Ignored.
    • Custom exclusion list—S3 buckets that you manually exclude from scans. If you specify All S3 buckets during single account or multiple accounts onboarding, you have the option to add a custom list of S3 buckets for exclusion.
    In order for Data Security to enforce your custom exclusion list, you must add the bucket names after you onboard the Amazon S3 app—but before you start scanning. Otherwise, absent any bucket names, Data Security scans All S3 buckets, then displays those unwanted assets in the SaaS Security web interface. If you add the bucket names after the scan begins, Data Security stops scanning those buckets moving forward, but those unwanted assets remain in Data Security. To remove those assets, you must delete the Amazon S3 app and repeat the onboarding process. Similarly, you can delete a bucket name from exclusion, but previously discovered assets remain unless you delete the cloud app.
    1. Log in to SaaS Security
    2. Select SettingsCloud Apps & Scan Settings.
    3. Click on the Amazon S3 app that you added.
    4. Specify a comma-separated list of bucket names in Custom List of Buckets to Exclude, then Add.
    5. Next Step: Start scanning, when you’re ready for Data Security to discover your assets.

    © 2025 Palo Alto Networks, Inc. All rights reserved.