Cross Account Scan Multiple Amazon S3 Accounts

Learn how SaaS Security API scans S3 buckets for multiple AWS accounts.
To enable scanning of S3 buckets across multiple AWS accounts, you must configure AWS IAM policy, user, and role on the primary account, and then configure users, roles, policies and CloudTrail trails for both the primary and secondary accounts before you can add the Amazon S3 app to SaaS Security API. The account in which all CloudTrail is stored is referenced as the primary account. All other accounts are referenced as secondary accounts.
  1. Configure CloudTrail logging on the primary account.
    1. Log in to your AWS Console aws.amazon.com.
    2. Select
      Services
      CloudTrail
      Trails
      Create Trail
      .
    3. Enter the Trail name
      prisma-saas-s3-primary-trail
      .
    4. Set
      Apply trail to all Regions
      to
      Yes
      .
    5. In
      Data events
      , specify which S3 buckets in your primary account you want SaaS Security API to scan:
      • All S3 buckets—Enables you to include current and future buckets without maintenance. With this option, you can exclude buckets later in the SaaS Security web interface.
      • Individual buckets—Operates as an allow list and requires ongoing maintenance.
    6. In the
      Storage location
      area, create a bucket in which CloudTrail will store management and data event logs, enter the
      S3 bucket
      name as
      prisma-saas-s3-
      <AWS account ID>
      .
      You can also use an existing bucket for the log storage location, if one exists.
  2. Configure a user in the primary account that will access each of the secondary accounts.
    1. Select
      Services
      IAM
      .
    2. Select
      Users
      Add user
      .
    3. Enter the user name as
      prisma-saas-s3-user
      .
    4. Select
      Programmatic access
      to generate an access key ID and secret access key for SaaS Security API to use to access the Amazon S3 service.
    5. Select
      Next: Permissions
      .
    6. Create a user policy.
      1. Select
        Attach existing policies directly
        Create Policy
        . A new window will open. You will attach this policy to the user account that authorizes SaaS Security API to scan the Amazon S3 accounts.
      2. Click the
        JSON
        tab and copy and paste the following configuration into the
        Policy Document
        section:
      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*", "s3:CreateBucket", "iam:GetUser", "iam:GetRole", "iam:GetUserPolicy", "iam:ListUsers", "cloudtrail:GetTrailStatus", "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "cloudtrail:ListTags", "cloudtrail:ListPublicKeys", "cloudtrail:GetEventSelectors", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "config:Get*", "config:Describe*", "config:Deliver*", "config:List*" ], "Resource": "*" }, { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111111111:role/prisma-saas-s3-cross-account-access-role" }, { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::222222222:role/prisma-saas-s3-cross-account-access-role" }, { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::333333333:role/prisma-saas-s3-cross-account-access-role" } ] }
      This policy document has three pseudo secondary accounts 222222222,111111111,333333333 referenced in it. You will need to edit the policy to reflect the account numbers of each of your secondary accounts.
    7. Click
      Review Policy
      and enter the
      Policy Name
      as
      prisma-saas-s3-primary-policy
      and provide an optional description of the policy.
    8. Click
      Create Policy
      .
    9. Refresh
      the first window and select
      prisma-saas-s3-primary policy
      , and click
      Next
      Review
      and then
      Create User
      .
      Note the
      Access key ID
      and
      Secret access key
      for the user. You will need these numbers later in this setup.
    10. Click
      Close
      .
  3. Configure the CloudTrail bucket in the primary account to give CloudTrail service access to each secondary account prefix.
    1. Log in to your AWS Console aws.amazon.com.
    2. Select
      Services
      S3
      .
    3. Select the CloudTrail S3 bucket you just created, for example
      prisma-saas-s3-[aws account id].
    4. Select
      Permissions
      Bucket Policy
      .
    5. Verify that the bucket policy has a
      Statement to Allow Action S3:PutObject
      for the primary account prefix, for example,
      “Resource”: “arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/[aws account id]/*”,
    6. Modify this resource entry to add the account prefix for each secondary account, similar to the following:
      "Resource": [ "arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/[aws account id]/*", "arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/111111111/*", "arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/222222222/*", "arn:aws:s3:::prisma-saas-s3-[aws account id]/AWSLogs/333333333/*" ],
    7. Save
      the resource modification.
  4. Configure a role and an associated policy on each secondary account.
    1. Log in to your AWS Console aws.amazon.com.
    2. Configure an IAM role by selecting
      IAM
      Roles
      Create Role
      .
    3. Select
      Another AWS Account Type
      as type of trusted entity.
    4. Enter the AWS account number of your primary account in
      Specify accounts that can use this role
      . Leave the other
      Options
      unchecked and select
      Next: Permissions
      .
    5. Click
      Create Policy
      and a new window will open.
    6. Click the
      JSON
      tab and copy and paste the following configuration into the
      Policy Document
      section:
      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*", "s3:CreateBucket", "iam:GetUser", "iam:GetRole", "iam:GetUserPolicy", "iam:ListUsers", "cloudtrail:GetTrailStatus", "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "cloudtrail:ListTags", "cloudtrail:ListPublicKeys", "cloudtrail:GetEventSelectors", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "config:Get*", "config:Describe*", "config:Deliver*", "config:List*" ], "Resource": "*" } ] }
    7. Click
      Review Policy
      and enter the
      Policy Name
      as
      prisma-saas-s3-secondary-policy
      and provide an optional description of the policy.
    8. Click
      Create Policy
      .
    9. Refresh
      the policy window and select
      prisma-saas-S3-secondary-policy
      .
    10. Select
      Next: Review
      and enter the role name
      prisma-saas-s3-cross-account-access-role
      .
    11. Create the role by entering in
      Role name
      . Before creating the role, verify the following:
      1. Trusted entities
        contain the primary account number.
      2. prisma-saas-s3-secondary-policy
        displays in
        Policies
        .
      3. When verification is complete, click
        Create Role
        .
    12. Select the role just created and copy the role ARN into memory (for example
      arn:aws:iam::222222222:role/prisma-saas-s3-cross-account-access-role
      ). You will need the role ARN later in this procedure.
  5. Configure CloudTrail on each secondary account to associate with the primary account.
    1. Select
      Services
      CloudTrail
      Trails
      Create trail
      .
    2. Enter the Trail name
      prisma-saas-s3-secondary-trail
      .
    3. Set
      Apply trail to all Regions
      to
      Yes
      .
    4. In
      Data events
      , specify which S3 buckets in your secondary account you want SaaS Security API to scan:
      • All S3 buckets—Enables you to include current and future buckets without maintenance. With this option, you can exclude buckets later in the SaaS Security web interface.
      • Individual buckets—Operates as an allow list and requires ongoing maintenance.
    5. To configure a bucket in which CloudTrail will store management and data event logs for this account, enter the bucket name of the CloudTrail bucket in the primary account, for example
      prisma-saas-s3-
      <AWS account ID>
      in the
      Storage location
      area and click
      Create
      .

Recommended For You