Scan a Single Amazon S3 Account

Learn how SaaS Security API scans S3 buckets for a single AWS account.
To enable scanning of S3 buckets for a single AWS account, you must configure AWS IAM policy, user, role, and CloudTrail logging before you can add the Amazon S3 app to SaaS Security API. Alternatively, you can Cross Account Scan Multiple Amazon S3 Accounts.
  1. Log in to your AWS Console aws.amazon.com.
  2. Select
    Services
    Security, Identity & Compliance
    IAM
    .
  3. Configure the SaaS Security API policy used to connect to the Amazon S3 app.
    1. Select
      Policies
      Create policy
      and then select
      Create Your Own Policy
      .
    2. Enter the
      Policy Name
      as
      prisma-saas-s3-policy
      and provide an optional description of the policy.
    3. Copy and paste the following configuration into the
      Policy Document
      section:
      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*", "s3:CreateBucket", "iam:GetUser", "iam:GetRole", "iam:GetUserPolicy", "iam:ListUsers", "cloudtrail:GetTrailStatus", "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "cloudtrail:ListTags", "cloudtrail:ListPublicKeys", "cloudtrail:GetEventSelectors", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "config:Get*", "config:Describe*", "config:Deliver*", "config:List*" ], "Resource": "*" } ]}
    4. Click
      Create Policy
      .
  4. Configure the account that SaaS Security API will use to access the Amazon S3 logs:
    1. Select
      Users
      Add user
      .
    2. Enter the user name as
      prisma-saas-s3-user
      .
    3. To generate an access key ID and secret access key for SaaS Security API to use to access the Amazon S3 service, enable Programmatic access.
    4. Select
      Next: Permissions
      .
    5. Select Attach existing policies directly.
    6. Search for and select the check box next to the prisma-saas-s3-policy you created in the previous step.
    7. Click
      Next: Review
      Create User
      .
      Note your
      Access key ID
      and
      Secret access key
      .
    8. Click
      Close
      .
  5. Configure CloudTrail logging, if you have not already done so.
    CloudTrail logging enables the Amazon S3 app to log management and data events to the CloudTrail buckets of your choice.
    1. Copy your AWS account ID into memory by clicking on your username at the top right and copy the account number.
      You will need your account number later in this procedure.
    2. Select
      Services
      Management Tools
      CloudTrail
      Trails
      Add new trail
      .
    3. Enter the Trail name
      prisma-saas-s3-trail
      .
    4. Set
      Apply trail to all Regions
      to
      Yes
      .
    5. In
      Data events
      , specify which S3 buckets you want SaaS Security API to scan:
      • Individual buckets—Operates as an allow list and requires ongoing maintenance.
    6. To create a bucket in which CloudTrail will store management and data event logs, enter the
      S3 bucket
      name as
      prisma-saas-s3-
      <AWS account ID>
      in the
      Storage location
      area.
      Take note of the S3 bucket (CloudTrail bucket name) and region.
    7. Click
      Create
      .

Recommended For You