Scan a Single Amazon S3 Account

Learn how SaaS Security API scans S3 buckets for a single AWS account.
To enable scanning of S3 buckets for a single AWS account, you must configure the AWS IAM policy, user, role, and CloudTrail logging before you can add the Amazon S3 app to SaaS Security API. Alternatively, you can Cross Account Scan Multiple Amazon S3 Accounts.
  1. Log in to your AWS Console.
  2. Select Security, Identity & Compliance.
  3. Configure the SaaS Security API policy used to connect to the Amazon S3 app.
    1. Select Create policy and then select Create Your Own Policy.
    2. Enter the Policy Name (later steps refer to this policy as prisma-saas-s3-policy) and provide an optional description of the policy.
    3. Copy and paste the following configuration into the Policy Document:

       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Action": [
               "s3:Get*",
               "s3:List*",
               "s3:Put*",
               "s3:Delete*",
               "s3:CreateBucket",
               "iam:GetUser",
               "iam:GetRole",
               "iam:GetUserPolicy",
               "iam:ListUsers",
               "cloudtrail:GetTrailStatus",
               "cloudtrail:DescribeTrails",
               "cloudtrail:LookupEvents",
               "cloudtrail:ListTags",
               "cloudtrail:ListPublicKeys",
               "cloudtrail:GetEventSelectors",
               "ec2:DescribeVpcEndpoints",
               "ec2:DescribeVpcs",
               "config:Get*",
               "config:Describe*",
               "config:Deliver*",
               "config:List*"
             ],
             "Resource": "*"
           }
         ]
       }

    4. Click Create Policy.
  4. Configure the account that SaaS Security API will use to access the Amazon S3 logs:
    1. Select Add user.
    2. Enter the user name as
    3. To generate an access key ID and secret access key for SaaS Security API to use to access the Amazon S3 service, enable Programmatic access.
    4. Select Next: Permissions.
    5. Select Attach existing policies directly.
    6. Search for and select the check box next to the prisma-saas-s3-policy you created in the previous step.
    7. Click Next: Review, then Create User. Note your Access key ID and Secret access key.
    8. Click
  5. Configure CloudTrail logging, if you have not already done so.
    CloudTrail logging enables the Amazon S3 app to log management and data events to the CloudTrail buckets of your choice.
    1. Copy your AWS account ID by clicking your username at the top right and copying the account number. You will need your account number later in this procedure.
    2. Select Management Tools and then Add new trail.
    3. Enter the Trail name.
    4. Set Apply trail to all Regions.
    5. In Data events, specify which S3 buckets you want SaaS Security API to scan:
      • Individual buckets—Operates as an allow list and requires ongoing maintenance.
    6. To create a bucket in which CloudTrail will store management and data event logs, enter the S3 bucket name as <AWS account ID> in the Storage location. Take note of the S3 bucket (CloudTrail bucket name) and region.
    7. Click
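Two checks a practitioner can run after completing steps 3 and 5, as an added Python example that is not part of this page or of the SaaS Security API product. The first summarises what the step 3 policy document grants, separating read-only actions from ones that can create, change or delete data, and reports that those mutating actions are granted on Resource "*". The second reads a CloudTrail log file of the kind delivered to the bucket created in step 5 and reports which of the buckets selected under Data events have actually produced object-level (data) events. The CloudTrail records and the bucket names `example-scanned-bucket` and `other-bucket` are constructed for the example; the policy is the one from step 3.

```python
"""Post-setup checks for the SaaS Security API / Amazon S3 procedure.

Added example, not Palo Alto Networks code. All inputs are embedded so the
script runs offline.
"""
import json

# The policy document from step 3 of the procedure, verbatim.
SAAS_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*", "s3:CreateBucket",
            "iam:GetUser", "iam:GetRole", "iam:GetUserPolicy", "iam:ListUsers",
            "cloudtrail:GetTrailStatus", "cloudtrail:DescribeTrails",
            "cloudtrail:LookupEvents", "cloudtrail:ListTags",
            "cloudtrail:ListPublicKeys", "cloudtrail:GetEventSelectors",
            "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs",
            "config:Get*", "config:Describe*", "config:Deliver*", "config:List*",
        ],
        "Resource": "*",
    }],
}

# Action verbs that can create, change or destroy data; everything else is
# treated as read-only for this summary.
MUTATING_PREFIXES = ("Put", "Delete", "Create", "Deliver")


def audit_policy(policy):
    """Summarise what an IAM policy document allows.

    Returns a dict with the sorted read-only actions, the sorted mutating
    actions, and whether any mutating action is granted on Resource "*".
    """
    read_only, mutating, wildcard_mutating = [], [], False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):          # IAM allows a bare string
            actions = [actions]
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            verb = action.split(":", 1)[1]    # "s3:Delete*" -> "Delete*"
            if verb.startswith(MUTATING_PREFIXES):
                mutating.append(action)
                if "*" in resources:
                    wildcard_mutating = True
            else:
                read_only.append(action)
    return {
        "read_only": sorted(read_only),
        "mutating": sorted(mutating),
        "mutating_on_all_resources": wildcard_mutating,
    }


# Constructed CloudTrail log file (a "Records" array, as CloudTrail delivers
# it to the trail's S3 bucket) holding one S3 data event and one S3
# management event. Bucket and key names are made up for the example.
SAMPLE_TRAIL_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-01-01T00:00:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "managementEvent": False, "readOnly": True,
     "requestParameters": {"bucketName": "example-scanned-bucket",
                           "key": "reports/q1.csv"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T00:00:05Z",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "managementEvent": True, "readOnly": True,
     "requestParameters": None},
]})


def data_event_coverage(trail_log_json, expected_buckets):
    """Check which buckets chosen under Data events in step 5 actually show
    up as S3 data events in a delivered CloudTrail log file.

    Returns (seen, missing): expected buckets with at least one object-level
    event, and expected buckets with none.
    """
    records = json.loads(trail_log_json)["Records"]
    seen = set()
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("managementEvent", True):
            continue  # bucket-level management event, not a data event
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if bucket in expected_buckets:
            seen.add(bucket)
    return seen, set(expected_buckets) - seen


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAAS_S3_POLICY), indent=2))
    seen, missing = data_event_coverage(
        SAMPLE_TRAIL_LOG, ["example-scanned-bucket", "other-bucket"])
    print("buckets with data events:", sorted(seen))
    print("buckets still silent:", sorted(missing))
```

The mutating actions are what the procedure asks for, so the audit does not change the policy; it makes the scope of the access key from step 4 visible so that key can be handled accordingly. For the coverage check, run it over the log files CloudTrail delivers after some activity on the selected buckets; a bucket listed under Data events that never appears in `seen` has not been scanned-visible to the trail yet.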