AWS S3
Prerequisites
Component | Description |
---|---|
Proxy Agent | Direct internet access; cloud service-specific access key. Recommended Proxy Agents: Windows Agent, Linux Agent. |
TCP Allowed Connections | Port 443 |
Encryption Methods
DDC supports Amazon S3 Buckets that use the following encryption methods:
- Server-side encryption with Amazon S3-managed encryption keys (SSE-S3)
- Server-side encryption with AWS KMS-managed keys (SSE-KMS)
Get AWS S3 Access Keys
You need an AWS access key ID (and its associated secret access key) for an IAM user to add an AWS S3 data store in DDC for scanning.
To get AWS S3 access key:
Log on to AWS Console.
On the top left corner, click Services > IAM > Users.
Search for and select an IAM user that has the following permissions:
- s3:ListAllMyBuckets
- s3:ListBucket
- s3:GetBucketLocation
- s3:GetObject
You can check a user's permissions under the Permissions tab. If no user has the required permissions, create a new user.
Go to Security Credentials > Access keys and note down the access key ID.
Each access key ID has an associated secret access key. AWS shows the secret access key only once, at the time the key is created.
If no access keys are listed, create a new access key.
Create New User
Click IAM > Users > Create user.
Enter the user name and click Next.
Under Permissions options, select Attach policies directly option.
Under Permissions policies, select an existing policy that grants the required permissions on the Amazon S3 buckets, or create a new permission policy.
Under Review and create, click Create user.
Create Access Key
An IAM user can have at most two access keys at a time.
To create an access key:
In the Access keys section, click Create access key.
Under Access key best practices & alternatives, select Other and click Next.
Any of the listed options can be chosen as your requirements dictate; this procedure selects Other because DDC needs a long-term access key.
(Optional) Under Set description tag, add a description for the access key.
Click Create access key.
The access key ID and secret access key are created.
Click Download .csv file to download the access key ID and secret access key, and store the file securely: the secret is a long-term credential.
Caution
Once you close the Retrieve access key page, the secret access key cannot be retrieved again. If it is lost, deactivate that key and create a new one.
Click Done.
Create Policy
Click Create policy.
On the Specify permissions page, use the Visual or JSON editor to add the following permissions:
ListAllMyBuckets
ListBucket
GetBucketLocation
GetObject
Example (note that Resource "*" grants these actions on every bucket in the account):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        }
    ]
}
Click Next.
On Review and create page, enter the policy name and click Create policy.
The new policy is created and is displayed under Permissions policies.
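The example policy above grants the four actions on every bucket in the account. As an added example (not code from the DDC documentation or the product), the following Python builds the same grant scoped to named buckets and checks an arbitrary policy document, such as one copied from a user's Permissions tab, for the actions DDC needs. It assumes that the four actions listed on this page are all the scanner requires and that the bucket names passed to ddc_scan_policy() are the buckets to be scanned; it ignores Deny statements and Condition blocks, so a clean result is necessary, not sufficient.

```python
"""Least-privilege IAM policy helper for the DDC AWS S3 scanning user.

Added example, not code from the CipherTrust DDC documentation or product.
Assumptions: the four s3 actions the documentation lists are all the scanner
needs, and the bucket names passed to ddc_scan_policy() are the buckets to scan.
"""
import fnmatch
import json

# The four permissions the documentation requires for the scanning user.
REQUIRED_ACTIONS = (
    "s3:ListAllMyBuckets",
    "s3:ListBucket",
    "s3:GetBucketLocation",
    "s3:GetObject",
)

# Account-level action: AWS only accepts Resource "*" for it. Everything else
# in REQUIRED_ACTIONS is bucket- or object-level and can be scoped to ARNs.
ACCOUNT_LEVEL_ACTIONS = {"s3:ListAllMyBuckets"}


def ddc_scan_policy(buckets):
    """Policy document granting the documented actions on the given buckets only.

    The documentation's example uses Resource "*", i.e. every bucket in the
    account. Here ListBucket/GetBucketLocation are limited to the bucket ARNs
    and GetObject to the objects inside them.
    """
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    object_arns = [f"arn:aws:s3:::{b}/*" for b in buckets]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": bucket_arns},
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": object_arns},
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list in Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _allow_statements(policy):
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement need not be wrapped in a list
        statements = [statements]
    return [s for s in statements if s.get("Effect") == "Allow"]


def _grants(statement, action):
    """True if one of the statement's Action patterns (s3:*, s3:Get*, ...) covers the action.

    IAM matches action names case-insensitively, so compare in lower case.
    """
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(statement.get("Action", [])))


def missing_actions(policy):
    """Documented actions that no Allow statement grants.

    Deny statements and Condition blocks are ignored, so an empty result means
    the policy can be sufficient, not that it is.
    """
    allows = _allow_statements(policy)
    return [a for a in REQUIRED_ACTIONS if not any(_grants(s, a) for s in allows)]


def overly_broad_statements(policy):
    """Actions granted on Resource "*" that could have been scoped to bucket or object ARNs."""
    broad = []
    for s in _allow_statements(policy):
        if "*" not in _as_list(s.get("Resource", [])):
            continue
        scopable = [a for a in _as_list(s.get("Action", [])) if a not in ACCOUNT_LEVEL_ACTIONS]
        if scopable:
            broad.append(scopable)
    return broad


# The documentation's own example policy, copied from this page.
DOC_EXAMPLE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation" ],
  "Resource": "*" } ] }
""")

if __name__ == "__main__":
    print("missing:", missing_actions(DOC_EXAMPLE_POLICY))          # []
    print("broad:", overly_broad_statements(DOC_EXAMPLE_POLICY))     # bucket/object actions on "*"
    scoped = ddc_scan_policy(["ddc-data"])                           # bucket name from this page
    print(json.dumps(scoped, indent=2))
    print("missing:", missing_actions(scoped), "broad:", overly_broad_statements(scoped))
```

Running the file prints the scoped policy for the ddc-data bucket used in this page's examples; the JSON can be pasted into the JSON editor in the Create policy step. Whether DDC tolerates buckets it can list but cannot read is not stated on this page, so after narrowing Resource, confirm with a test scan that the data store still shows Ready and the report contains objects.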
Delete/Deactivate Access key
You can deactivate or delete the access keys of an IAM user.
In the AWS console, click Services > IAM > Users.
Select the desired user and go to Security Credentials tab.
The Access keys section displays the existing keys.
Do one of the following:
To deactivate an access key:
- Select Deactivate from the Actions dropdown of the desired access key.
Note
A deactivated access key still counts toward your limit of two access keys.
To delete an access key:
Choose Delete from the Actions dropdown of the desired access key. The dialog requires the key to be deactivated first; follow its instructions to deactivate it.
In the Delete <Access Key> dialog, enter the access key ID.
Click Delete.
The access key is deleted. This re-enables the Create access key button so that a new access key can be added.
Add AWS S3 Online Data Store
To configure the AWS S3 Online data store:
Log on to the CipherTrust Manager GUI.
Open the Data Discovery & Classification application.
Click Data Stores > Data Stores > Add Data Store. The Add Data Store wizard is displayed.
Complete the following steps:
Note
It is recommended to use IAM access keys instead of AWS root credentials.
Select Store Type
Under Select Data Store Category, select Cloud.
From Select Cloud Type, select AWS S3.
Click Next.
Configure Connection
Specify the credentials for AWS S3:
Field | Description |
---|---|
Access Key ID | Access key ID obtained from your storage account administrator. |
Secret Access Key | Secret access key associated with that access key ID, obtained from your storage account administrator. |
(Optional) In the Select Number of Agents field, set the minimum and maximum number of agents for the data store. Refer to Agents for more information.
Warning
- As there is no limit on the number of minimum and maximum agents that you can set, you should exercise caution so that you do not impact the system performance by using too many resources for a single scan.
- You will not be able to add a datastore if the minimum number of agents cannot be assigned.
- A scan will fail if the assigned agent is unavailable after adding the datastore.
- The minimum number of agents must be less than or equal to the maximum number of agents.
(Optional) In the Add Label field, enter a label. You can also remove an existing label.
Click Next.
General Info
Specify the following details:
Name: Name for the data store.
Description (Optional): Description for the data store.
Location: Location of the data store. Refer to Managing Branch Locations for details.
Sensitivity Level (Optional): Sensitivity level for the data store. Refer to Sensitivity Levels for details.
Enable Data Store: Whether to enable the newly added data store. Select the check box to enable the data store.
Click Next.
Add Tags & Access Control
(Optional) Grant All groups (default) access for reports, or select a specific group.
Click Save.
The data store is added to the Data Stores page. If the Ready to Scan column shows Ready, the data store is properly configured.
For more information on tags and access control, expand the section below.
Tags and Access Control
The Add Tags & Access Control screen in the Add Data Store wizard allows you to grant access rights to your data store and add tags. More details below:
ACCESS - select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store. The available options are:
All groups: All groups of users can access the data store through reports. This is the default setting.
Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group. If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.
TAGS - select a tag from the Add Tag drop-down list. Please check the list of prebuilt tags in Predefined Tags.
Tip
New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
Add as many tags as needed.
To remove a tag, click the close icon in the tag name.
In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" for details.
In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add metadata. See "Configuring a Data Store – Tags and Access Control" for details.
Click Save to create the data store. At any time during the configuration you can click Back to go to any of the previous wizard screens to update the configuration. The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
Add AWS S3 Scan
To add a scan for an AWS S3 data store:
Open the Data Discovery & Classification application.
Click Scans > Add Scan. The Add Scan wizard is displayed.
Complete the following steps:
Refer to Scans for the description of screens of the Add Scan wizard.
General Info
Specify a Name for the scan.
(optional) Add a Description for the scan.
Expand Advanced Configuration and specify advanced configurations such as Scan Priority, Memory Usage Limit, and Amount of Data Object Volume. Refer to Advanced Configuration for details.
Click Next.
Select Data Stores
Under Data Store Name, select the desired data store that is Ready for scanning. You can select multiple data stores, if required.
Click Next.
Add Targets
To add a scan target, do one of the following:
Under the Add Target field, specify the correct target path and click Apply.
If no specific target is added, the entire data store will be scanned.
The following table lists target paths and syntax to specify them with examples.
Target Path to Scan | Syntax | Example |
---|---|---|
Full data store | <Empty_Path> | (leave the field empty) |
Whole bucket | <BucketName> | ddc-data |
Specific folder in a bucket | <BucketName>/<folder_name> | ddc-data/test1 |
Specific file in a bucket | <BucketName>/<folder_name>/<filename> | ddc-data/test1/emp-info.txt |
Note
Target paths are case-sensitive, except for the bucket name. A wrongly cased path does not make the scan fail: the scan completes, but the report shows no data objects and no sensitive-data matches for it. If a report comes back empty, check the case of the target path before anything else.
Navigate and add target paths.
Click Browse to navigate target paths from the root level.
Alternatively, provide an initial path in the Add Target Path field and click Browse to navigate targets from that point onward.
In the left pane, navigate and select the desired target path.
Click Add Path to add the target path to the right pane. Similarly, add other target paths.
Click Add.
Tip
Either navigate the target paths from the root level (without specifying any path in the Add Target Path field) or make sure you provide the correct path to navigate further locations within it.
Click Next.
Select Profiles
Under Classification Profile Name, select the desired classification profiles to search for in the data store. You can select multiple profiles, if required. Refer to Classification Profiles for details on classification profiles.
Click Next.
Add Filters
This step is optional.
Select the desired filter from the Select Filter drop-down list.
To filter the locations to scan an AWS S3 data store, consider the following syntax.
Note
Exclude locations by prefix, suffix, and expression filters support wildcard characters. See Using Wildcard Characters to learn how wildcards work.
Exclude locations by prefix
Excludes search locations, and the locations nested under them, whose paths begin with the given string. Use it to exclude entire directory trees. Specify <string>.
Filter Item | Syntax | Example |
---|---|---|
Bucket | <BucketName> | ddctestdata |
Folder | <BucketName>/<FolderName> | ddctestdata/tests |
Sub folder | <BucketName>/<FolderName>/<SubFolderName> | ddctestdata/tests/data |
File | <BucketName>/<FolderName>/<SubFolderName>/<File> | ddctestdata/tests/data/file.txt |
Wildcard usage: ddctestdata* excludes all paths that start with 'ddctestdata'.
Exclude locations by suffix
Excludes search locations, and the locations nested under them, whose paths end with the given string. Specify <string>.
Filter Item | Syntax | Example |
---|---|---|
Bucket | <BucketName>* | ddctestdata* (the trailing wildcard makes this suffix pattern match every path starting with 'ddctestdata') |
Folder | <BucketName>/<FolderName>* | ddctestdata/tests* (matches every path starting with 'ddctestdata/tests') |
Sub folder | <BucketName>/<FolderName>/<SubFolderName>* | ddctestdata/tests/data* (matches every path starting with 'ddctestdata/tests/data') |
File | <FileName> | file.txt |
Wildcard usage: *.txt excludes all paths that end with '.txt'.
Exclude locations by expression
This filter is mainly used with wildcard characters. Excludes search locations, and the locations nested under them, that match the given expression. Specify <string>. For example, to exclude every location that contains 'blob' anywhere in its path, use the expression *blob*.
Filter Item | Syntax | Example |
---|---|---|
Bucket | *<BucketName>* | *ddctestdata* |
Folder | *<FolderName>* | *tests* |
Sub folder | *<FolderName>/<SubFolderName>* | *tests/data* |
File | *<BucketName>/<FolderName>/<FileName>* or *<FileName>* | *ddctestdata/tests/data/file1* or *file1* |
Include locations modified recently
Includes search locations modified within N number of days from the current date, where the value of N ranges from 1 to 99 days. After selecting this filter, specify Days from current date.
Exclude locations greater than file size
Excludes files that are larger than a given file size (in MB). After selecting this filter, specify the file size in MB.
Include locations within modification date
Includes search locations modified within a given range of dates. After selecting this filter, specify the Start and End dates.
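The target-path and exclusion-filter rules described above, as an added example that is not part of the product documentation: a small Python model of how a target path and the prefix, suffix and expression filters narrow the set of S3 objects a scan visits. The wildcard semantics are an assumption ('*' matches any run of characters, '/' included; '?' matches one character), as is treating a filter string without wildcards as a plain string prefix or suffix and an expression as a whole-location match. The product's exact matching rules are documented under Using Wildcard Characters, not on this page, so confirm with a test scan before relying on a filter to keep a sensitive location out of a report.

```python
"""Model of DDC target-path selection and exclusion filters for an AWS S3 data store.

Added example, not code from the CipherTrust DDC documentation or product.
Assumptions (not stated on the page): a location is written 'bucket/key';
'*' matches any run of characters, '/' included, and '?' any single character;
a prefix filter without wildcards is a plain string prefix, a suffix filter a
plain string suffix, and an expression filter must match the whole location.
"""
import fnmatch

WILDCARDS = "*?"

# Constructed sample of object locations, written the way the page writes target paths.
SAMPLE_OBJECTS = [
    "ddc-data/test1/emp-info.txt",
    "ddc-data/test2/payroll.csv",
    "ddctestdata/tests/data/file.txt",
    "ddctestdata/tests/data/file1.json",
    "ddctestdata/tests2/blob-archive.bin",
    "ddctestdata/prod/customers.csv",
    "other-bucket/tests/data/file.txt",
]


def _glob(pattern, path):
    """Wildcard match over the whole location (fnmatch's '*' crosses '/', as assumed above)."""
    return fnmatch.fnmatchcase(path, pattern)


def target_selects(path, target):
    """Does the Add Target path select this object?

    An empty target means the whole data store. The bucket name is compared
    case-insensitively and everything after it case-sensitively, which is the
    behaviour the page's note on case sensitivity describes.
    """
    if target == "":
        return True
    bucket, _, key = path.partition("/")
    t_bucket, _, t_key = target.partition("/")
    if bucket.lower() != t_bucket.lower():
        return False
    if t_key == "":
        return True                                   # whole bucket
    # exact file, or anything under the folder
    return key == t_key or key.startswith(t_key.rstrip("/") + "/")


def excluded_by_prefix(path, prefix):
    if not any(c in prefix for c in WILDCARDS):
        return path.startswith(prefix)                # plain string prefix
    return _glob(prefix + "*", path)                  # wildcarded prefix, anchored at the start


def excluded_by_suffix(path, suffix):
    if not any(c in suffix for c in WILDCARDS):
        return path.endswith(suffix)                  # plain string suffix
    return _glob("*" + suffix, path)                  # wildcarded suffix, anchored at the end


def excluded_by_expression(path, expression):
    return _glob(expression, path)                    # whole-location match, e.g. *blob*


FILTERS = {
    "prefix": excluded_by_prefix,
    "suffix": excluded_by_suffix,
    "expression": excluded_by_expression,
}


def scan_targets(objects, target="", filters=()):
    """Objects a scan would visit for this target path, after applying the exclusion filters in order."""
    selected = [o for o in objects if target_selects(o, target)]
    for kind, value in filters:
        selected = [o for o in selected if not FILTERS[kind](o, value)]
    return selected


if __name__ == "__main__":
    # Wrong case in the key part selects nothing: the scan completes with an empty report.
    print(scan_targets(SAMPLE_OBJECTS, "ddc-data/Test1"))
    print(scan_targets(SAMPLE_OBJECTS, "DDC-DATA/test1"))          # bucket case is ignored
    # A plain prefix is a string prefix: 'ddctestdata/tests' also drops 'ddctestdata/tests2/...'
    print(scan_targets(SAMPLE_OBJECTS, "", [("prefix", "ddctestdata/tests")]))
    print(scan_targets(SAMPLE_OBJECTS, "", [("prefix", "ddctestdata/tests/")]))
    print(scan_targets(SAMPLE_OBJECTS, "ddctestdata", [("suffix", "*.txt"), ("expression", "*blob*")]))
```

Two things the model makes visible: a wrongly cased folder in the target path silently selects nothing, which is the empty-report symptom described in the Note above, and, in this model, a plain prefix such as ddctestdata/tests is a string prefix, so it also excludes ddctestdata/tests2/...; if the product behaves the same way, write ddctestdata/tests/ when only that folder is meant.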
Click Apply.
Repeat the above steps to apply multiple filters. Click Remove to remove any applied filter.
Click Next.
Schedule Run
Specify the scan run frequency. The two options are:
Manual: This is the default option. Select this option to run the scan manually. Select the Run Now check box to start the scan run after you save the changes.
Scheduled: Select this option to configure the scan to run automatically at the specified time.
Refer to Schedule Scan for more details on scheduling scan runs.
Click Save.