Skyhigh Security

Data Storage for Amazon Web Services

Save Evidence is an advanced DLP feature that requires entitlement to a separate add-on SKU. Contact Skyhigh Support or your account manager for assistance.

The Policy Settings Data Storage tab allows you to configure data storage settings for Match Highlighting, Connected Apps Notes, Incident Notes, End-User Remediation, and Web Evidence.

To store your data, you can use Microsoft Azure, IBM Cloud, Amazon Web Services (AWS), or Skyhigh.

Configure Data Storage in Skyhigh CASB

To configure data storage for AWS:

  1. Go to Policy > Policy Settings.
  2. Select the Data Storage tab.
  3. Under Data Store, select Your Own.

NOTE: Web Evidence files can only be stored if you select Your Own storage. Currently, you can store your web evidence files only on AWS. For details on how to save your web evidence files, see Save DLP Evidence.

  4. From Data Store Provider, select Amazon Web Services (AWS).
  5. Take note of the Skyhigh Security Cloud AWS ID and External ID. You will need to enter this information in AWS.
  6. In AWS, create a new S3 Bucket.

NOTE: To save the cloud storage configuration for any tenant, versioning must be enabled on the bucket. For details, see AWS S3.

  7. Create a new IAM policy and give it the following permissions. Make sure to replace "bucket-name" with the bucket name you created.
    
    {
        "Statement": [{
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation",
                    "s3:ListBucketMultipartUploads",
                    "s3:ListBucketVersions",
                    "s3:GetBucketVersioning"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::bucket-name"
                ]
            }, {
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:AbortMultipartUpload",
                    "s3:ListMultipartUploadParts",
                    "s3:DeleteObjectVersion"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::bucket-name/*"
                ]
            }
        ],
        "Version": "2012-10-17"
    }
    
    
  8. Name the policy SKYHIGH_S3_Storage_Policy.
  9. Create a new IAM Role using type Another AWS account.
  10. For Account ID and External ID, use the information from the Skyhigh CASB Data Storage tab, then click Next: Permissions.


  11. Attach the SKYHIGH_S3_Storage_Policy policy to this new IAM role.
  12. Click Next. Skip the Tags page.
  13. Enter the role name SKYHIGH_S3_Storage_Role.
  14. Click Create role.
  15. From the AWS Roles page, select SKYHIGH_S3_Storage_Role.
  16. Copy the Role ARN to the clipboard.
  17. In Skyhigh CASB, on the Policy Settings > Data Storage tab, enter the AWS S3 Bucket name.
  18. Enter the AWS Role ARN.
  19. Select the Region from the menu where the S3 bucket was created.
  20. Click Test Connection, and look for the success notification.

IMPORTANT: If the test fails, DO NOT PROCEED. Make sure that the AWS Account ID and External ID are entered correctly in the IAM Role. Also, make sure the AWS Region is correct. For help, contact Skyhigh CASB Support.

  21. When the test is successful, click Save.

Additional JSON Permission Policies

These additional JSON permission policies let you lock down the role's permissions to a single Skyhigh CASB source IP address for additional security.

For a list of Skyhigh CASB egress device IP addresses, contact Support.

Goal: Lock down to a single S3 bucket and source IP.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:Put*",
                "s3:List*",
                "s3:Delete*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "XXX.XXX.XXX.XXX/32",
                        "YYY.YYY.YYY.YYY/32"
                    ]
                }
            },
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}
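As an added example (not Skyhigh's or AWS's code), the following Python helper builds the SKYHIGH_S3_Storage_Policy from the procedure above with the bucket name filled in, optionally applies the aws:SourceIp lock-down from this section to that explicit-action policy instead of the wildcard one, and lints a policy document before it is uploaded. The trust policy function is assumed to match what the IAM console generates for a role of type Another AWS account with an External ID; the bucket name, account ID, external ID and CIDRs used with it are constructed placeholders.

```python
import ipaddress
import json

# Actions from the SKYHIGH_S3_Storage_Policy in the procedure above.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads",
                  "s3:ListBucketVersions", "s3:GetBucketVersioning"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload",
                  "s3:ListMultipartUploadParts", "s3:DeleteObjectVersion"]


def trust_policy(account_id, external_id):
    """Trust policy for a role of type 'Another AWS account' (assumed to match what the
    IAM console generates). The sts:ExternalId condition blocks confused-deputy use."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def storage_policy(bucket, source_ips=None):
    """Permission policy with the bucket name filled in, optionally locked to source CIDRs."""
    statements = [
        {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": [f"arn:aws:s3:::{bucket}/*"]},
    ]
    if source_ips:
        # ip_network() rejects placeholders such as "XXX.XXX.XXX.XXX/32" before IAM sees them
        cidrs = [str(ipaddress.ip_network(ip, strict=True)) for ip in source_ips]
        for stmt in statements:
            stmt["Condition"] = {"IpAddress": {"aws:SourceIp": cidrs}}
    return {"Version": "2012-10-17", "Statement": statements}


def policy_problems(policy, bucket):
    """Lint a policy (JSON text or dict) before uploading: invalid JSON, wildcard actions
    and resources outside the configured bucket are reported as strings."""
    try:
        doc = json.loads(policy) if isinstance(policy, str) else policy
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    problems = []
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        problems += [f"wildcard action {a}" for a in actions if "*" in a]
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        problems += [f"resource outside bucket: {r}" for r in resources if r not in allowed]
    return problems
```

The linter reports a missing comma between aws:SourceIp entries as invalid JSON, and flags wildcard actions such as s3:Put*, which on the bucket ARN also cover bucket-level operations like s3:PutBucketPolicy that the explicit list in the procedure does not grant.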
