Enable SaaS API Data Loss Prevention for AWS Tenants

To apply DLP SaaS API rules to files in an AWS tenant, you must authorize the tenant using the procedure described below. Once the tenant is authorized, for each file residing in the tenant, when the system finds data in violation of an enabled SaaS API rule it will enforce the action of that rule. To enable this feature:

1. Enable CloudTrail Event Logging for S3 Buckets and Objects from the AWS console. (You need only enable this feature once for your account; you need not do it for each AWS tenant you authorize.)
2. Authorize an AWS Tenant in Secure Access.
3. Create an AWS Stack from the AWS console.

An AWS account can support at most one Cloud Malware tenant and one SaaS API DLP tenant at the same time. You cannot authorize multiple SaaS API DLP tenants for a single AWS account.

Table of Contents

• Prerequisites
• Limitation
• Enable CloudTrail Event Logging for S3 Buckets and Objects
• Obtain Your AWS Account ID
• Authorize an AWS Tenant
• Create an AWS Stack
• Revoke Authorization

Prerequisites

• Full Admin user role. For more information, see Manage Accounts.
• You must have an active AWS tenant and the person doing the installation must be an AWS Administrator.
• You must Enable CloudTrail Event Logging for S3 Buckets and Objects from the AWS console. (You need enable this feature only once for your account; you need not do it for each AWS tenant you authorize.)
• You must Obtain your AWS Account ID .
• Chrome or Firefox (recommended) with pop-up blockers and ad blockers disabled (only for the duration of authorization).

Limitation

• A tenant that fails to authenticate cannot be deleted.

Enable CloudTrail Event Logging for S3 Buckets and Objects

We require that you enable CloudTrail event logging to provide you with a record of activities in your AWS account. You need enable this feature only once for your account; you need not do it for each AWS tenant you authorize.

1. In the AWS console, navigate to CloudTrail and choose Create Trail.

2. Provide a meaningful Trail name for your trail.
3. Under Events, choose Data Events to log data events.
4. For Storage location, choose Use existing S3 bucket, and choose Browse to choose an S3 bucket in your account.
5. You may optionally choose to enable Log file SSE KMS encryption for your log files. (If you choose this option, see Step 11.)
6. On theChoose log events page, choose Data events.
7. For Data event source choose S3.
8. You can choose from:

• Log all current and future S3 buckets (This is the default.)

Choose to log Write events.

• Individual bucket selection (This can be a more economical choice.)

Browse for existing buckets and click Add bucket to log data events for each. Choose to log Write events.

9. For the remaining options in the CloudTrail creation wizard, choose the settings appropriate to your environment.
10. On the Review and Create page, review your choices and Edit if necessary. Then click Create Trail.
11. If in Step 5 you chose to enable Log file SSE KMS encryption for your log files, grant permission for the encryption key to the role CiscoSecureAccessScanner. In the AWS console, under Key Management Service (KMS) > Customer managed keys > Key ID > Edit key policy, add a statement to grant permission for the role CiscoSecureAccessScanner.
12. If your S3 buckets have restrictive policies associated with them, add statements to those policies to grant the role CiscoSecureAccessScanner access to those buckets. In the AWS console, see Amazon S3 > Buckets > Bucket Name > Permissions > Bucket Policy.

Obtain Your AWS Account ID

1. Log in to the AWS Management Console with an Admin account.
2. In the navigation bar at the upper right, click on your user name. The account ID is displayed above your user name.
3. Click the Copy icon to the right of the Account ID to copy it.

Authorize an AWS Tenant

1. Navigate to Admin > Authentication.
2. Under Platforms, click to expand AWS S3.
3. In the DLP subsection, click Authorize New Tenant to add an AWS tenant to your Secure Access environment.

4. In the AWS S3 Authorization dialog, click Download CloudFormation Template to download an AWS CloudFormation template (aws-cisco-template.json). Save the template to your local machine, then Create an AWS Stack before proceeding to the next step.

Note: If you enable both DLP and Cloud Malware protection for a tenant, a single stack can serve for both purposes. If you have already created an AWS stack for Cloud Malware protection, you need not create another.

5. In the AWS S3 Authorization dialog, check the checkboxes to verify you have created an AWS stack and then click Next.

6. Enter a name for your tenant that is meaningful within your environment, then click Next.

7. Paste your AWS Account ID in the text box, confirm that you have used the CloudFormation template to create an AWS stack, and click Done. (It may be up to 24 hours for the integration to be confirmed and appear as Authorized on the Authentication page.)

Create an AWS Stack

Secure Access requires an AWS stack to monitor and communicate with your S3 resources. If you have more than one AWS tenant, you will need a stack for each tenant. If you enable both DLP and Cloud Malware protection for a tenant, a single stack can serve for both purposes.

NOTE: If you enable both DLP and Cloud Malware protection for an AWS tenant, and then disable one of those two forms of protection, you must leave the stack intact to support the remaining protection.

Important:Perform this task after you have downloaded a CloudFormation Template in Step 4 of Authorize an AWS Tenant. Once you have created the stack, return to Step 5 of that task.

For more information about AWS Stacks, see the Amazon AWS Cloud Formation User Guide.

1. Log in to the AWS Management Console with an Admin account.
2. In the AWS console, navigate to CloudFormation > Stacks and choose Create new stack > With new resources.

3. On the Create stack page, under Prerequisite - Prepare template, select Choose an existing template.

4. On the Create stack page, under Specify template, select Upload a template file, then click Choose file and navigate to and select the JSON file (aws-cisco-template.json) on your local system which you downloaded when you authorized the AWS tenant in Secure Access.

5. (Optional) Click View in Application Composer to open a new tab displaying a graphical representation of the stack deployment.
6. Click Next.
7. For the remaining options in the stack creation wizard, choose the settings appropriate to your environment. We recommend the following best practices:

   • Provide a stack name that is meaningful within your environment.
   • Under Stack failure options, choose Role back stack resources and Delete all newly created resources.

8. Acknowledge that AWS CloudFormation may create IAM resources with custom names within your AWS account.

9. Click Submit.
10. In the AWS console the status of all stack in your account is displayed under CloudFormation > Stacks. Wait until the status for your new stack is displayed as CREATE_COMPLETE.
11. Continue with Step 5 of Authorize an AWS Tenant.

Revoke Authorization

1. Navigate to Admin > Authentication.
2. In the Platforms section, click AWS S3.
3. Under Action column,, click Revoke. You can revoke any authorized tenant.

4. Confirm to proceed. The selected account is no longer authorized.

Consider deleting the AWS stack you created if it is not needed for other purposes.

---

Manage SaaS API Data Loss Prevention < Enable SaaS API Data Loss Prevention for AWS Tenants > Enable SaaS API Data Loss Prevention for Azure Tenants