This article explains how to configure the connector for Amazon S3, so that data generated from Cato can be securely stored.
To minimize data exposure and ensure compliance with regulatory requirements, you can create an integration with a third party for the storage of the evidence files.
This is supported for storing data from DLP policy violations. For more information, see Investigating DLP Violations with Forensic Evidence.
To configure the integration, you need to:
- Configure the integration storage application
- Create the API connector in the CMA
To configure the Amazon S3 integration, first create the required resources in the AWS console, then configure the connector within the CMA.
In AWS, create a new S3 bucket and an IAM policy that allows uploading to it. Then create an IAM role that trusts Cato's role ARN (with your CMA Account ID as the sts:ExternalId) and attach the policy to that role. Cato assumes the role to upload evidence files to the bucket, so the bucket itself needs no public access and no long-lived access keys are exchanged.
Notes:
- Only regions for S3 buckets where Security Token Service (STS) is active are supported. For more information about enabling STS for a region, see the relevant AWS documentation.
- The China S3 region is not supported.
- If access to the third-party service is limited to specific IP addresses, please refer to this article for the list of Cato IP addresses that you need to allow (you must be signed in to view this article).
To configure the Amazon S3 Integration:
1. Log in to the Amazon S3 Console (https://console.aws.amazon.com/s3/).
2. Create a new S3 bucket in the appropriate AWS Region. For more information, see the AWS documentation.
3. Create a new IAM policy for the S3 bucket that allows uploading data to the bucket. In the policy editor, click the JSON tab, copy the Cato JSON below, replace BUCKET-NAME (in both Resource entries) with the name of your S3 bucket, and paste the result into the tab:
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "",
         "Effect": "Allow",
         "Action": [
           "s3:ListBucket",
           "s3:GetBucketLocation"
         ],
         "Resource": [
           "arn:aws:s3:::BUCKET-NAME"
         ]
       },
       {
         "Sid": "",
         "Effect": "Allow",
         "Action": [
           "s3:PutObject",
           "s3:GetObject"
         ],
         "Resource": [
           "arn:aws:s3:::BUCKET-NAME/*"
         ]
       }
     ]
   }
4. Review the settings for the policy and click Create policy.
5. Create a new IAM role with Cato's ARN to allow Cato to upload the evidence files for your account to the S3 bucket.
6. In the Select trusted entity screen, add Cato's ARN to the role by using the trust policy below. Replace <CMA Account ID> with your CMA Account ID.
   Cato's ARN: arn:aws:iam::428465470022:role/cato-forensics-integration
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "Statement1",
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::428465470022:role/cato-forensics-integration"
         },
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": "<CMA Account ID>"
           }
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   The sts:ExternalId condition means that Cato's role can assume your role only when it presents your CMA Account ID as the external ID, so the role cannot be used on behalf of any other Cato account (the standard protection against the confused deputy problem). Do not remove this condition. Click Next.
7. In the Add permissions screen, attach the policy that you created in step 4 to the role and click Next.
8. Enter the Role name and click Create role.
The AWS S3 bucket is ready to integrate with your Cato account.
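As an added example (not from the Cato article and not Cato's or AWS's own tooling), the same AWS-side setup as a POSIX shell script driven by the AWS CLI. It assumes AWS CLI v2 is installed and authenticated with rights to create buckets, IAM policies and IAM roles. The role and policy names, the Sid values (the article leaves them empty), the check_trust_policy pre-flight check and the public-access-block call are choices made here, not steps the article specifies; the policy documents themselves follow the article. The check refuses a trust policy that does not name Cato's role, lacks the sts:ExternalId condition, or still carries the literal <CMA Account ID> placeholder, since a role created with any of those defects cannot be assumed correctly by Cato.

```shell
#!/bin/sh
# Added example, not Cato's or AWS's own code: scripted version of the
# console steps above. Assumes AWS CLI v2 is installed and authenticated
# with rights to create buckets, IAM policies and IAM roles.
set -eu

# Cato's role, exactly as given in the article's trust policy.
CATO_ROLE_ARN="arn:aws:iam::428465470022:role/cato-forensics-integration"

# Permissions policy from the article with BUCKET-NAME filled in.
# The Sid values are placeholders chosen here (the article leaves them empty).
permissions_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CatoBucketAccess",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": ["arn:aws:s3:::${bucket}"]
    },
    {
      "Sid": "CatoObjectAccess",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::${bucket}/*"]
    }
  ]
}
EOF
}

# Trust policy from the article: only Cato's role may assume the new role,
# and only when it presents your CMA Account ID as the sts:ExternalId.
trust_policy() {
  cma_account_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": { "AWS": "${CATO_ROLE_ARN}" },
      "Condition": { "StringEquals": { "sts:ExternalId": "${cma_account_id}" } },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Pre-flight check (added here): reads a trust policy on stdin and fails if
# the principal is not Cato's role, the ExternalId condition is missing, or
# the "<CMA Account ID>" placeholder was never replaced.
check_trust_policy() {
  doc="$(cat)"
  printf '%s\n' "$doc" | grep -q -F "\"AWS\": \"${CATO_ROLE_ARN}\"" \
    || { echo "trust policy: principal is not Cato's role" >&2; return 1; }
  printf '%s\n' "$doc" | grep -q -F '"sts:ExternalId"' \
    || { echo "trust policy: missing sts:ExternalId condition" >&2; return 1; }
  printf '%s\n' "$doc" | grep -q -F '<CMA Account ID>' \
    && { echo "trust policy: replace <CMA Account ID> with your CMA Account ID" >&2; return 1; }
  return 0
}

# Creates the bucket, policy and role; prints the role ARN to paste into the
# CMA "Role ARN" field. Role and policy names are placeholders chosen here.
create_cato_s3_integration() {
  bucket="$1"; region="$2"; cma_account_id="$3"
  role_name="${4:-cato-forensics-upload}"
  policy_name="${role_name}-policy"
  tmp="$(mktemp -d)"

  # us-east-1 rejects a LocationConstraint; every other region requires one.
  # Use a region where STS is active (see the article's notes).
  if [ "$region" = "us-east-1" ]; then
    aws s3api create-bucket --bucket "$bucket" --region "$region" >/dev/null
  else
    aws s3api create-bucket --bucket "$bucket" --region "$region" \
      --create-bucket-configuration "LocationConstraint=${region}" >/dev/null
  fi
  # Hardening not listed in the article: evidence files must never be public.
  aws s3api put-public-access-block --bucket "$bucket" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

  permissions_policy "$bucket" > "$tmp/permissions.json"
  trust_policy "$cma_account_id" > "$tmp/trust.json"
  check_trust_policy < "$tmp/trust.json"

  policy_arn="$(aws iam create-policy --policy-name "$policy_name" \
    --policy-document "file://$tmp/permissions.json" \
    --query Policy.Arn --output text)"
  role_arn="$(aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document "file://$tmp/trust.json" \
    --query Role.Arn --output text)"
  aws iam attach-role-policy --role-name "$role_name" --policy-arn "$policy_arn"
  rm -rf "$tmp"
  echo "$role_arn"
}

# Usage against a real account (creates billable resources):
#   create_cato_s3_integration my-dlp-evidence eu-west-1 <your CMA Account ID>
```

The ARN printed by create_cato_s3_integration is the value the CMA asks for as Role ARN; the bucket name and region are the other two values you enter there. Keep the generated trust.json (or re-run trust_policy) if you later audit the role, and compare it against what IAM reports for the role's trust relationship.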
After you have set up an integration with the required application, add the details in the CMA.
To create the API connector in the CMA:
1. From the navigation menu, click Resources > Integrations.
2. Click the Integrated Apps tab.
3. Click New. The New Integration panel opens.
4. In the SaaS Application drop-down, select Amazon S3.
5. Add these details:
   - Auth: AWS Assume Role
   - Name: The name for this integration
   - Description: (Optional) Add a description
   - Role ARN: The ARN of the IAM role you created for Cato. You can find it in the AWS Management Console under IAM > Roles
   - Region: The AWS Region of the S3 bucket you created
   - Bucket: The name of the S3 bucket you created
   - Folder Path: The path of the folder in the bucket where the evidence files are stored. If the folder does not exist, it is created
6. Click Save.
The app is shown in the Integrated Apps table with the status Connected.