Privacera Documentation

Enable Discovery Realtime Scanning Using IAM Role on PrivaceraCloud

In this topic, you will learn how to use an IAM role to configure the AWS S3 service for realtime scanning.

Create an IAM role with AWS S3 permissions

  1. Log in to the AWS console.

  2. Go to Identity and Access Management (IAM) and navigate to Access management > Users/Groups/Roles.

  3. Create a role or edit an existing AWS IAM role. Refer to the AWS documentation on how to create an IAM role.

  4. Navigate to the role created or the role you are editing.

    1. Open the role.

      The role Summary page is displayed.

    2. Copy the Role ARN.

      Use this ARN in the IAM Role ARN field when providing the Application Properties details for the data source.

  5. Add a policy to the AWS IAM role.

    1. Open the role you are editing.

    2. Click the Permissions tab.

    3. In the Permissions policies section, click Attach Policies or Add inline policy.

      The Create policy page is displayed.

    4. Click the JSON tab to add the policy and permissions.

      Refer to the following sample permission JSON for the role on the S3 bucket. Ensure you have Get and List actions in the permissions policy of the role, and replace bucket-name with the name of your bucket.

      Note

      You can scan multiple buckets in multiple regions, or in the same region, from a single IAM role that is configured as part of the data source. This single IAM role must have permission to access all of these buckets.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "AllowAccountLevelS3Actions",
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListAllMyBuckets",
                      "s3:Get*"
                  ],
                  "Resource": "*"
              },
              {
                  "Sid": "AllowListAndReadS3ActionOnMyBucket",
                  "Effect": "Allow",
                  "Action": [
                      "s3:Get*",
                      "s3:List*"
                  ],
                  "Resource": [
                      "arn:aws:s3:::bucket-name/*",
                      "arn:aws:s3:::bucket-name",
                      "arn:aws:s3:::bucket1-name/*",
                      "arn:aws:s3:::bucket1-name",
                      "arn:aws:s3:::bucket2-name/*",
                      "arn:aws:s3:::bucket2-name",
                      "arn:aws:s3:::bucket3-name/*",
                      "arn:aws:s3:::bucket3-name",
                      "arn:aws:s3:::bucket4-name/*",
                      "arn:aws:s3:::bucket4-name",
                      "arn:aws:s3:::bucket5-name/*",
                      "arn:aws:s3:::bucket5-name",
                      "arn:aws:s3:::bucket6-name/*",
                      "arn:aws:s3:::bucket6-name"
                  ]
              },
              {
                  "Sid": "AllowReadS3ActionOnMyQueue",
                  "Effect": "Allow",
                  "Action": [
                      "sqs:ReceiveMessage",
                      "sqs:DeleteMessage",
                      "sqs:GetQueueUrl"
                  ],
                  "Resource": [
                      "<ARN of SQS queue>"
                  ]
              }
          ]
      }

      Note

      Multiple buckets in the same region can be configured to a single SQS queue. Each bucket should be mapped to the SQS queue configured in the above policy.

    5. Click Review policy.

      The Review policy section is displayed.

    6. Enter the policy Name and click Create policy.

  6. Establish IAM Role Trust Relationship with Discovery Data Access Role.

    1. Open the role you are editing.

    2. Click the Trust relationships tab.

    3. Click Edit trust relationship.

    4. Refer to the following JSON to add a new policy document.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::870790086151:role/DISCOVERY_PROD_DATA_ACCESS_ROLE",
                      "Service": "s3.amazonaws.com"
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
      }

    5. Click Update Trust Policy to save this revision.
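The permissions policy in step 5 is easy to get subtly wrong: forgetting the object-level `bucket/*` ARN (so s3:Get* fails on objects), leaving the `bucket-name` or `<ARN of SQS queue>` placeholders in place, or keeping the account-level `s3:Get*` on `Resource: *`, which reads far more than the scan targets. The following check is an added example, not Privacera's code; it walks a policy document and reports those issues, using a constructed sample policy with made-up bucket names that mirrors the template above.

```python
import json
# Constructed sample modelled on the page's template policy: "example-lake" is
# wired up correctly, "example-logs" is missing its object-level "/*" ARN, and
# the SQS placeholder was never replaced. All names here are made up.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAccountLevelS3Actions", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:Get*"], "Resource": "*"},
    {"Sid": "AllowListAndReadS3ActionOnMyBucket", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::example-lake/*", "arn:aws:s3:::example-lake",
                  "arn:aws:s3:::example-logs"]},
    {"Sid": "AllowReadS3ActionOnMyQueue", "Effect": "Allow",
     "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueUrl"],
     "Resource": ["<ARN of SQS queue>"]}
  ]}""")
# The SQS actions the page requires for the realtime event queue.
REQUIRED_SQS = {"sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueUrl"}
S3_ARN = "arn:aws:s3:::"

def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_scan_role_policy(policy):
    """Return sorted findings for a Discovery scan role's permissions policy."""
    findings, buckets, sqs_actions = [], {}, set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        sqs_actions.update(a for a in actions if a.startswith("sqs:"))
        if "*" in resources and any(a.startswith("s3:Get") for a in actions):
            findings.append(f"{sid}: s3:Get* on Resource * reads every bucket; scope it")
        for res in resources:
            if "<" in res or "bucket-name" in res:
                findings.append(f"{sid}: placeholder not replaced: {res}")
            if res.startswith(S3_ARN):
                name, slash, _ = res[len(S3_ARN):].partition("/")
                # s3:List* needs the bucket ARN, s3:Get* needs bucket/* for objects
                buckets.setdefault(name, set()).add("objects" if slash else "bucket")
    for name, levels in sorted(buckets.items()):
        if levels != {"bucket", "objects"}:
            findings.append(f"bucket {name}: needs both {S3_ARN}{name} and {S3_ARN}{name}/*")
    if not REQUIRED_SQS <= sqs_actions:
        findings.append(f"SQS statement missing actions: {sorted(REQUIRED_SQS - sqs_actions)}")
    return sorted(findings)
```

Run it against the policy you are about to attach; an empty list means every bucket has both ARNs, the queue actions are present and no template placeholder survived.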

Configure AWS S3 access using IAM role

Connect application

  1. Go to Settings > Applications.

  2. On the Applications screen, select .

  3. Enter the application Name and Description, and then click Save.

You can see  and  with the toggle buttons.

Note

If you don't see  in your application, enable it in Settings > Account > Discovery.

Enable

  1. Click the toggle button to enable  for your application.

  2. On the BASIC tab, enter values in the following fields.

    • With Use IAM Role disabled:

      1. AWS Access Key: AWS data repository host account Access Key.

      2. AWS Secret Key: AWS data repository host account Secret Key.

      3. AWS Region: AWS S3 bucket region.

        Initially, real-time discovery is disabled.

    • With Use IAM Role enabled:

      1. IAM Role ARN: Enter the full AWS ARN of the IAM role created above.

      2. AWS Region: AWS S3 bucket region.

  3. On the ADVANCED tab, you can add custom properties.

  4. Using the IMPORT PROPERTIES button, you can browse and import application properties.

  5. Click the TEST CONNECTION button to check if the connection is successful, and then click Save.

Go to Data Source to add resources that use this connection as Discovery targets.