Skip to content

Configure Audit Backup Settings on PrivaceraCloud

The access audit records in the Audits page are retained for 30 days in the storage of PrivaceraCloud account. If you want to keep the access audit records for longer, you can copy the audit records from PrivaceraCloud storage to your AWS bucket and Azure. The copied audit records in your AWS and Azure accounts are in ZIP or TAR format.

Contact Privacera Support to enable this feature. When this feature is enabled, you can see the Audit Backup Settings section in the Account page.

When you configure the AWS bucket and region, an ARN Role will be generated automatically by PrivaceraCloud. After configuring this setting, you can see the ARN role in your PrivaceraCloud account. This will be used in the policy of your AWS S3 bucket.

  1. In the Audit Backup Settings section of the Account page:

    a. Click the Enable button of the Access and Admin Audits Backup. The Privacera Access Backup Configuration dialog appears.

    b. Select AWS.

    c. Enter a Bucket or Bucket With Folder Path and Bucket Region.

    Note

    You cannot modify the parameters after saving the bucket name and region.

    d. Click Save Settings.

    • An ARN Role will be generated by PrivaceraCloud.

    e. Click the eye icon to get the ARN Role.

    • The Privacera Access Backup Configuration dialog appears.

    f. Under the User Role section, copy the ARN Role.

    • Subsequently, you can change the values and update the settings.

  2. In the AWS console, add the following bucket policy to your AWS S3 bucket:

JSON
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
{
  "Id": "Policy1645104586202",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1645104584705",
      "Action": "s3:PutObject",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<bucket_name_or_folder_path>",
        "arn:aws:s3:::<bucket_name_or_folder_path>/*"
      ],
      "Principal": {
        "AWS": ["<ARN_ROLE>"]
      }
    }
  ]
}

In the policy above, edit the following information:

  • <bucket_name_or_folder_path>: Add the bucket name or folder path where the audit records will get copied.

  • <ARN_ROLE>: Add the ARN Role copied from PrivaceraCloud portal.

For example, arn:aws:iam::9xxxx56xxxx0:role/PRIVACERA_AUDIT_1xxxxx933xxxx2_ROLE.

Prerequisites

Before you configure audit backups, obtain a Shared Access Signature (SAS) token from the Azure portal. The SAS token must correspond to the Azure storage account specified in the Storage Name field. Ensure that you generate the SAS token for the correct storage account. For more information about how to create SAS token, see Create SAS tokens in the Azure portal.

Steps

  1. In the Audit Backup Settings section of the Account page:

    a. Click the Enable button of the Access and Admin Audits Backup. The Privacera Access Backup Configuration dialog appears.

    b. Select AZURE, and enter the values in the following fields:

    • Storage Name
    • Container Or Container Name With Folder Path
    • Shared Access Signature (SAS) Token

    c. Click Save Settings.

    • Subsequently, you can change the values and update the settings.