Configure AWS SQS queue for real-time scanning¶

To enable real-time scanning for Amazon S3 buckets, follow these steps:

1. Configure SQS to Allow S3 to Send Events¶

1.1 Navigate to the SQS Queue¶

Open the AWS Management Console and navigate to Amazon SQS.
Select the SQS queue to which the access policy should be applied.
- If the SQS queue was automatically created by PM, its name will be prefixed with:
Text Only
1
privacera_bucket_sqs_{{DEPLOYMENT_ENV_NAME}}
If DEPLOYMENT_ENV_NAME is privacera-prod, the SQS queue name will be privacera_bucket_sqs_privacera-prod.

1.2 Apply the Access Policy¶

Ensure that the SQS queue has the appropriate permissions to receive events from the S3 bucket.

Steps to Update the Queue Policy¶

Click on the SQS Queue and navigate to the Configure Queue Policy tab.
Add the following policy to the queue, replacing the placeholders with the appropriate values:

SQS Access Policy

Replace the following placeholders

AWS_REGION: The AWS region where the resources are created.

ACCOUNT_ID: The AWS account ID where the resources are created.

DEPLOYMENT_ENV_NAME: The Privacera deployment environment name.

DISCOVERY_SCAN_BUCKET_NAME: The S3 bucket name where the data to be scanned is stored.

SQS_QUEUE_NAME: The SQS queue name where the events are sent. (e.g. privacera_bucket_sqs_privacera-prod)

SQS Access Policy
{
    "Version": "2012-10-17",
    "Id": "arn:aws:sqs:<AWS_REGION>:<ACCOUNT_ID>:<SQS_QUEUE_NAME>/SQSDefaultPolicy",
    "Statement": [
        {
           "Sid": "AllowS3Notify1",
           "Effect": "Allow",
           "Principal": {
               "AWS": "*"
           },
           "Action": "SQS:SendMessage",
           "Resource": "arn:aws:sqs:<AWS_REGION>:<ACCOUNT_ID>:<SQS_QUEUE_NAME>",
           "Condition": {
               "ArnLike": {
                   "aws:SourceArn": "arn:aws:s3:*:*:<DISCOVERY_SCAN_BUCKET_NAME>"
               }
           } 
        }
    ]
}

1.3 Save and Apply Changes¶

Click Save to apply the updated access policy to the SQS queue.

This configuration enables the S3 bucket to send event notifications to the SQS queue, facilitating real-time scanning.

2. Configure Event Notification from S3 Bucket to SQS Queue¶

Follow these steps to configure event notifications from an S3 bucket to an SQS queue for real-time scanning.

2.1 Access S3 in AWS Console¶

Log in to the AWS Management Console.
Navigate to the S3 service.
Locate and select the S3 bucket that requires real-time scanning.

2.2 Create an Event Notification¶

In the Properties tab, navigate to the Event Notifications section.
Click Create event notification.

2.3 Configure Event Notification Settings¶

Event Name: Enter a descriptive name for the event.
Event Types: Select the following event types:
All object create events
All object delete events
All object tagging events (Optional - If you want to fetch S3 tags)

2.4 Set Destination to SQS¶

Destination Type: Select SQS Queue.
Choose SQS Queue: From the dropdown list, select the SQS queue (e.g. privacera_bucket_sqs_privacera-prod).

2.5 Save the Configuration¶

Click Save Changes to apply the event notification settings.

This configuration ensures that all relevant S3 events are sent to the SQS queue, enabling real-time scanning.

Prev Realtime Scan