AWS S3 Plugin for Log Shipper
This document explains how to configure your AWS S3 integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows pushing web transactions into AWS S3 buckets.
A Netskope Tenant (or multiple, for example, production and development/test instances).
A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
AWS S3 credentials with create/read/write buckets permissions. Obtain your AWS S3 Access key ID and Secret Access Key with permission to read/write on specific buckets or permission to create buckets before proceeding.
Note
Verify your bucket permissions are secure and not set up for open public access. Only allow access to your cloud storage instance from your Cloud Exchange Host and any other addresses that need access.
Create a bucket, an IAM user and policy, and obtain the required credentials.
Configure the AWS S3 plugin.
Configure Log Shipper Business Rules.
Configure Log Shipper SIEM mappings.
Validate the plugin.
To create bucket and set required policies, go to your AWS console and log in.
From All Services, select S3.
Click Create Bucket.
Enter a Bucket Name, scroll to the bottom, and click Create Bucket.
Search for your bucket and click on the bucket name to open it.
Click on Permission to open the permission tab and to set a policy.
Click Edit. Under Block public access (bucket settings), uncheck all checkboxes and click Save Changes. When prompted for a confirmation, confirm it, and then click Confirm.
Under the Permissions tab, click Edit in the Bucket Policy section.
Click Policy Generator.
Select S3 Bucket Policy as policy type for Step 1, and Add Statement details for Step 2, and then click Generate Policy.
Select Type of Policy: S3 Bucket Policy
Effect: Allow
Principal:
<user-arn>Actions:
GetBucketAclGetBucketPolicy
ARN:
arn:aws:s3:::<bucket-name>Click Add Statement.
Click Generate Policy.
Click Policy Generator.
Select S3 Bucket Policy as policy type for Step 1, and Add Statement details for Step 2, and then click Generate Policy.
Select Type of Policy: S3 Bucket Policy
Effect: Allow
Principal:
<user-arn>Actions:
PutObjectPutObjectAcl
ARN:
arn:aws:s3:::<bucket-name>/*Be sure to add/*after the second bucket name.Click Add Statement
Click Generate Policy.
Add this policy to this textbox.
{ "Id": "<policy ID>", "Version": "<version>", "Statement": [ { "Sid": "<statement ID>", "Action": [ "s3:GetBucketAcl", "s3:GetBucketPolicy" ], "Effect": "Allow", "Resource": "arn:aws:s3:::<bucket-name>", "Principal": { "AWS": [ "<user-arn>" ] } }, { "Sid": "<statement ID>", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Effect": "Allow", "Resource": "arn:aws:s3:::<bucket-name>/*", "Principal": { "AWS": [ "<user-arn>" ] } } ] }Scroll to the bottom and click Save Changes.
Go to Policy Generator , select IAM Policy as the policy type, and then click Generate Policy.
Go to Policy Generator and Select IAM Policy as policy type and generate policy.
Select Type of Policy: IAM Policy
Effect: Allow
AWS Service: Amazon S3
Actions:
ListAllMyBuckets
ARN: *
Click Add Statement.
Select Type of Policy: IAM Policy
Effect: Allow
AWS Service: Amazon S3
Actions:
GetBucketAcl
GetBucketPolicy
GetBucketLocation
ARN: arn:aws:s3:::<bucket-name>
Click on “Add Statement”
Create the policy required IAM, as shown below. Be sure to add
/*after the second bucket name.{ "Policy": { "Version": "<version>", "Statement": [ { "Sid": "<statement ID>", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" }, { "Sid": "<statement ID>", "Effect": "Allow", "Action": [ "s3:GetBucketAcl", "s3:GetBucketPolicy" ], "Resource": "arn:aws:s3:::<bucket-name>" }, { "Sid": "<statement ID>", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::<bucket-name>/*" } ] } }Go to AWS Console and select IAM from All Services. Click Policies in the left panel, and then click Create Policy.
Copy that policy to the JSON tab. Click Next:Tags, and then click Next:Review.
Enter a name and click Save Changes.
To create an IAM User, and get the Access ID and Secret Access Key, go to the AWS Console and select IAM from All Services.
Click Users in the left panel.
Click Add Users.
Enter a User name, check the Access key - programmatic Access checkbox, and then click Next:Permissions.
Click Attach existing policies directly, and then click on Create Policy.
Search for your policy name that you created and then click Next:Tags > Next:Reviews > Create User.
Copy the Access Key ID and Secret Access Key.
The account that owns the access keys should have the below policy.
aws s3api put-bucket-policy --bucket MyBucket --policy file://policy.json
policy.json:
{
"Policy": {
"Version": "<version>",
"Statement": [
{
"Sid": "<statement ID>",
"Effect": "Allow",
"Principal": {
"AWS": "<user-arn>"
},
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy"
],
"Resource": "arn:aws:s3:::<bucket-name>"
},
{
"Sid": "<statement ID>",
"Effect": "Allow",
"Principal": {
"AWS": "<user-arn>"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::<bucket-name>/*"
}
]
}
}
aws iam put-user-policy --user-name <username> --policy-name <policy_name> --policy-document file://iam_policy.json iam_policy.json: { "Policy": { "Version": "<version>", "Statement": [ { "Sid": "<statement ID>", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" }, { "Sid": "<statement ID>", "Effect": "Allow", "Action": [ "s3:GetBucketAcl", "s3:GetBucketPolicy" ], "Resource": "arn:aws:s3:::<bucket-name>" }, { "Sid": "<statement ID>", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::<bucket-name>/*" } ] } }
In Cloud Exchange, go to Settings > Plugins.
Search for and select the AWS S3 box to open the plugin creation pages.
Enter a Configuration Name.
Click Next.
Enter your AWS Access Key ID, AWS Secret Access Key, and select a Region Name. Enter a Bucket Name, Object Prefix, Maximum File Size, and Maximum Duration.
Object Prefix: Will be added to the Object key name while ingesting web transactions to the AWS S3 bucket.)
Maximum File Size and Maximum Duration: Whichever hits first, data will be exported according to that.)
Click Save.
Go to Log Shipper > Business Rules.
Click Create New Rule.
Enter a Rule Name and select the filters to use.
Click Save.
Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
Select a Source Configuration, Business Rule, and Destination Configuration.
Click Save.
To validate the plugin workflow, you can check from Netskope Cloud Exchange and from AWS CLI.
To validate from Netskope Cloud Exchange,
Go to Logging.
To validate from the AWS CLI.
Install AWS CLI in your machine.
(Reference: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
Configure AWS CLI in your machine.
(Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html)
Use these commands to view buckets and objects.
To list all the buckets.
aws s3 ls
To list all the objects in a bucket.
aws s3 ls s3://<bucket_name>To download an object from a bucket to a local machine.
aws s3 cp s3://<bucket_name>/<object_path> <local_path>