Release notes
Getting started with BlueXP classification for Amazon S3
Suggest changes
PDFs
BlueXP classification can scan your Amazon S3 buckets to identify the personal and sensitive data that resides in S3 object storage. BlueXP classification can scan any bucket in the account, regardless if it was created for a NetApp solution.
Quick start
Get started quickly by following these steps, or scroll down to the remaining sections for full details.
Set up the S3 requirements in your cloud environmentEnsure that your cloud environment can meet the requirements for BlueXP classification, including preparing an IAM role and setting up connectivity from BlueXP classification to S3. See the complete list.
Deploy the BlueXP classification instanceDeploy BlueXP classification if there isn't already an instance deployed.
Activate BlueXP classification on your S3 working environmentSelect the Amazon S3 working environment, click Enable, and select an IAM role that includes the required permissions.
Select the buckets to scanSelect the buckets that you'd like to scan and BlueXP classification will start scanning them.
Reviewing S3 prerequisites
The following requirements are specific to scanning S3 buckets.
- Set up an IAM role for the BlueXP classification instance
-
BlueXP classification needs permissions to connect to the S3 buckets in your account and to scan them. Set up an IAM role that includes the permissions listed below. BlueXP prompts you to select an IAM role when you enable BlueXP classification on the Amazon S3 working environment.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*", "s3:PutObject" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedRolePolicies" ], "Resource": [ "arn:aws:iam::*:policy/*", "arn:aws:iam::*:role/*" ] } ] } - Provide connectivity from BlueXP classification to Amazon S3
-
BlueXP classification needs a connection to Amazon S3. The best way to provide that connection is through a VPC Endpoint to the S3 service. For instructions, see AWS Documentation: Creating a Gateway Endpoint.
When you create the VPC Endpoint, be sure to select the region, VPC, and route table that corresponds to the BlueXP classification instance. You must also modify the security group to add an outbound HTTPS rule that enables traffic to the S3 endpoint. Otherwise, BlueXP classification can't connect to the S3 service.
If you experience any issues, see AWS Support Knowledge Center: Why can't I connect to an S3 bucket using a gateway VPC endpoint?
An alternative is to provide the connection by using a NAT Gateway.
You can't use a proxy to get to S3 over the internet.
Deploying the BlueXP classification instance
Deploy BlueXP classification in BlueXP if there isn't already an instance deployed.
You need to deploy the instance using a Connector deployed in AWS so that BlueXP automatically discovers the S3 buckets in this AWS account and displays them in an Amazon S3 working environment.
Note: Deploying BlueXP classification in an on-premises location is not currently supported when scanning S3 buckets.
Upgrades to BlueXP classification software is automated as long as the instance has internet connectivity.
Activating BlueXP classification on your S3 working environment
Enable BlueXP classification on Amazon S3 after you verify the prerequisites.
-
From the BlueXP left navigation menu, click Storage > Canvas.
-
Select the Amazon S3 working environment.
-
In the Services pane on the right, click Enable next to Classification.
-
When prompted, assign an IAM role to the BlueXP classification instance that has the required permissions.
-
Click Enable.
|
You can also enable compliance scans for a working environment from the Configuration page by clicking the  button and selecting Activate BlueXP classification.
|
BlueXP assigns the IAM role to the instance.
Enabling and disabling compliance scans on S3 buckets
After BlueXP enables BlueXP classification on Amazon S3, the next step is to configure the buckets that you want to scan.
When BlueXP is running in the AWS account that has the S3 buckets you want to scan, it discovers those buckets and displays them in an Amazon S3 working environment.
BlueXP classification can also scan S3 buckets that are in different AWS accounts.
-
Select the Amazon S3 working environment.
-
In the Services pane on the right, click Configure Buckets.
-
Enable mapping-only scans, or mapping and classification scans, on your buckets.
To: Do this: Enable mapping-only scans on a bucket
Click Map
Enable full scans on a bucket
Click Map & Classify
Disable scanning on a bucket
Click Off
BlueXP classification starts scanning the S3 buckets that you enabled. If there are any errors, they'll appear in the Status column, alongside the required action to fix the error.
Scanning buckets from additional AWS accounts
You can scan S3 buckets that are under a different AWS account by assigning a role from that account to access the existing BlueXP classification instance.
-
Go to the target AWS account where you want to scan S3 buckets and create an IAM role by selecting Another AWS account.
Be sure to do the following:
-
Enter the ID of the account where the BlueXP classification instance resides.
-
Change the Maximum CLI/API session duration from 1 hour to 12 hours and save that change.
-
Attach the BlueXP classification IAM policy. Make sure it has the required permissions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*", "s3:PutObject" ], "Resource": "*" }, ] }
-
-
Go to the source AWS account where the BlueXP classification instance resides and select the IAM role that is attached to the instance.
-
Change the Maximum CLI/API session duration from 1 hour to 12 hours and save that change.
-
Click Attach policies and then click Create policy.
-
Create a policy that includes the "sts:AssumeRole" action and specify the ARN of the role that you created in the target account.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::<ADDITIONAL-ACCOUNT-ID>:role/<ADDITIONAL_ROLE_NAME>" }, { "Effect": "Allow", "Action": [ "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAttachedRolePolicies" ], "Resource": [ "arn:aws:iam::*:policy/*", "arn:aws:iam::*:role/*" ] } ] }The BlueXP classification instance profile account now has access to the additional AWS account.
-
-
Go to the Amazon S3 Configuration page and the new AWS account is displayed. Note that it can take a few minutes for BlueXP classification to sync the new account's working environment and show this information.
-
Click Activate BlueXP classification & Select Buckets and select the buckets you want to scan.
BlueXP classification starts scanning the new S3 buckets that you enabled.