English

Getting started with Cloud Compliance for Amazon S3

Contributors netapp-tonacki netapp-bcammett Download PDF of this page

Cloud Compliance can scan your Amazon S3 buckets to identify the personal and sensitive data that resides in S3 object storage. Cloud Compliance can scan any bucket in the account, regardless if it was created for a NetApp solution.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

Number 1 Set up the S3 requirements in your cloud environment

Ensure that your cloud environment can meet the requirements for Cloud Compliance, including preparing an IAM role and setting up connectivity from Cloud Compliance to S3. See the complete list.

Number 2 Deploy the Cloud Compliance instance

Deploy Cloud Compliance in Cloud Manager if there isn’t already an instance deployed.

Number 3 Activate Compliance on your S3 working environment

Select the Amazon S3 working environment, click Enable Compliance, and select an IAM role that includes the required permissions.

Number 4 Select the buckets to scan

Select the buckets that you’d like to scan and Cloud Compliance will start scanning them.

Reviewing S3 prerequisites

The following requirements are specific to scanning S3 buckets.

Set up an IAM role for the Cloud Compliance instance

Cloud Compliance needs permissions to connect to the S3 buckets in your account and to scan them. Set up an IAM role that includes the permissions listed below. Cloud Manager prompts you to select an IAM role when you enable Cloud Compliance on the Amazon S3 working environment.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "s3:Get*",
              "s3:List*",
              "s3:HeadBucket"
          ],
          "Resource": "*"
      },
      {
          "Effect": "Allow",
          "Action": [
              "iam:GetPolicyVersion",
              "iam:GetPolicy",
              "iam:ListAttachedRolePolicies"
          ],
          "Resource": [
              "arn:aws:iam::*:policy/*",
              "arn:aws:iam::*:role/*"
          ]
      }
  ]
}
Provide connectivity from Cloud Compliance to Amazon S3

Cloud Compliance needs a connection to Amazon S3. The best way to provide that connection is through a VPC Endpoint to the S3 service. For instructions, see AWS Documentation: Creating a Gateway Endpoint.

When you create the VPC Endpoint, be sure to select the region, VPC, and route table that corresponds to the Cloud Compliance instance. You must also modify the security group to add an outbound HTTPS rule that enables traffic to the S3 endpoint. Otherwise, Cloud Compliance can’t connect to the S3 service.

An alternative is to provide the connection by using a NAT Gateway.

You can’t use a proxy to get to S3 over the internet.

Deploying the Cloud Compliance instance

Deploy Cloud Compliance in Cloud Manager if there isn’t already an instance deployed.

You need to deploy the instance in an AWS Connector so that Cloud Manager automatically discovers the S3 buckets in this AWS account and displays them in an Amazon S3 working environment.

Activating Compliance on your S3 working environment

Enable Cloud Compliance on Amazon S3 after you verify the prerequisites.

Steps
  1. At the top of Cloud Manager, click Working Environments.

  2. Select the Amazon S3 working environment.

    A screenshot of an Amazon S3 working environment icon

  3. In the pane on the right, click Enable Compliance.

    A screenshot of enabling the Cloud Compliance service from the Services panel

  4. When prompted, assign an IAM role to the Cloud Compliance instance that has the required permissions.

    A screenshot of entering the AWS IAM role for Cloud Compliance

  5. Click Enable Compliance.

You can also enable compliance scans for a working environment from the Scan Configuration page by clicking the screenshot gallery options button and selecting Activate Compliance.
Result

Cloud Manager assigns the IAM role to the instance.

Enabling and disabling compliance scans on S3 buckets

After Cloud Manager enables Cloud Compliance on Amazon S3, the next step is to configure the buckets that you want to scan.

When Cloud Manager is running in the AWS account that has the S3 buckets you want to scan, it discovers those buckets and displays them in an Amazon S3 working environment.

Steps
  1. Select the Amazon S3 working environment.

  2. In the pane on the right, click Configure Buckets.

    A screenshot of clicking Configure Buckets to choose the S3 buckets you want to scan

  3. Enable compliance on the buckets that you want to scan.

    A screenshot of selecting the S3 buckets you want to scan

Result

Cloud Compliance starts scanning the S3 buckets that you enabled. If there are any errors, they’ll appear in the Status column, alongside the required action to fix the error.

Scanning buckets from additional AWS accounts

You can scan S3 buckets that are under a different AWS account by assigning a role from that account to access the existing Cloud Compliance instance.

Steps
  1. Go to the target AWS account where you want to scan S3 buckets and create an IAM role by selecting Another AWS account.

    screenshot iam create role

    Be sure to do the following:

    • Enter the ID of the account where the Cloud Compliance instance resides.

    • Change the Maximum CLI/API session duration from 1 hour to 12 hours and save that change.

    • Attach the Cloud Compliance IAM policy. Make sure it has the required permissions.

      {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:Get*",
                    "s3:List*",
                    "s3:HeadBucket"
                ],
                "Resource": "*"
            },
        ]
      }
  2. Go to the source AWS account where the Cloud Compliance instance resides and select the IAM role that is attached to the instance.

    1. Change the Maximum CLI/API session duration from 1 hour to 12 hours and save that change.

    2. Click Attach policies and then click Create policy.

    3. Create a policy that includes the "sts:AssumeRole" action and the ARN of the role that you created in the target account.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "arn:aws:iam::<ADDITIONAL-ACCOUNT-ID>:role/<ADDITIONAL_ROLE_NAME>"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "iam:GetPolicyVersion",
                      "iam:GetPolicy",
                      "iam:ListAttachedRolePolicies"
                  ],
                  "Resource": [
                      "arn:aws:iam::*:policy/*",
                      "arn:aws:iam::*:role/*"
                  ]
              }
          ]
      }

      The Cloud Compliance instance profile account now has access to the additional AWS account.

  3. Go to the Amazon S3 Scan Configuration page and the new AWS account is displayed. Note that it can take a few minutes for Cloud Compliance to sync the new account’s working environment and show this information.

    screenshot activate and select buckets

  4. Click Activate Compliance & Select Buckets and select the buckets you want to scan.

Result

Cloud Compliance starts scanning the new S3 buckets that you enabled.