Skip to main content

Netskope Help

AWS S3 Events, Alerts Plugin for Log Shipper

This plugin is used to deliver web transactions data to the AWS S3 platform. To access the plugin, you would need the credentials of the AWS S3 instance. The AWS S3 Events, Alerts plugin support is:

Event Support

Yes

Alert Support

Yes

WebTx Support

No

Prerequisites
  • A Netskope Tenant (or multiple, for example, production and development/test instances).

  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.

  • AWS S3 credentials with create/read/write buckets permissions. Obtain your AWS S3 Access key ID and Secret Access Key with permission to read/write on specific buckets or permission to create buckets before proceeding.

Note

Verify your bucket permissions are secure and not set up for open public access. Only allow access to your cloud storage instance from your Cloud Exchange Host and any other addresses that need access.

Workflow
  1. Create a bucket, an IAM policy and user, and get your credentials.

  2. Configure the AWS S3 Events, Alerts plugin.

  3. Configure Log Shipper Business Rules for AWS S3 Events, Alerts.

  4. Configure Log Shipper SIEM mappings for AWS S3 Events, Alerts.

  5. Validate the plugin.

Click play to watch a video.

 
  1. To create bucket and set required policies, go to your AWS console and log in.

    image1.png
  2. From All Services, select S3.

    image2.png
  3. Click Create Bucket.

    image3.png
  4. Enter a Bucket Name, scroll to the bottom, and click Create Bucket.

    image4.png
  5. Search for your bucket and click on the bucket name to open it.

    image5.png
  6. Click on Permission to open the permission tab and to set a policy.

    image6.png
  7. Click Edit. Under Block public access (bucket settings), uncheck all checkboxes and click Save Changes. When prompted for a confirmation, confirm it, and then click Confirm.

    image7.png
  8. Under the Permissions tab, click Edit in the Bucket Policy section.

    image8.png
  9. Click Policy Generator.

    image9.png
  10. Select S3 Bucket Policy as policy type for Step 1, and Add Statement details for Step 2, and then click Generate Policy.

    • Select Type of Policy: S3 Bucket Policy

    • Effect: Allow

    • Principal: <user-arn>

    • Actions:

      1. GetBucketAcl

      2. GetBucketPolicy

    • ARN: arn:aws:s3:::<bucket-name>

    • Click Add Statement.

    image10.png
    • Select Type of Policy: S3 Bucket Policy

    • Effect: Allow

    • Principal: <user-arn>

    • Actions:

      1. PutObject

      2. PutObjectAcl

    • ARN: arn:aws:s3:::<bucket-name>/*. Be sure to add /* after the second bucket name.

    • Click Add Statement

      image11.png
      image12.png
    • Click Generate Policy.

      image13.png
  11. Add this policy to this textbox.

    {
        "Id": "<policy ID>",
        "Version": "<version>",
        "Statement": [
            {
                "Sid": "<statement ID>",
                "Action": [
                    "s3:GetBucketAcl",
                    "s3:GetBucketPolicy"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::<bucket-name>",
                "Principal": {
                    "AWS": [
                        "<user-arn>"
                    ]
                }
            },
            {
                "Sid": "<statement ID>",
                "Action": [
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::<bucket-name>/*",
                "Principal": {
                    "AWS": [
                        "<user-arn>"
                    ]
                }
            }
        ]
    }
  12. Scroll to the bottom and click Save Changes.

    image14.png
  1. Go to Policy Generator , select IAM Policy as the policy type, and then click Generate Policy.

    • Select Type of Policy: IAM Policy

    • Effect: Allow

    • AWS Service: Amazon S3

    • Actions:

      1. ListAllMyBuckets

    • ARN: *

    • Click Add Statement.

    image15.png
    • Select Type of Policy: IAM Policy

    • Effect: Allow

    • AWS Service: Amazon S3

    • Actions:

      1. GetBucketAcl

      2. GetBucketPolicy

      3. GetBucketLocation

    • ARN: arn:aws:s3:::<bucket-name>

    • Click Add Statement.

    image16.png
    • Select Type of Policy: IAM Policy

    • Effect: Allow

    • AWS Service: Amazon S3

    • Actions:

      1. PutObject

      2. PutObjectAcl

    • ARN: arn:aws:s3:::<bucket-name>/*

    • Click Add Statement.

    image17.png
    • Click Generate Policy.

    image18.png
  2. Create the policy required IAM, as shown below. Be sure to add /* after the second bucket name.

    {
    	"Id": "<policy ID>",
    	"Version": "<version>",
    	"Statement": [
    		{
    			"Sid": "<statement ID>",
    			"Effect": "Allow",
    			"Action": "s3:ListAllMyBuckets",
    			"Resource": "*"
    		},
    		{
    			"Sid": "<statement ID>",
    			"Effect": "Allow",
    			"Action": [
    				"s3:GetBucketAcl",
    				"s3:GetBucketPolicy",
                               "S3:GetBucketLocation"
    			],
    			"Resource": "arn:aws:s3:::<bucket-name>"
    		},
    		{
    			"Sid": "<statement ID>",
    			"Effect": "Allow",
    			"Action": [
    				"s3:PutObject",
    				"s3:PutObjectAcl"
    			],
    			"Resource": "arn:aws:s3:::<bucket-name>/*"
    		}
    	]
    }
  3. Go to AWS Console and select IAM from All Services. Click Policies in the left panel, and then click Create Policy.

    image2.png
    image19.png
  4. Copy that policy to the JSON tab. Click Next:Tags, and then click Next:Review.

    image20.png
  5. Enter a name and click Create Policy.

    image21.png
    image22.png
  1. To create an IAM User, and get the Access ID and Secret Access Key, go to the AWS Console and select IAM from All Services.

    image2.png
  2. Click Users in the left panel.

    image23.png
  3. Click Add Users.

    image24.png
  4. Enter a user name and click Next:Permissions.

    image25.png
  5. Click Attach existing policies directly (the policy created earlier) and click Next.

    image26.png
  6. Review your choices and click Create User.

    image27.png
    image28.png
  7. Search for a user and click on it.

    image29.png
  8. Click Security Credentials and scroll down to Access Keys.

    image30.png
  9. Click Create access key, select Other, and then click Next.

    image31.png
  10. Add a description and click Create access key.

    image32.png
  11. Copy the Access Key ID and Secret Access Key.

    image33.png

The account that owns the access keys should have the below policy.

To set a bucket policy from the AWS CLI
aws s3api put-bucket-policy --bucket MyBucket --policy file://policy.json

policy.json:

{
    "Policy": {
        "Version": "<version>",
        "Statement": [
            {
                "Sid": "<statement ID>",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<user-arn>"
                },
                "Action": [
                    "s3:GetBucketAcl",
                    "s3:GetBucketPolicy"
                ],
                "Resource": "arn:aws:s3:::<bucket-name>"
            },
            {
                "Sid": "<statement ID>",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<user-arn>"
                },
                "Action": [
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": "arn:aws:s3:::<bucket-name>/*"
            }
        ]
    }
}

To set an IAM policy from the AWS CLI
aws iam put-user-policy --user-name <username> --policy-name <policy_name> --policy-document file://iam_policy.json
iam_policy.json:

{
    "Policy": {
        "Version": "<version>",
        "Statement": [
            		     {
                "Sid": "<statement ID>",
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*"
            },
            {
                "Sid": "<statement ID>",
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketAcl",
                    "s3:GetBucketLocation",
                    "s3:GetBucketPolicy"
                ],
                "Resource": "arn:aws:s3:::<bucket-name>"
            },
            {
                "Sid": "<statement ID>",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:PutObjectAcl"
                ],
                "Resource": "arn:aws:s3:::<bucket-name>/*"
            }
        ]
    }
}
  1. Click on the Settings button from the Navigation Panel then Plugins.

  2. Search for and select the AWS S3 Events, Alerts box to open the plugin creation dialog.

    image34.png
  3. Enter a Configuration Name.

    Note

    Keep the Transform the raw logs toggle disabled because we will only filter the fields added in the Json block inside the user provided mapping file.

  4. Click Next.

    image35.png
  5. Enter these parameters:

    • AWS Access Key ID: Your AWS S3 access key ID for AWS S3 authentication.

    • AWS Secret Access Key: Your AWS S3 secret access key for AWS S3 authentication.

    • Region Name: The region name to get your AWS S3 Bucket from.

    • Bucket Name: The Bucket Name in which the data object will be stored.

    • Object prefix: This will be added to the Object key name while ingesting web transactions to the AWS S3 bucket.

      image36.png
  6. Click on Save

    image37.png
  1. Go to Log Shipper > Business Rules.

    image38.png
  2. Click Create New Rule.

    image39.png
  3. Enter a Rule Name, configure the filter, and enter a Folder Name (if any).

  4. Click Save.

    image40.png
  1. Go to Log Shipper > SIEM Mappings.

  2. Click Add SIEM Mapping.

  3. For Source, select the Netskope CLS configuration.

  4. For Destination, select the AWS S3 Events, Alerts configuration.

  5. Select the Business Rule you created previously.

    image41.png
  6. Click Save

Validate from Cloud Exchange

From the Logging section, check to see if the Logs are getting ingested.

image42.png

Validate from AWS

Using the AWS UI

  1. Log in to AWS console.

  2. Search for AWS S3 bucket.

  3. Search for configured bucket.

    image43.png

Using the AWS CLI

  1. Install AWS CLI in your machine.

    (Reference: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)

  2. Configure AWS CLI in your machine.

    (Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html)

  3. Useful commands to view buckets and objects.

    To list all the buckets:

    aws s3 ls

    To list all the objects in a bucket:

    aws s3 ls s3://<bucket_name>

    To download an object from bucket to local machine.

    aws s3 cp s3://<bucket_name>/<object_path> <local_path>