Enterprise Recon 2.3

Amazon S3 Buckets

This section covers the following topics:

Licensing

For Sitewide Licenses, all scanned Amazon S3 Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, Amazon S3 Targets require Server & DB Licenses, and consume data from the Server & DB License data allowance limit.

See Target Licenses for more information.

Requirements

Requirements Description
Proxy Agent
  • Proxy Agent host with direct Internet access.
  • Cloud service-specific access keys.
  • ER 2.0.29 Agent and newer.
Required Proxy Agents:
  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
  • macOS Agent
TCP Allowed Connections Port 443

Encryption

ER2 supports Amazon S3 Buckets that use the following encryption methods:

  1. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3)
  2. Server-side encryption with AWS KMS-managed keys (SSE-KMS)
  3. Server-side encryption with customer-provided encryption keys (SSE-C)

Adding an Amazon S3 Target

To add Amazon S3 Buckets as Targets:

  1. Get AWS User Security Credentials
  2. Set Up Amazon S3 as a Target

To scan specific objects in the Target Bucket, see Edit Amazon S3 Target Path.

Get AWS User Security Credentials

  1. Log into the AWS IAM console.
  2. On the left of the page, click Users and select an IAM user with full access to the Amazon S3 Buckets that you want to scan.
    Select an IAM user in the AWS IAM console with access to the Amazon S3 Buckets to scan.

  3. On the User page, click on the Security Credentials tab. The tab displays the user’s existing Access Keys. Security Credentials tab in AWS IAM console displaying a user's existing access keys.
  4. Click Create Access Key. A dialog box appears, displaying a new set of User security credentials. This consists of an Access Key ID and a Secret Access Key.
  5. Click Download Credentials to save the User security credentials in a secure location, or write it down in a safe place. You cannot access this set of credentials once the dialog box is closed. Click Download Credentials in the Create Access Key window in AWS IAM console.

Set Up Amazon S3 as a Target

  1. From the New Scan page, Add Targets.
  2. In the Select Target Type dialog box, select Amazon S3.
  3. In the Amazon S3 Details section, fill in the following fields:
    Example of Amazon S3 dialog box with the Amazon Account Label set to "UserA_Amazon_Account" and credential details filled.

    Field Description
    Label

    Enter a descriptive label for the Amazon S3 Target.

    For example, UserA_Amazon_S3.

    New Credential Label Enter a descriptive label for the credential set.
    Access Key ID

    Enter the Access Key ID obtained in Get AWS User Security Credentials.

    For example, AKIAABCDEFGHIEXAMPLE.

    Secret Access Key

    Enter the Secret Access Key obtained in Get AWS User Security Credentials.

    For example, aBcDeFGHiJKLM/A1NOPQR/wxYzdcbAEXAMPLEKEY.

    Private Key

    Upload the file containing the customer-provided 256-bit encryption key.

    Only required for Amazon S3 Buckets that use the server-side encryption with customer-provided encryption keys (SSE-C) method for object encryption.

    For example, my_amazon_key.txt.

    Agent to act as a proxy host Select a Proxy Agent host with direct Internet access.
    Recommended Least Privilege User Approach

    To reduce the risk of data loss or privileged account abuse, the Target credentials provided for the intended Target should only be granted read-only access to the exact resources and data that require scanning. Never grant full user access privileges or unrestricted data access to any application if it is not required.

  4. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  5. Click Commit to add the Target.
  6. Back in the New Search page, locate the newly added Amazon S3 Target and click on the arrow next to it to display a list of available Buckets for the Amazon S3 user.
  7. Select the Target location(s) to scan.

    1. If "All data on new target AWSS3:<Amazon_Target_Label>" or "Amazon S3 : All buckets on new target AWSS3:<Amazon_Target_Label>" is selected, ER2 scans all objects contained in all Buckets available for the user account.
      New Search page with "Amazon S3: All buckets on new target "AWSS3:USERA_AMAZON_ACCOUNT" selected as a scan location.
    2. If only specific Buckets are selected, ER2 scans only the objects contained in the selected Buckets.
      New Search page with "Amazon S3: All buckets on new target AWSS3:USERA_AMAZON_ACCOUNT" selected as scan locations.

  8. Click Next to continue configuring your new scan.

Edit Amazon S3 Target Path

To scan a specific object in the Amazon S3 Bucket:

  1. Set Up Amazon S3 as a Target.
  2. In the Select Locations section, select your Amazon S3 Bucket Target location and click Edit.
  3. In the Edit Amazon S3 Bucket Location dialog, enter the Path to scan. Use the following syntax:

    Path Syntax
    Whole Bucket <BucketName>
    Specific folder in Bucket <BucketName/folder_name>
    Specific file in Bucket <BucketName[/folder_name]/filename.txt>
  4. Click Test and then Commit to save the path to the Target location.