Privacera Documentation

Configure Audit Access Settings on PrivaceraCloud

Note

Contact Privacera Support to request enabling this feature.

Access audit records shown on the Audits page are backed up nightly and retained for 5 days in the storage of your PrivaceraCloud account. If you want to keep the access audit records for longer, you can copy them from PrivaceraCloud storage to your AWS bucket and Azure. The copied audit records in your AWS and Azure accounts are in .ZIP or .TAR format.

When this feature is enabled, you can see the Audit Access Settings section in the Account page.

Note

Typically, it takes about 24 hours for the generated audits to appear in your account. If you do not observe the audit details even after this period, please reach out to Privacera Support for assistance.

When you configure the AWS bucket and region, PrivaceraCloud automatically generates an ARN Role. After configuring this setting, you can see the ARN Role in your PrivaceraCloud account. You use this ARN Role as the principal in the bucket policy of your AWS S3 bucket.

  1. In the Audit Access Settings section of the Account page:

    1. Click the Enable button of the Audit Access Backup.

      The Privacera Access Audit Configuration dialog appears.

    2. Select AWS.

    3. Enter a bucket name or a folder path and bucket region.

      Note

      You cannot modify the parameters after saving the bucket name and region.

    4. Click Save Settings.

      An ARN Role will be generated by PrivaceraCloud.

    5. Click the SHOW DETAILS button to get the ARN Role.

      The Privacera Access Audit Configuration dialog appears.

    6. Under the User Role section, copy the ARN Role.

    Subsequently, you can change the values and update the settings.

  2. In the AWS console, add the following bucket policy to your AWS S3 bucket:

    {
        "Id": "Policy1645104586202",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1645104584705",
                "Action": "s3:PutObject",
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::<bucket_name_or_folder_path>",
                    "arn:aws:s3:::<bucket_name_or_folder_path>/*"
                ],
                "Principal": {
                    "AWS": [
                        "<ARN_ROLE>"
                    ]
                }
            }
        ]
    }

    In the policy above, edit the following information:

    • <bucket_name_or_folder_path>: Add the bucket name or folder path where the audit records are copied.

    • <ARN_ROLE>: Add the ARN Role copied from the PrivaceraCloud portal.

      For example, arn:aws:iam::9xxxx56xxxx0:role/PRIVACERA_AUDIT_1xxxxx933xxxx2_ROLE.
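
The check below is an added example, not part of the Privacera documentation or Privacera's own code: it compares a bucket policy against the template above and reports any Allow statement that grants more than s3:PutObject on the audit bucket to the copied ARN Role. The role ARN, account IDs, bucket name and the audit_policy function are constructed for illustration.

```python
# Added example: constructed values, not taken from any real account.
ROLE = "arn:aws:iam::111122223333:role/EXAMPLE_AUDIT_ROLE"   # hypothetical ARN Role
BUCKET = "example-audit-bucket"                               # hypothetical bucket

def _as_list(value):
    """Policy fields may hold one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket, role_arn):
    """Return findings where an Allow statement is broader than the template."""
    findings, role_can_put = [], False
    prefix = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if any(key.startswith("Not") for key in stmt):
            findings.append(f"{sid}: NotPrincipal/NotAction/NotResource used")
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else [
            p for v in principal.values() for p in _as_list(v)]
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        for p in principals:
            if p != role_arn:
                findings.append(f"{sid}: unexpected principal {p}")
        for a in actions:
            if a != "s3:putobject":
                findings.append(f"{sid}: action {a} exceeds s3:PutObject")
        for r in _as_list(stmt.get("Resource", [])):
            if r != prefix and not r.startswith(prefix + "/"):
                findings.append(f"{sid}: resource {r} is outside {bucket}")
        if role_arn in principals and "s3:putobject" in actions:
            role_can_put = True
    if not role_can_put:
        findings.append("audit role is not granted s3:PutObject")
    return findings

# The page's template with the placeholders filled in (constructed sample).
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AuditWrite", "Effect": "Allow", "Action": "s3:PutObject",
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    "Principal": {"AWS": [ROLE]}}]}
# A broadened variant of the same statement (constructed sample).
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AuditWrite", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::*",
    "Principal": {"AWS": [ROLE, "arn:aws:iam::444455556666:root"]}}]}

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, audit_policy(pol, BUCKET, ROLE) or "matches the template")
```

Run it against the policy JSON exported from the bucket before and after any later edit; an empty result means every Allow statement is still limited to the audit role, s3:PutObject and the audit bucket.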

Prerequisites

You need to obtain a Shared Access Signature (SAS) token from the Azure portal. For more information about how to create a SAS token, see Create SAS tokens in the Azure portal.

Note

Privacera does not actively monitor the expiration of the SAS token. It is the customer's responsibility to manage the SAS token, including monitoring and renewing it as needed.

Note

When generating the SAS token, you must include the Write permission. You can also choose additional permissions based on your specific requirements.

Steps
  • In the Audit Access Settings section of the Account page:

    1. Click the Enable button of the Audit Access Backup.

      The Privacera Access Audit Configuration dialog appears.

    2. Select AZURE, and enter the values in the following fields:

      • Storage Name

      • Container Or Container Name With Folder Path

      • Shared Access Signature (SAS) Token

    3. Click Save Settings.

    Subsequently, you can change the values and update the settings.