Privacera Documentation

Connect S3 to PrivaceraCloud

This topic describes how to connect an S3 application to PrivaceraCloud.

Connecting to an AWS-hosted data source requires either credentials for, or a trust relationship with, those resources. You provide this information as one step of the AWS data resource connection. You also need to specify your AWS account region.

Prerequisites
  1. Create or use an existing IAM role in your environment. The role should be given access permissions by attaching an access policy in the AWS Console.

  2. Configure a trust relationship with PrivaceraCloud. See AWS Access with IAM role on PrivaceraCloud for specific instructions and requirements for configuring this IAM role.

Procedure
  1. Go to Settings > Applications.

  2. On the Applications screen, select the S3 application.

  3. Enter the application Name and Description, and then click Save.

    Privacera Access Management and Data Discovery are shown with toggle buttons.

    Note

    If you don't see Data Discovery in your application, enable it in Settings > Account > Discovery. For more information, see About the Account page on PrivaceraCloud.

Enable Privacera Access Management for S3

  1. Click the toggle button to enable Privacera Access Management for your application.

  2. On the BASIC tab, enter values in the following fields:

    • In the Profile Name text box, enter the profile name. The profile name must be unique across all applications.

      When you migrate an existing S3 application from 7.1 to 7.2 PrivaceraCloud versions (non-multi-account to multi-account), the PrivaceraCloud Portal sets the Profile Name to "Default" and imports the existing configuration.

      Note

      Additional information:

    • With Use IAM Role disabled:

      1. AWS Access Key: AWS data repository host account Access Key.

      2. AWS Secret Key: AWS data repository host account Secret Key.

      3. AWS Region: AWS S3 bucket region.

    • With Use IAM Role enabled:

      1. AWS IAM Role: Enter the IAM role as a full AWS ARN.

      2. AWS IAM Role External Id: For additional security, an external ID can be attached to the IAM role you configured. This ensures that PrivaceraCloud can assume your IAM role only when it passes the configured external ID.

        Note

        The external ID is stored encrypted. It is never reflected back to the UI or otherwise made visible.

      3. AWS Region: AWS S3 bucket region.

  3. On the ADVANCED tab, add the following property if you use a profile name other than default.

    Note

    When you create an S3 application for the first time in PrivaceraCloud versions 7.2 and above, create at least one profile with the name default.

    If you use a personalized profile name instead of default, add the dataserver.aws.profile.name.default property so that your personalized profile is used as the default.

  4. Replace my_profile with your personalized name.

    dataserver.aws.profile.name.default=my_profile

  5. Using the IMPORT PROPERTIES button, you can browse and import application properties.

  6. Click the TEST CONNECTION button to check if the connection is successful, and then click Save.

    Note

    You can use only one S3 setup per account for Privacera Access Management.

  7. Recommended: Install the AWS CLI.

    Open Launch Pad and follow the steps to install and configure AWS CLI to your workstation so that it uses the PrivaceraCloud S3 Data Server proxy.

  8. Recommended: Validate connectivity by running an AWS CLI S3 command such as:

    aws s3 ls

Note

Dataserver also supports logging the requesting user's name in AWS CloudWatch Logs. For more information, see Add UserInfo in S3 Requests sent via Data Access Server on PrivaceraCloud.
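The external ID described in step 2 above is only effective if the IAM role's trust policy actually requires it in an sts:ExternalId condition on every statement that allows sts:AssumeRole. The following audit helper is an added example, not code from Privacera or from this page: it takes a trust policy document (the sample below is constructed, and the account ID, external ID and role contents are placeholders) and reports any AssumeRole grant that lacks the expected external ID or uses a wildcard principal.

```python
import json

# Constructed sample trust policy of the kind the IAM role for PrivaceraCloud would
# carry. The principal account ID and the external ID are placeholders, not real values.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        }
    ],
})

# Constructed weak variant: same grant, but no external ID condition at all.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account
            "Action": "sts:AssumeRole",
        }
    ],
})


def _as_list(value):
    """IAM allows scalars or lists in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_role_statements(policy):
    """Return the Allow statements that grant sts:AssumeRole (directly or via wildcard)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    matches = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            matches.append(stmt)
    return matches


def statement_external_ids(stmt):
    """Return the set of external IDs a statement requires; empty if it requires none."""
    cond = stmt.get("Condition", {})
    ids = set()
    for operator in ("StringEquals", "StringEqualsIgnoreCase"):
        for key, val in cond.get(operator, {}).items():
            if key.lower() == "sts:externalid":
                ids.update(_as_list(val))
    return ids


def audit_trust_policy(policy, expected_external_id):
    """Return a list of findings. An empty list means every AssumeRole grant
    is bound to a concrete principal and requires exactly the expected external ID."""
    findings = []
    stmts = assume_role_statements(policy)
    if not stmts:
        findings.append("no Allow statement grants sts:AssumeRole")
    for i, stmt in enumerate(stmts):
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"} or principal == {"AWS": ["*"]}:
            findings.append(f"statement {i}: principal is a wildcard")
        ids = statement_external_ids(stmt)
        if not ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ids != {expected_external_id}:
            findings.append(f"statement {i}: sts:ExternalId does not match the expected value")
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        result = audit_trust_policy(doc, "EXAMPLE-EXTERNAL-ID")
        print(name, "OK" if not result else result)
```

To use this against a real role, fetch the trust policy with the AWS CLI (the AssumeRolePolicyDocument field of get-role) and pass it to audit_trust_policy together with the external ID you entered in the PrivaceraCloud Portal; an empty result is the state you want before clicking TEST CONNECTION.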

Enable Data Discovery for S3

  1. Click the toggle button to enable Data Discovery for your application.

  2. On the BASIC tab, enter values in the following fields.

    • With Use IAM Role disabled:

      1. AWS Access Key: AWS data repository host account Access Key.

      2. AWS Secret Key: AWS data repository host account Secret Key.

      3. AWS Region: AWS S3 bucket region.

    • With Use IAM Role enabled:

      1. AWS IAM Role: Enter the IAM role as a full AWS ARN.

      2. AWS Region: AWS S3 bucket region.

  3. Enable the Folder name tagging toggle to include folder names during scanning and tag the folders based on dictionary values.

  4. On the ADVANCED tab, you can add custom properties.

    You need to configure some advanced properties for the application where all the data to be scanned is stored. For more information, see General process for configuring an application.

  5. Using the IMPORT PROPERTIES button, you can browse and import application properties.

  6. Click the TEST CONNECTION button to check if the connection is successful, and then click Save.

Go to PrivaceraCloud > Privacera Discovery > Data Source to add resources using this connection as Discovery targets. See Privacera Discovery scan targets for quick start steps.

S3 AWS Commands - Ranger Permission Mapping