Bucket policies are AWS objects that you use to manage access to specific resources by defining the resource’s permissions. Permissions in the policies determine whether a principal (a user or a role) making a request is allowed or denied to perform the action in the request.
You must create an S3 bucket with a policy that grants the necessary permissions to the principal role used by the Data Forwarder. This policy is a resource-based policy.
Procedure
- In the AWS S3 bucket success message, select Go to bucket details, or click the name of the bucket from the list.
- Create a new folder that serves as the base folder where the Data Forwarder pushes the data type specified when you configure the Data Forwarder in the Carbon Black Cloud console.
Important: Each Data Forwarder requires its own folder. Otherwise, data from multiple forwarders can mix in the same folder and prevent from parsing the data.
- Write down the precise folder name.
You use this folder name to replace the
prefix-folder-name
in the bucket policy in the next step and when you add a Data Forwarder in the
Carbon Black Cloud console.
- From the Permissions tab, select Bucket Policy and configure it by copying the example below into the Bucket Policy Editor and adjusting the "bold" text:
Specifically, replace the values for:
- Id: The “Id” value can be anything, such as “Policy04212020” (where 04212020 represents the date, in this case, April 21, 2020).
- Sid: The “Sid” value can be anything, such as “Stmt04212020”.
- Principal>AWS: The AWS principal value that corresponds to your Carbon Black Cloud product region.
AWS Region |
Principal ID |
US East (N. Virginia) us-east-1 |
arn:aws:iam::132308400445:role/mcs-psc-prod-event-forwarder-us-east-1-event-forwarder |
Europe (Frankfurt) eu-central-1 |
arn:aws:iam::132308400445:role/mcs-psc-prod-event-forwarder-eu-central-1-event-forwarder |
Europe (London) eu-west-2 |
arn:aws:iam::132308400445:role/mcs2-psc-data-forwarder-s3 |
Asia Pacific (Tokyo) ap-northwest-1 |
arn:aws:iam::132308400445:role/mcs-psc-prod-event-forwarder-ap-northeast-1-event-forwarder |
Asia Pacific (Sydney) ap-southeast-2 |
arn:aws:iam::132308400445:role/mcs-psc-prod-event-forwarder-ap-southeast-2-event-forwarder |
London (Europe) eu-west-2 |
arn:aws:iam::132308400445:role/mcs2-psc-data-forwarder-s3 |
- Resource: (AWS S3 Bucket)
The “Resource” value should include the name of your S3 bucket followed by your “prefix-folder-name”, which is the folder you created in the bucket for the specific data type you plan to forward. For example:
"Resource": "arn:aws:s3:::bucket-name/prefix-folder-name/*"
Note: When defining the resource, the final result must end with “
/*” to allow
Carbon Black Cloud to create and access subfolders.
Bucket policy code
{
"Version": "2012-10-17",
"Id": "Policy04212020",
"Statement": [
{
"Sid": "Stmt04212020",
"Effect": "Allow",
"Principal": {
"AWS":
"arn:aws:iam::132308400445:role/mcs-psc-prod-event-forwarder-us-east-1-event-forwarder"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource":
"arn:aws:s3:::bucket-name/prefix-folder-name/*"
}
]
}
- Optional: If you want to encrypt your S3 bucket, see: Encrypt Your S3 Buckets Using AWS KMS.
- Click Save.
Results
The bucket is now able to accept data from the Carbon Black Cloud Data Forwarder.
What to do next
You must add and configure a Data Forwarder in the Carbon Black Cloud.