Connect AWS to Microsoft Cloud App Security

Applies to: Microsoft Cloud App Security

This article provides instructions for connecting your existing Amazon Web Services (AWS) account to Microsoft Cloud App Security using the connector APIs.

You can set up one or both of the following connections between AWS and Cloud App Security:

  • Security auditing: This connection gives you visibility into and control over AWS app use.
  • Security configuration: This connection gives you fundamental security recommendations based on the Center for Internet Security (CIS) benchmark for AWS.

Since you can add either or both of the connections, the steps in this article are written as independent instructions. If you have already added one of the connections, edit the existing configuration where relevant instead of creating a new one.

How to connect AWS Security auditing to Cloud App Security

  1. In your Amazon Web Services console, under Security, Identity & Compliance, click IAM.

    AWS identity and access

  2. Select Users and then click Add user.

    AWS users

  3. In the Details step, provide a new user name for Cloud App Security. Make sure that under Access type you select Programmatic access, and then click Next: Permissions.

    Create user in AWS

  4. Click on the JSON tab:

    AWS JSON tab

  5. Paste the following script into the provided area:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "cloudtrail:DescribeTrails",
            "cloudtrail:LookupEvents",
            "cloudtrail:GetTrailStatus",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "iam:List*",
            "iam:Get*",
            "s3:ListAllMyBuckets",
            "s3:PutBucketAcl",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

    AWS code

  6. Click Review policy.

  7. Provide a Name and click Create policy.

    Provide AWS policy name

  8. Back in the Add user screen, refresh the list if necessary, select the user you created, and click Next: Review.

    Attach existing policy in AWS

  9. If all the details are correct, click Create user.

    User permissions in AWS

  10. When you get the success message, click Download .csv to save a copy of the new user's credentials; you need these later.

    Download csv in AWS

  11. In the AWS console, click Services and then under Management Tools click CloudTrail.

    AWS CloudTrail

    If you haven't used CloudTrail before, click Get Started and set it up by providing a name and selecting the appropriate S3 bucket, and then click Turn On. To make sure you have complete coverage, set Apply to all regions to Yes.

    Turn on CloudTrail in AWS

    You should see the new CloudTrail name in the Trails list.

    CloudTrail list in AWS

    Note

    After connecting AWS, you'll receive events for seven days prior to connection. If you just enabled CloudTrail, you'll receive events from the time you enabled CloudTrail.

  12. In the Cloud App Security portal, click Investigate and then Connected apps.

  13. In the App connectors page, to provide the AWS connector credentials, do one of the following:

    For a new connector

    1. Click the plus sign followed by Amazon Web Services.

      connect AWS

    2. In the pop-up, provide a name for the connector, and then click Connect Amazon Web Services.

      AWS connector name

    3. On the Connect Amazon Web Services page, select Security auditing, paste the Access key and Secret key from the .csv file into the relevant fields, and click Connect.

      Connect AWS app security auditing

    For an existing connector

    1. In the list of connectors, on the row in which the AWS connector appears, click Connect security auditing.

      Screenshot of the Connected Apps page, showing edit Security Auditing link

    2. On the Connect Amazon Web Services page, paste the Access key and Secret key from the .csv file into the relevant fields, and click Connect.

      Connect AWS app security auditing

  14. Make sure the connection succeeded by clicking Test API.

    Testing may take a couple of minutes. When it's finished, you get a Success or Failure notification. After receiving a success notice, click Done.
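Before attaching the policy from step 5, it is worth confirming exactly what it grants. The following audit script is an added example, not part of this article or of Cloud App Security: it parses the policy document, sorts each allowed action into read-only versus state-changing by its verb (an assumed naming convention that holds for the four services named here), and flags wildcard actions and statements whose Resource is "*".

```python
import json

# The policy from step 5 of the article, embedded as the input to audit.
CONNECTOR_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["cloudtrail:DescribeTrails", "cloudtrail:LookupEvents",
               "cloudtrail:GetTrailStatus", "cloudwatch:Describe*",
               "cloudwatch:Get*", "cloudwatch:List*", "iam:List*", "iam:Get*",
               "s3:ListAllMyBuckets", "s3:PutBucketAcl", "s3:GetBucketAcl",
               "s3:GetBucketLocation"],
    "Effect": "Allow",
    "Resource": "*"
  }]
}"""

# Verbs that only read or enumerate state (assumption: this AWS naming
# convention holds for the four services named in the policy).
READ_ONLY_PREFIXES = ("describe", "get", "list", "lookup")


def audit_policy(policy_json: str) -> dict:
    """Sort each allowed action into read-only vs. state-changing, and flag
    wildcard actions and statements whose Resource is "*"."""
    policy = json.loads(policy_json)
    report = {"read_only": [], "state_changing": [], "wildcards": [],
              "unscoped_resource": False}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # Both fields may be a single string or a list in IAM policy syntax.
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            report["unscoped_resource"] = True
        for action in actions:
            _service, _, operation = action.partition(":")
            if "*" in action:
                report["wildcards"].append(action)
            # "service:*" or a bare "*" can write; otherwise judge by the verb.
            verb = operation.rstrip("*").lower()
            bucket = "read_only" if verb.startswith(READ_ONLY_PREFIXES) else "state_changing"
            report[bucket].append(action)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_policy(CONNECTOR_POLICY), indent=2))
```

For this article's policy the report lists s3:PutBucketAcl as the only state-changing grant, with every other action read-only, which is the scope you should expect the connector user to have.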

How to connect AWS Security configuration to Cloud App Security

Follow the steps in How to connect AWS Security auditing until you reach the permissions page.

  1. On the permissions page, click Attach existing policies directly, apply the AWSSecurityHubReadOnlyAccess and SecurityAudit policies, and then click Next: Tags.

    Attach existing policy in AWS

  2. Optional: Add tags to the user.

    Add tags to user in AWS

    Note

    Adding tags to the user won't affect the connection.

  3. Click Next: Review.

  4. If all the details are correct, click Create user.

    User permissions in AWS

  5. When you get the success message, click Download .csv to save a copy of the Access key ID and the Secret access key; you need these later.

    Download csv in AWS

  6. In the Cloud App Security portal, click Investigate and then Connected apps.

  7. In the App connectors page, to provide the AWS connector credentials, do one of the following:

    For a new connector

    1. Click the plus sign followed by Amazon Web Services.

      connect AWS

    2. In the pop-up, provide a name for the connector, and then click Connect Amazon Web Services.

      AWS connector name

    3. On the Connect Amazon Web Services page, select Security configuration, paste the Access key and Secret key from the .csv file into the relevant fields, and click Connect.

      Connect AWS app security configuration

    For an existing connector

    1. In the list of connectors, on the row in which the AWS connector appears, click Connect security configuration.

      Screenshot of the Connected Apps page, showing edit Security Configuration link

    2. On the Connect Amazon Web Services page, paste the Access key and Secret key from the .csv file into the relevant fields, and click Connect.

      Connect AWS app security configuration

  8. Make sure the connection succeeded by clicking Test API.

    Testing may take a couple of minutes. When it's finished, you get a Success or Failure notification. After receiving a success notice, click Done.

Next steps

Control cloud apps with policies

Premier customers can also create a new support request directly in the Premier Portal.