Connect AWS to Microsoft Cloud App Security

This section provides instructions for connecting Cloud App Security to your existing Amazon Web Services account using the connector APIs.

How to connect Amazon Web Services to Cloud App Security

  1. In your Amazon Web Services console, under Security, Identity & Compliance, click on IAM.

    aws identity and access

  2. Click on the Users tab and then click Add user.

    aws users

  3. In the Details step, provide a new user name for Cloud App Security, make sure that under Access type you select Programmatic access, and click Next: Permissions.

    AWS create user

  4. In the Permissions step, select Attach existing policies directly and then click Create policy.

    AWS attach user

  5. Under Create Policy select Create Your Own Policy.

    AWS create your own policy

  6. Under Review Policy, provide a Policy Name, for example CloudAppSecurityPolicy.

    AWS review policy

  7. Then paste the following into the Policy Document field and click Create policy:

    {  
      "Version" : "2012-10-17",  
      "Statement" : [{  
          "Action" : [  
            "cloudtrail:DescribeTrails",  
            "cloudtrail:LookupEvents",  
            "cloudtrail:GetTrailStatus",  
            "cloudwatch:Describe*",  
            "cloudwatch:Get*",  
            "cloudwatch:List*",  
            "iam:List*",  
            "iam:Get*"  
          ],  
          "Effect" : "Allow",  
          "Resource" : "*"  
        }  
      ]  
     }  
    
  8. Back in the Add user screen, refresh the list if necessary, select the policy you just created, and click Next: Review.

    AWS review user policy

  9. If all the details are correct, click Create user.

    AWS user permissions

  10. When you get the success message, click Download .csv to save a copy of the new user's credentials; you will need them later.

    AWS download csv

  11. In the AWS console, click Services and then under Management Tools click CloudTrail.

    aws cloudtrail

    If you have not used CloudTrail before, click Get Started, set it up by providing a name and selecting the appropriate S3 bucket, and click Turn On. To make sure you have complete coverage, set Apply to all regions to Yes.

    AWS turn on CloudTrail

    You should see the new CloudTrail name in the Trails list.

    AWS CloudTrail list

  12. In the Cloud App Security portal, click Investigate and then Connected apps.

  13. In the App connectors page, click the plus sign followed by AWS.

    connect AWS

  14. In the pop-up, paste the Access key and Secret key from the csv file into the relevant fields, and click Connect.

    AWS connect app

  15. Make sure the connection succeeded by clicking Test API.

    Testing may take a couple of minutes. When it is finished, you will get a Success or Failure notification. After receiving a success notice, click Done.

After connecting AWS, you will receive events for 7 days prior to connection, unless you just enabled CloudTrail, in which case you will receive events from the time you enabled CloudTrail.
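The policy in step 7 is meant to give the connector read-only access to CloudTrail, CloudWatch and IAM. The following script is an added example (not part of this page or of Cloud App Security) that checks a policy document against that intent: it flags any Allow action that is not a Describe/Get/List/Lookup verb, uses a service-wide wildcard, or touches a service the connector does not need. The read-only prefix list and the expected-service set are assumptions derived from the page's policy.

```python
import json

# Policy document from step 7 of the page, embedded here as the input under check.
CONNECTOR_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["cloudtrail:DescribeTrails", "cloudtrail:LookupEvents",
               "cloudtrail:GetTrailStatus", "cloudwatch:Describe*",
               "cloudwatch:Get*", "cloudwatch:List*", "iam:List*", "iam:Get*"],
    "Effect": "Allow",
    "Resource": "*"
  }]
}""")

# Assumption: the connector only reads configuration and logs, so every verb should be one of these.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")
# Assumption: services the page's policy touches; anything else is outside the connector's scope.
EXPECTED_SERVICES = {"cloudtrail", "cloudwatch", "iam"}


def allowed_actions(policy: dict) -> list:
    """Collect every Action from Allow statements (Statement and Action may be scalars or lists)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    actions = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def check_policy(policy: dict) -> list:
    """Return findings for actions beyond read-only scope; an empty list means the policy is clean."""
    findings = []
    for action in allowed_actions(policy):
        if action == "*" or ":" not in action:
            findings.append(f"{action}: unrestricted action")
            continue
        service, verb = action.split(":", 1)
        if service not in EXPECTED_SERVICES:
            findings.append(f"{action}: service '{service}' is not needed by the connector")
        if verb == "*":
            findings.append(f"{action}: service-wide wildcard also grants write access")
        elif not verb.startswith(READ_ONLY_PREFIXES):
            findings.append(f"{action}: '{verb}' is not a read-only verb")
    return findings
```

Run `check_policy` on the page's policy to confirm it produces no findings, and on any later edit of the policy before attaching it to the connector user.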

See Also

Control cloud apps with policies
For technical support, please visit the Cloud App Security assisted support page.
Premier customers can also choose Cloud App Security directly from the Premier Portal.