Connect AWS to Microsoft Cloud App Security

This section provides instructions for connecting Cloud App Security to your existing Amazon Web Services account using the connector APIs.

How to connect Amazon Web Services to Cloud App Security

  1. In your Amazon Web Services console, under Security, Identity & Compliance, click on IAM.

  2. Click on the Users tab and then click Add user.

  3. In the Details step, provide a new user name for Cloud App Security. Make sure that under Access type you select Programmatic access, then click Next: Permissions.

  4. In the Permissions step, select Attach existing policies directly and then click Create policy.

  5. Under Create Policy select Create Your Own Policy.

  6. Under Review Policy, provide a Policy Name, for example CloudAppSecurityPolicy.

  7. Then paste the following policy document into the Policy Document field and click Create policy:

    {
      "Version" : "2012-10-17",
      "Statement" : [{
          "Action" : [
            "cloudtrail:DescribeTrails",
            "cloudtrail:LookupEvents",
            "cloudtrail:GetTrailStatus",
            "cloudwatch:Describe*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "iam:List*",
            "iam:Get*"
          ],
          "Effect" : "Allow",
          "Resource" : "*"
        }
      ]
    }
    
  8. Back in the Add user screen, refresh the list if necessary, select the user you created, and click Next: Review.

  9. If all the details are correct, click Create user.

  10. When you get the success message, click Download .csv to save a copy of the new user's credentials; you need these later.

  11. In the AWS console, click Services and then under Management Tools click CloudTrail.

    If you have not used CloudTrail before, click Get Started and set it up by providing a name, selecting the appropriate S3 bucket, and clicking Turn On. To make sure you have complete coverage, set Apply to all regions to Yes.

    You should see the new CloudTrail name in the Trails list.

  12. In the Cloud App Security portal, click Investigate and then Connected apps.

  13. In the App connectors page, click the plus sign followed by AWS.

  14. In the pop-up, paste the Access key and Secret key from the csv file into the relevant fields, and click Connect.

  15. Make sure the connection succeeded by clicking Test API.

    Testing may take a couple of minutes. When it is finished, you get a Success or Failure notification. After receiving a success notice, click Done.
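The connector user should hold nothing beyond the read-only actions in the step 7 policy. The following is an added example, not part of the Cloud App Security documentation: a small audit script that embeds that policy and reports any Allow action that is not a read-only verb (a bare "*" or "iam:*" would be flagged), so a modified policy can be checked before it is attached to the user. The read-only verb list is an assumption of this script.

```python
"""Check that an IAM policy document grants only read-only actions.

Added example, not Microsoft's or AWS's code. It audits a policy such as the
one pasted in step 7 before it is attached to the connector user.
"""
import json

# Policy from step 7 of the page, embedded so the script runs offline.
CONNECTOR_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
      "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents",
      "cloudtrail:GetTrailStatus", "cloudwatch:Describe*",
      "cloudwatch:Get*", "cloudwatch:List*", "iam:List*", "iam:Get*"
    ],
    "Effect": "Allow",
    "Resource": "*"
  }]
}
"""

# Action verb prefixes that only read state (assumption: sufficient for a
# connector that pulls CloudTrail, CloudWatch and IAM data and changes nothing).
READ_ONLY_VERBS = ("Describe", "Get", "List", "Lookup")


def find_non_read_only(policy_json):
    """Return the Allow actions in the policy that are not read-only.

    A wildcard such as "iam:*" or a bare "*" is reported because it also
    matches write verbs; "iam:Get*" is accepted because every match starts
    with Get. Deny statements are ignored since they only remove rights.
    """
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):       # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):       # "Action" may be a single string
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            if not verb or not verb.startswith(READ_ONLY_VERBS):
                findings.append(action)
    return findings
```

An empty result means every granted action is read-only; anything returned should be removed from the policy before the user is created.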

After connecting AWS, you will receive events from the seven days prior to connection, unless you only just enabled CloudTrail, in which case you receive events from the time you enabled it.

See Also

Control cloud apps with policies
For technical support, visit the Cloud App Security assisted support page.
Premier customers can also choose Cloud App Security directly from the Premier Portal.