
Discovered S3 buckets are not being scanned by NRTS or are not showing as protected in the CWP:S console.


Article ID: 187847


Products

Cloud Workload Protection for Storage

Issue/Introduction

 
After S3 buckets have been discovered, files in them are not being scanned and/or the buckets are not listed as "Protected" in the CWP:S console.

Cause

During discovery of S3 buckets, if an SNS topic is already assigned to a bucket, CWP:S will not reassign that bucket to the SNS topic that CWP:S created.

For CWP:S to perform Near Real-Time Scanning (NRTS) of S3 buckets, the CWP:S SQS queue must be subscribed to the SNS topic assigned to the S3 bucket. Additionally, to list a bucket as "Protected", CWP:S must be able to enumerate the subscriptions on the assigned SNS topic.

Resolution

To resolve these issues, two tasks must be completed.

Create a subscription for the CWP:S SQS queue on the SNS topic assigned to the S3 bucket to enable NRTS.
 
    1.  Log in to the AWS console.
    2.  Navigate to the Simple Queue Service (SQS) page.
    3.  Locate and select the CWP:S SQS queue (usually named CWPForStorage_OnAccessQueue).
    4.  Copy the ARN of the CWP:S SQS queue.
    5.  Navigate to the Simple Notification Service (SNS) page and choose "Topics".
    6.  Locate the topic assigned to the S3 bucket and click its hyperlinked name.
    7.  On the "Subscriptions" tab, click "Create subscription".
    8.  On the "Create subscription" page, select "Amazon SQS" as the protocol.
    9.  Once the protocol is selected, the "Endpoint" field appears. Provide the ARN of the CWP:S SQS queue collected previously.
    10.  Click "Create subscription".
 
Configure all intermediary SNS topics to allow CWP:S to enumerate their subscriptions, so that the S3 buckets can be listed as "Protected".

Note: The term "intermediary" refers to each SNS topic between the S3 bucket and the CWP:S SQS queue. SNS topics can be daisy-chained to other SNS topics; if this has been done, the following process must be performed on every intermediary SNS topic.
 
    1.  Log in to the AWS console.
    2.  Navigate to the CloudFormation (CF) page and click "Stacks".
    3.  Locate the CWP:S stack servicing the S3 bucket and click its hyperlinked name.
    4.  Click the "Resources" tab, locate ControllerIAMRole and click its hyperlinked name.
    5.  On the IAM role page that opens, copy the Role ARN.
    6.  Navigate to the Simple Notification Service (SNS) page and choose "Topics".
    7.  Select the radio button for the intermediary SNS topic and click "Edit".
    8.  Expand "Access policy - optional".
    9.  Add the following statement object to the "Statement" list of the existing policy, replacing the two placeholders with the Role ARN copied in step 5 and the ARN of the intermediary SNS topic.
 
        {
           "Sid": "2",
           "Effect": "Allow",
           "Principal": {
               "AWS": "REPLACE_THIS_WITH_ARN_OF_THE_CONTROLLERIAM_ROLE_IN_THE_DEPLOYED_STACK"
           },
           "Action": "sns:listSubscriptionsByTopic",
           "Resource": "REPLACE_THIS_WITH_ARN_OF_THE_INTERMEDIARY_SNS"
        }
 
    10.  Save the changes.
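As an added illustration (not code from this article or from the CWP:S product), the following Python models both tasks above offline: merging the sns:listSubscriptionsByTopic statement into a topic policy without duplicating it, subscribing the CWP:S queue to the bucket's topic, and walking a daisy-chained SNS -> SNS -> SQS layout to report whether the queue is reachable and which intermediary topics still lack the grant. Every ARN, the sample topic layout, the default-policy stand-in and the helper names are constructed assumptions; the boto3 calls mentioned in comments are the live equivalents and are not invoked here.

```python
"""Offline model of the two resolution tasks: subscribe the CWP:S SQS queue to
the bucket's SNS topic, and grant the controller role sns:listSubscriptionsByTopic
on every intermediary topic. All ARNs and helper names are constructed assumptions."""
import copy
import json

LIST_ACTION = "sns:listsubscriptionsbytopic"  # IAM action names match case-insensitively

# Constructed placeholders, not real resources.
CONTROLLER_ROLE_ARN = "arn:aws:iam::111111111111:role/Controller/EXAMPLE-ControllerIAMRole"
CWPS_QUEUE_ARN = "arn:aws:sqs:us-west-1:111111111111:CWPForStorage_OnAccessQueue"
TOPIC_A = "arn:aws:sns:us-west-1:111111111111:bucket-topic"        # assigned to the S3 bucket
TOPIC_B = "arn:aws:sns:us-west-1:111111111111:intermediary-topic"  # daisy-chained from TOPIC_A


def add_list_statement(policy, role_arn, topic_arn, sid="2"):
    """Copy of the topic policy with the article's statement appended. Idempotent:
    an existing Sid is left alone. (Live: get_topic_attributes -> set_topic_attributes.)"""
    new_policy = copy.deepcopy(policy)
    statements = new_policy.setdefault("Statement", [])
    if any(s.get("Sid") == sid for s in statements):
        return new_policy
    statements.append({
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "sns:listSubscriptionsByTopic",
        "Resource": topic_arn,
    })
    return new_policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def role_can_list(policy, role_arn, topic_arn):
    """True if an Allow statement names the role explicitly for the list action on
    this topic. The default "*" principal is deliberately not counted: its SourceOwner
    condition cannot be evaluated offline, and the article wants an explicit grant."""
    for s in policy.get("Statement", []):
        principal = s.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(s.get("Action", []))]
        resources = _as_list(s.get("Resource", []))
        if (s.get("Effect") == "Allow" and role_arn in principals
                and LIST_ACTION in actions and topic_arn in resources):
            return True
    return False


def check_chain(bucket_topic_arn, topics, role_arn, queue_arn):
    """Follow SNS -> SNS subscriptions from the bucket's topic. `topics` maps topic
    ARN -> {"policy": dict, "subscriptions": [(protocol, endpoint), ...]} (live:
    list_subscriptions_by_topic). Returns (queue reachable, [topics lacking the grant])."""
    reachable, missing, seen, stack = False, [], set(), [bucket_topic_arn]
    while stack:
        arn = stack.pop()
        if arn in seen:  # guards against subscription loops
            continue
        seen.add(arn)
        topic = topics[arn]
        if not role_can_list(topic["policy"], role_arn, arn):
            missing.append(arn)
        for protocol, endpoint in topic["subscriptions"]:
            if protocol == "sqs" and endpoint == queue_arn:
                reachable = True
            elif protocol == "sns" and endpoint in topics:
                stack.append(endpoint)
    return reachable, missing


def remediate(topics, bucket_topic_arn, role_arn, queue_arn):
    """Apply both tasks to a copy of `topics` and return the copy."""
    fixed = copy.deepcopy(topics)
    for arn, topic in fixed.items():  # task 2: grant on every topic in the chain
        topic["policy"] = add_list_statement(topic["policy"], role_arn, arn)
    subs = fixed[bucket_topic_arn]["subscriptions"]  # task 1 (live: sns.subscribe)
    if ("sqs", queue_arn) not in subs:
        subs.append(("sqs", queue_arn))
    return fixed


def default_policy(topic_arn):
    """Constructed stand-in for the pre-existing policy shown in the mock-up."""
    return {"Version": "2008-10-17", "Statement": [{
        "Sid": "Existing_Security_Object", "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:Subscribe", "SNS:ListSubscriptionsByTopic", "SNS:Publish"],
        "Resource": topic_arn,
        "Condition": {"StringEquals": {"AWS:SourceOwner": "111111111111"}}}]}


SAMPLE_TOPICS = {
    TOPIC_A: {"policy": default_policy(TOPIC_A), "subscriptions": [("sns", TOPIC_B)]},
    TOPIC_B: {"policy": default_policy(TOPIC_B), "subscriptions": []},
}

if __name__ == "__main__":
    print("before:", check_chain(TOPIC_A, SAMPLE_TOPICS, CONTROLLER_ROLE_ARN, CWPS_QUEUE_ARN))
    fixed = remediate(SAMPLE_TOPICS, TOPIC_A, CONTROLLER_ROLE_ARN, CWPS_QUEUE_ARN)
    print("after: ", check_chain(TOPIC_A, fixed, CONTROLLER_ROLE_ARN, CWPS_QUEUE_ARN))
    print(json.dumps(fixed[TOPIC_B]["policy"], indent=2))
```

Run as a script it reports the sample chain as broken (queue not subscribed, both topics missing the grant), applies both tasks, and reports it healthy. The check treats only an explicit grant to the controller role as satisfying task 2, which mirrors the article: the default "*" statement with its SourceOwner condition is not relied on.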
 

Additional Information

Example mock-up of the permissions change (placeholder account and ARN values):
 
{
    "Version": "2008-10-17",
    "Id": "Security_Policy",
    "Statement": [
        {
            "Sid": "Existing_Security_Object",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "SNS:GetTopicAttributes",
                "SNS:SetTopicAttributes",
                "SNS:AddPermission",
                "SNS:RemovePermission",
                "SNS:DeleteTopic",
                "SNS:Subscribe",
                "SNS:ListSubscriptionsByTopic",
                "SNS:Publish",
                "SNS:Receive"
            ],
            "Resource": "arn:aws:sns:us-west-1:488888888888:NON-CWPS-Example-SNS",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceOwner": "488888888888"
                }
            }
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::488888888888:role/Controller/Test-ControllerIAMRole-VLOIJIY9XSY"
            },
            "Action": "sns:listSubscriptionsByTopic",
            "Resource": "arn:aws:sns:us-west-1:488888888888:NON-CWPS-Example-SNS"
        }
    ]
}