System Requirements:
- EDR Client 3.5 or later
- EDR Client Extension 3.5 or later
- An Amazon Web Services (AWS) S3 Bucket
- An IAM user account with programmatic PutObject access to the S3 Bucket.
NOTE: The responsibilities of customers include:
- Costs of the AWS S3 bucket
- Making sure that all AWS-related security settings, service use, and service configurations are implemented in accordance with the IT and Security policies. These settings must be monitored regularly for continuity of operation and compliance with their internal and regulatory policies.
S3 Bucket – Suggested Settings
Customers must review their usage needs for sending traces to S3. The following are a set of suggested settings. Customers must make sure that they choose a configuration that meets their functional and security needs.
IAM Permissions – Suggested Policies:
An IAM user needs to be created to write traces to the appropriate S3 bucket. The access key and secret key for this user are entered in the ePO EDR Client Extension and distributed securely to EDR endpoints. It is advised that only the minimum needed permissions are given to this user.
The following suggested policy only allows write or PutObject access to a specific bucket name and prefix:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucketname>/<prefix>"
    }
  ]
}
A different user with a targeted policy must be used for reading traces from the EDR bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::<bucketname>/<prefix>"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucketVersions",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<bucketname>"
      ]
    }
  ]
}
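The two policies above are the complete set of permissions each identity should hold: the endpoint user writes only, the analyst user reads only, and both are pinned to one bucket and prefix. The following script is an added example, not part of this article or of the EDR product, that lints a policy document against those expectations before it is attached to a user, so that a later "helpful" edit (an added action, a wildcard resource) is caught in review rather than in an audit. The bucket name, the key pattern in PREFIX, and the over-broad third policy are constructed sample values.

```python
"""Least-privilege linter for the EDR trace writer and reader IAM policies.

Added example, not part of the KB article. Bucket and prefix values are constructed.
"""
import json
from typing import Dict, List, Sequence, Set, Union

# Constructed sample values; replace with your own bucket name and key pattern.
BUCKET = "example-edr-traces"
PREFIX = "edr/*"  # the object-key pattern you put after the bucket name in Resource

# The only actions the suggested policies grant, per role.
WRITER_ACTIONS: Set[str] = {"s3:PutObject"}
READER_OBJECT_ACTIONS: Set[str] = {"s3:GetObject", "s3:GetObjectVersion"}
READER_BUCKET_ACTIONS: Set[str] = {"s3:ListBucket", "s3:ListBucketVersions"}

# Writer policy as suggested in the article, with the constructed bucket/prefix.
WRITER_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-edr-traces/edr/*"}
  ]
}"""

# Reader policy as suggested in the article: object actions on the prefix, list actions on the bucket.
READER_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectVersion"],
     "Resource": "arn:aws:s3:::example-edr-traces/edr/*"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["s3:ListBucketVersions", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-edr-traces"]}
  ]
}"""

# Constructed counter-example: what an endpoint user must NOT be given.
OVERBROAD_WRITER_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooWide", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}"""


def _as_list(value: Union[str, Sequence[str], None]) -> List[str]:
    """IAM accepts either a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy: Dict, role: str, bucket: str = BUCKET, prefix: str = PREFIX) -> List[str]:
    """Return findings for an IAM identity policy; an empty list means it matches the suggested shape.

    role is "writer" (credentials distributed to endpoints by ePO) or "reader" (analyst access).
    The reader check expects the article's two-statement layout: one statement for object
    actions on the prefix ARN, one for list actions on the bucket ARN.
    """
    if role not in ("writer", "reader"):
        raise ValueError(f"unknown role {role!r}")
    object_arn = f"arn:aws:s3:::{bucket}/{prefix}"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings: List[str] = []

    if policy.get("Version") != "2012-10-17":
        findings.append("policy Version should be 2012-10-17")

    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access, so they need no review here
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))

        if role == "writer":
            # Anything beyond PutObject (including "s3:*") lets the endpoint read or delete traces.
            extra = actions - WRITER_ACTIONS
            if extra:
                findings.append(f"{sid}: writer granted actions beyond PutObject: {sorted(extra)}")
            if resources != {object_arn}:
                findings.append(f"{sid}: writer Resource should be exactly {object_arn}, got {sorted(resources)}")
        else:
            extra = actions - READER_OBJECT_ACTIONS - READER_BUCKET_ACTIONS
            if extra:
                findings.append(f"{sid}: reader granted unexpected actions: {sorted(extra)}")
            if actions & READER_OBJECT_ACTIONS and resources != {object_arn}:
                findings.append(f"{sid}: object actions should be scoped to {object_arn}")
            if actions & READER_BUCKET_ACTIONS and resources != {bucket_arn}:
                findings.append(f"{sid}: list actions should be scoped to {bucket_arn}")
    return findings


def lint_policy_text(policy_json: str, role: str) -> List[str]:
    """Parse a policy document from its JSON text and lint it."""
    return lint_policy(json.loads(policy_json), role)


if __name__ == "__main__":
    for name, text, role in (("writer", WRITER_POLICY, "writer"),
                             ("reader", READER_POLICY, "reader"),
                             ("over-broad writer", OVERBROAD_WRITER_POLICY, "writer")):
        print(name, "->", lint_policy_text(text, role) or "OK")
```

Run it against the policy text you are about to paste into IAM; the two suggested policies come back clean, while the over-broad one is reported twice (wildcard action, wildcard resource). The check is deliberately strict about the exact Resource ARN so that a drift to "<bucketname>/*" or to the whole account's buckets is flagged rather than silently accepted.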
Other Considerations:
AWS implements a limit of 3500 Put requests per second per prefix in an S3 bucket. If this threshold is consistently reached, it causes the local EDR client buffers to reach their limits and some traces are lost. When scaling up to many endpoints, you must segment the endpoints in ePO into groups that use different buckets or prefixes to avoid hitting the limits.
See KB51417 - How to create and apply tags in ePolicy Orchestrator.