System Requirements:
- EDR Client 3.5 or later
- EDR Client Extension 3.5 or later
- An Amazon Web Services (AWS) S3 Bucket
- An IAM user account with programmatic PutObject access to the S3 Bucket.
NOTE: The responsibilities of customers include the following:
- Costs of the AWS S3 bucket
- Making sure that all AWS-related security settings, service use, and service configurations are implemented in accordance with the IT and Security policies. These settings must be monitored regularly for continuity of operation and compliance with their internal and regulatory policies.
S3 Bucket – Suggested Settings
Customers must review their usage needs for sending traces to S3. The following are a set of suggested settings. Customers must make sure that they choose a configuration that meets their functional and security needs.
| Setting |
Suggested Value |
Comment |
| Bucket Versioning |
Enabled |
Enabling Bucket Versioning makes sure that if the AWS access key and secret key become compromised, existing trace data can't be over-written.
For details, see this AWS documentation. |
| Default Encryption |
Enabled |
To make sure trace data is encrypted at rest in S3, choose either Amazon S3 key (SSE-S3) or AWS Key Management Service Key (SSE-KMS).
For details, see this AWS documentation. |
| AWS CloudTrail Data Event |
Configured |
Configure AWS CloudTrail to create a log of S3 API calls.
For details, see this AWS documentation. |
IAM Permissions – Suggested Policies:
An IAM user needs to be created to write traces to the appropriate S3 bucket. The access key and secret key for this user is entered in the
ePO EDR Client Extension and distributed securely to EDR endpoints. It's advised that only the minimum needed permissions are given to this user.
The following suggested policy only allows write or
PutObject access to a specific bucket name and prefix:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::<bucketname>/<prefix>"
}
]
}
A different user with a targeted policy must be used for reading traces from the EDR bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3::: <bucketname>/<prefix>”
},
{
“Sid”: “VisualEditor1”,
“Effect”: “Allow”,
“Action”: [
“s3:ListBucketVersions”,
“s3:ListBucket”
],
“Resource”: [
“arn:aws:s3::: <bucketname>”
]
}
]
}
Other Considerations:
AWS implements a limit of 3,500 Put requests per second per prefix in an S3 bucket. If this threshold is consistently reached, it causes the local EDR client buffers to reach their limits and some traces are lost. When scaling up to many endpoints, you must segment the endpoints in ePO into groups that use different buckets or prefixes to avoid hitting the limits.
For details, seee
KB51417 - How to create and apply tags in ePolicy Orchestrator.
