Configuring policy with security token service

Using the Security Token Service (STS) method provides greater security because you retain complete control over Forcepoint ONE SSE's access to your AWS S3 tenant.

With the STS option, Forcepoint ONE SSE is treated as an external account that is granted temporary access to S3 by assuming an AWS IAM role, identified by its Role ARN. At any time you can revoke or limit Forcepoint ONE SSE's ability to access S3 by adjusting the policy attached to that role or by deleting the role outright.

Steps

  1. When adding the AWS tenant in Forcepoint ONE SSE, select Security Token Service. You will be provided with a Bitglass Account ID and an External ID and instructed to create an Amazon IAM role with that information:


  2. Copy the Account ID and External ID.
  3. Log into AWS and navigate to the Services > Security, Identity, & Compliance > IAM page and further navigate to Access management > Roles.
  4. Click Create Role at the top of the page.
  5. Select AWS account, then select Another AWS account and enter the Account ID from the Forcepoint ONE SSE portal. Check the box for Require external ID, copy over the External ID from the Forcepoint ONE SSE portal, and then click Next to open the Add permissions page.


  6. On the Add permissions page, locate the policy that you created at the beginning of this guide page and select it. Then click Next at the bottom to open the Name, review, and create page.


  7. On the Name, review, and create page, give the role a name and a description, add tags if needed, and then click Create Role.


  8. Once the role is created, locate it in the Roles list and copy its Role ARN. Back in the Add AWS Tenant dialog, provide a name for the tenant (the same name as the role you created), paste the copied Role ARN, and then click Continue. If the details are correct, the entry is saved and the dialog displays the additional options for selecting which Buckets to scan and the DLP patterns to match on:
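The console steps above produce an IAM role whose trust policy allows one external account to call sts:AssumeRole only when it presents the External ID; that condition is what stops a third party who happens to know your Role ARN from having Forcepoint ONE SSE assume the role on their behalf (the confused-deputy problem). The following is an added example, not code from Forcepoint or AWS: it builds the trust policy the console generates for "Another AWS account" plus "Require external ID", and checks an existing trust policy for the two properties that matter here (the principal is exactly the expected account, and sts:ExternalId is required). The account ID and External ID are constructed placeholders; the real values come from the Add AWS Tenant dialog.

```python
import json

# Constructed placeholder values. The real Bitglass Account ID and External ID
# are displayed in the Forcepoint ONE SSE "Add AWS Tenant" dialog.
BITGLASS_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "example-external-id-0000"


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Return the trust (assume-role) policy the IAM console creates when you
    select 'Another AWS account' and tick 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict, account_id: str, external_id: str) -> list:
    """Return a list of findings; an empty list means the trust policy is as expected.

    For every Allow statement that grants sts:AssumeRole, verify that the AWS
    principal is exactly the expected account (no '*' and no other accounts)
    and that the statement requires the expected sts:ExternalId.
    """
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:root"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue

        # Normalise the principal into a list of AWS principal strings.
        principal = stmt.get("Principal")
        aws_principals = []
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = principal.get("AWS", [])
            if isinstance(aws_principals, str):
                aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: AssumeRole allowed for any principal")
            elif p not in (expected_principal, account_id):
                findings.append(f"statement {i}: unexpected principal {p}")

        # The External ID must be enforced with a StringEquals condition.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = cond.get("sts:ExternalId")
        if isinstance(ext, str):
            ext = [ext]
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif external_id not in ext:
            findings.append(f"statement {i}: external ID mismatch")
    return findings


def check_trust_policy_json(text: str, account_id: str, external_id: str) -> list:
    """Same check for a JSON document, e.g. the AssumeRolePolicyDocument
    returned by `aws iam get-role`."""
    return check_trust_policy(json.loads(text), account_id, external_id)


if __name__ == "__main__":
    policy = build_trust_policy(BITGLASS_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, BITGLASS_ACCOUNT_ID, EXTERNAL_ID))
```

To review a role that already exists, feed the output of `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument` to `check_trust_policy_json`; a non-empty list of findings means the role either lacks the External ID condition or trusts more than the single Forcepoint ONE SSE account the procedure calls for. The permissions policy selected in step 6 is separate from this trust policy and should remain scoped to the buckets you intend to scan.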