Using the Security Token Service (STS) method provides greater security because you retain full control over Forcepoint ONE SSE's access to your AWS S3 tenant.
With the STS option, Forcepoint ONE SSE is treated as an external user that is granted temporary access to S3 by assuming an AWS IAM role identified by its Role ARN. At any time you can revoke or limit Forcepoint ONE SSE's ability to access S3 by adjusting the policy attached to that role or
deleting the role outright.
Steps
- When adding the AWS tenant in Forcepoint ONE SSE, select Security Token Service. You will be provided with a Bitglass Account ID and an External ID and instructed to create an Amazon IAM role with that information:
- Copy the Account ID and External ID.
- Log into AWS and navigate to the page and further navigate to .
- Click Create Role at the top of the page.
- Select AWS Account, then select Another AWS account and enter the Account ID from the Forcepoint ONE SSE portal. Check the Require external ID box, copy over the External ID from the Forcepoint ONE SSE portal, and then click Next to open the Add permissions page.
- On the Add permissions page, locate the policy that you created at the beginning of this guide page and select it. Then click Next at the bottom to open the Name, review, and create page.
- On the Name, review, and create page, give the role a name and a description, add tags if any, and then click Create Role.
- Once created, locate the role you just created and copy the Role ARN. Back on the Add AWS Tenant dialog, provide a name for the tenant (the same name as the Role ARN you created), paste the copied Role ARN, and then click Continue. If correct, the entry is saved and the dialog displays the additional options for selecting which Buckets to scan and the DLP patterns to match on:
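The "Another AWS account" plus "Require external ID" choices in the wizard produce a role trust policy; the added example below (not from Forcepoint's documentation, with placeholder account and external IDs) builds that policy and audits an existing one, such as the output of `aws iam get-role`, to confirm it trusts only the expected account and requires the external ID.

```python
import json

# Constructed placeholders; the real values come from the Forcepoint ONE SSE
# Add AWS Tenant dialog (Bitglass Account ID and External ID).
BITGLASS_ACCOUNT_ID = "111122223333"   # placeholder, not a real account
EXTERNAL_ID = "example-external-id"    # placeholder


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to the wizard choices: only the named account may
    assume the role, and only when it presents the expected external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_is_scoped(policy: dict, account_id: str, external_id: str) -> bool:
    """Return True only if every Allow statement for sts:AssumeRole names just
    the expected account (no wildcard) and requires the expected external ID,
    and at least one such statement exists."""
    allowed = {account_id, f"arn:aws:iam::{account_id}:root"}
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = False
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws = aws[0] if isinstance(aws, list) and len(aws) == 1 else aws
        if aws not in allowed:
            return False  # wildcard, a list of accounts, or a different account
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            return False  # external ID not required: confused-deputy risk
        found = True
    return found


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(BITGLASS_ACCOUNT_ID, EXTERNAL_ID), indent=2))
```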