Preparing and Registering AWS
Configure AWS for authentication using an IAM User or an IAM role, using within-account or cross-account logging. Configure an identity provider (IDP) for single sign-on if users log in to AWS through an IDP.
The steps to connect your AWS accounts to Oracle CASB Cloud Service are different, depending on several parameters of your AWS architecture.
Monitoring can be configured in two ways:
- By using an IAM User as the dedicated service account.
- By using an IAM Role in lieu of the dedicated service account.

Logging can also be configured in two ways:
- Within-account logging, in which each AWS account maintains CloudTrail logs within that same account.
- Cross-account logging, in which some or all AWS source accounts send their CloudTrail logs to a single target account’s S3 bucket.
To set up AWS for monitoring by Oracle CASB Cloud Service
If you prefer that Oracle CASB Cloud Service uses IAM Users to monitor your AWS instances:
- If users log in to AWS using a supported IDP for single sign-on, start with Setting Up an Identity Provider Instance.
  Note: You can register your AWS instance without an IDP configured and add the IDP at a future time. See Updating the IDP Instance for an AWS Instance.
- Then go to Using an IAM User: Creating and Registering a Dedicated Service User.
- Then, if you use cross-account logging, continue with Using an IAM User: Adding Source Dedicated Service Users for Cross-Account Logging.
If your AWS architecture uses an IAM Role to monitor your AWS instances:
- If users log in to AWS using a supported IDP for single sign-on, start with Setting Up an Identity Provider Instance.
  Note: You can register your AWS instance without an IDP configured and add the IDP at a future time. See Updating the IDP Instance for an AWS Instance.
- Then go to Using an IAM Role: Creating a Dedicated Service Role.
- Then, if you use cross-account logging, continue with Using an IAM Role: Adding Source Dedicated Service Roles for Cross-Account Logging.
Using an IAM Role: Creating a Dedicated Service Role
Enable CloudTrail, and then create and register a dedicated account.
Using an IAM Role: Enabling CloudTrail
In order for CASB Cloud Service to monitor your AWS account, you must first enable both CloudTrail and S3 services.
What to Do Next
Continue with Using an IAM Role: Creating and Registering a Dedicated Service Role.
Using an IAM Role: Creating and Registering a Dedicated Service Role
Create a dedicated AWS account and add or register the account with Oracle CASB Cloud Service for monitoring.
To watch a video that provides an overview of the steps in this task, see Creating and Registering a Target AWS Account Using an IAM Role.
Prerequisites:
- You have successfully completed the steps in Using an IAM Role: Enabling CloudTrail.
- If users log in to AWS through an identity provider, you have already created an identity provider instance in Oracle CASB Cloud Service. See Setting Up an Identity Provider Instance.
Initial data typically begins to appear in 30 minutes to 2 hours, but can take longer in some cases. For status, check the Dashboard. If no data appears within 24 hours, contact Oracle Support.
You have successfully registered your AWS account with Oracle CASB Cloud Service, using an IAM user role to authenticate.
Next Steps
- If you are setting up cross-account logging, you have completed setup of your target account. Continue with Using an IAM Role: Adding Source Dedicated Service Roles for Cross-Account Logging.
- If you do not want to set up cross-account logging, you are done.
Using an IAM Role: Adding Source Dedicated Service Roles for Cross-Account Logging
For cross-account logging, add more AWS instances as source accounts and direct their logs to the S3 bucket created for the first account, which now becomes the target account.
Using an IAM Role: Setting Up the First Source Dedicated Service Role
The steps to add the first source account for cross-account logging are unique. You perform these steps only once.
To watch a video that provides an overview of the steps in this task, see Creating and Registering a Source AWS Account using an IAM Role.
Cross-account logging is a configuration in Amazon Web Services that allows users to pipe CloudTrail log data from one account to another account’s S3 bucket.
The account that you set up in Using an IAM Role: Creating a Dedicated Service Role becomes the target account — all logs from the source accounts, the additional AWS accounts you create and register with Oracle CASB Cloud Service, are piped into the S3 bucket of this target account.
Prerequisites:
- Complete all the tasks in Using an IAM Role: Creating a Dedicated Service Role.
- Create the source account in AWS.
- Get the Oracle CASB Cloud Service Account ID for the AWS source account whose logging you want consolidated into the S3 bucket in the target (hub) account through cross-account logging.
Note: To complete this procedure, you will need to open the AWS console in two different browsers, for example Chrome and Firefox. You can’t be signed in to two different AWS accounts at the same time in the same browser, even in two different windows or tabs.
What to Do Next
Continue with Using an IAM Role: Creating and Registering a Source Dedicated Service Role.
Using an IAM Role: Setting Up an Additional Source Dedicated Service Role
After you set up the first source account for cross-account logging, the steps to set up additional source accounts are the same. Repeat these steps for each additional source account.
To watch videos that provide an overview of the steps in this task, see:
Prerequisites:
- Complete all the tasks in Using an IAM Role: Creating a Dedicated Service Role.
- Complete all the steps in Using an IAM Role: Setting Up the First Source Dedicated Service Role.
- Create the source account in AWS.
- Get the Oracle CASB Cloud Service Account ID for the AWS source account whose logging you want consolidated into the S3 bucket in the target (hub) account through cross-account logging.
Note: To complete this procedure, you will need to open the AWS console in two different browsers, for example Chrome and Firefox. You can’t be signed in to two different AWS accounts at the same time in the same browser, even in two different windows or tabs.
What to Do Next
Continue with Using an IAM Role: Creating and Registering a Source Dedicated Service Role.
Using an IAM Role: Creating and Registering a Source Dedicated Service Role
Create a role for the source account in AWS, begin registering the account in Oracle CASB Cloud Service to get the External ID, return to AWS to enter the External ID and set necessary permissions, and then complete the registration.
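The External ID exchanged in this step is what prevents a third party that assumes roles in many customer accounts from being tricked into assuming yours (the "confused deputy" problem). The following is an added example, not Oracle's code or the trust policy the service generates: it builds a role trust policy that admits only one assuming account and only when that account presents the agreed External ID, and it reviews an existing trust policy for the two weaknesses a defender should look for. The monitoring account ID and the External ID are constructed placeholders; in practice you paste the External ID shown during registration.

```python
"""Added example (not Oracle's code): build and review the trust policy of a
cross-account dedicated service role that requires an External ID.

Assumptions (not from the page): the monitoring service assumes the role from
its own AWS account (MONITOR_ACCOUNT_ID, a constructed placeholder) and the
External ID is the value the registration dialog displays.
"""
import json
import secrets

MONITOR_ACCOUNT_ID = "111111111111"  # constructed placeholder, not a real account


def build_trust_policy(monitor_account_id: str, external_id: str) -> dict:
    """Return a trust policy that lets only monitor_account_id assume the role,
    and only when the AssumeRole call carries the agreed External ID."""
    if not external_id:
        raise ValueError("external_id must be set")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{monitor_account_id}:root"},
                "Action": "sts:AssumeRole",
                # sts:ExternalId is the standard confused-deputy mitigation.
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_findings(policy: dict) -> list[str]:
    """Review a trust policy and list weaknesses: every Allow statement that
    grants sts:AssumeRole must name an explicit principal (no '*') and must
    carry an sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal can assume the role")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    # Constructed External ID for the demo; use the one the registration shows.
    ext_id = secrets.token_urlsafe(24)
    policy = build_trust_policy(MONITOR_ACCOUNT_ID, ext_id)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```

Run `trust_policy_findings` against the trust policy of each dedicated service role after registration; an empty list means the role is scoped to one principal and protected by an External ID.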
To watch a video that provides an overview of the steps in this task, see Creating and Registering a Source AWS Account using an IAM Role.
Initial data typically begins to appear in 30 minutes to 2 hours, but can take longer in some cases. For status, check the Dashboard. If no data appears within 24 hours, contact Oracle Support.
You have successfully registered your AWS account with Oracle CASB Cloud Service, using an IAM user role to authenticate.
Next Steps
- If you need to set up another AWS source account, continue with Using an IAM Role: Setting Up an Additional Source Dedicated Service Role.
- If you do not need to set up another AWS source account, you are done.
Using an IAM User: Creating and Registering a Dedicated Service User
This IAM User is the only account that you configure for within-account logging. In cross-account logging, this IAM User is the first, or target, AWS account that you configure.
Using an IAM User: Enabling CloudTrail
In order for CASB Cloud Service to monitor your AWS account, you must first enable CloudTrail.
Enabling CloudTrail allows the IAM account to monitor the AWS services from the CloudTrail logs stored in S3.
To watch a video that provides an overview of the steps in this task, see Enabling CloudTrail and S3.
What to Do Next
Continue with Using an IAM User: Creating a Dedicated Service User.
Using an IAM User: Creating a Dedicated Service User
Create the IAM user for Oracle CASB Cloud Service to monitor a standalone or target AWS account.
To watch a video that provides an overview of the steps in this task, see Creating a Dedicated Service Account for monitoring AWS (Target).
The IAM user account you create is called a dedicated service account because it should be reserved exclusively for use by Oracle CASB Cloud Service. No human or other automated process should ever log in to this account.
Prerequisites:
- You have successfully completed the steps in Using an IAM User: Enabling CloudTrail.
- If users log in to AWS through an identity provider, you have already created an identity provider instance in Oracle CASB Cloud Service. See Setting Up an Identity Provider Instance.
  Note: You can register your AWS instance without an IDP configured and add the IDP at a future time. See Updating the IDP Instance for an AWS Instance.
What to Do Next
Continue with Using an IAM User: Registering the Dedicated Service User.
Using an IAM User: Registering the Dedicated Service User
Register the AWS account for the dedicated service user that you just created in Oracle CASB Cloud Service.
To watch a video that provides an overview of the steps in this task, see Registering an AWS Account using a Dedicated Service Account (Target).
Prerequisites:
You have successfully completed the steps in Using an IAM User: Creating a Dedicated Service User.
Initial data typically begins to appear in 30 minutes to 2 hours, but can take longer in some cases. For status, check the Dashboard. If no data appears within 24 hours, contact Oracle Support.
You have successfully registered your AWS account with Oracle CASB Cloud Service, using an IAM user role to authenticate.
Next Steps
- If you are setting up cross-account logging, you have completed setup of your target account. Continue with Using an IAM User: Adding Source Dedicated Service Users for Cross-Account Logging.
- If you do not want to set up cross-account logging, you are done.
Using an IAM User: Adding Source Dedicated Service Users for Cross-Account Logging
For cross-account logging, add more AWS accounts as source accounts and direct their logs to the S3 bucket created for the target account.
Using an IAM User: Setting Up the First Source Dedicated Service User
Create the IAM user for Oracle CASB Cloud Service to monitor source AWS accounts.
The account you create is called a dedicated service account because it should be reserved exclusively for use by Oracle CASB Cloud Service. No human or other automated process should ever log in to this account.
The steps to add the first source account for cross-account logging are unique. You perform these steps only once.
Cross Account logging is a configuration in AWS that allows users to log CloudTrail data from one AWS account to another AWS account’s S3 bucket.
The account that you set up in Using an IAM User: Creating a Dedicated Service User becomes the target account — all logs from the source accounts, the additional AWS accounts you create and register with Oracle CASB Cloud Service, are sent to the S3 bucket of this target account.
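Cross-account logging, as described here and in Using an IAM Role: Setting Up the First Source Dedicated Service Role, works because the target account's S3 bucket policy lets the CloudTrail service write each source account's logs under that account's own AWSLogs/ prefix. The block below is an added example, not Oracle's code or the policy the service creates: it generates a bucket policy in the shape AWS documents for CloudTrail delivery, and it checks an existing policy to confirm every registered source account is covered (and no stray account is). Bucket name and account IDs are constructed.

```python
"""Added example (not Oracle's code): the target-account S3 bucket policy that
lets CloudTrail in each source account deliver logs into the shared bucket.

Bucket name and account IDs are constructed placeholders. The policy shape
follows AWS's documented CloudTrail bucket policy: the CloudTrail service
principal may read the bucket ACL and put objects under AWSLogs/<account>/,
but only with the bucket-owner-full-control canned ACL, so the target account
owns every delivered object.
"""
import json

TARGET_BUCKET = "example-casb-cloudtrail-target"   # constructed
TARGET_ACCOUNT = "222222222222"                     # constructed
SOURCE_ACCOUNTS = ["333333333333", "444444444444"]  # constructed


def build_cloudtrail_bucket_policy(bucket: str, target_account: str,
                                   source_accounts: list[str]) -> dict:
    """Return a bucket policy admitting CloudTrail writes from the target
    account itself and from every listed source account."""
    accounts = [target_account, *source_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                # One prefix per account: a source account can only land logs
                # under its own AWSLogs/<account-id>/ path.
                "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in accounts],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def accounts_allowed_to_write(policy: dict, bucket: str) -> set[str]:
    """Return the account IDs whose AWSLogs/ prefix the policy lets the
    CloudTrail service write to. Wildcard or non-CloudTrail principals are
    ignored here; they would be a separate finding."""
    prefix = f"arn:aws:s3:::{bucket}/AWSLogs/"
    allowed = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal.get("Service") != "cloudtrail.amazonaws.com":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "s3:PutObject" not in actions:
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for r in resources:
            if r.startswith(prefix) and r.endswith("/*"):
                allowed.add(r[len(prefix):-2])
    return allowed


def missing_source_accounts(policy: dict, bucket: str, source_accounts: list[str]) -> list[str]:
    """Source accounts that are registered but cannot deliver logs under this policy."""
    allowed = accounts_allowed_to_write(policy, bucket)
    return sorted(a for a in source_accounts if a not in allowed)


if __name__ == "__main__":
    policy = build_cloudtrail_bucket_policy(TARGET_BUCKET, TARGET_ACCOUNT, SOURCE_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("allowed writers:", sorted(accounts_allowed_to_write(policy, TARGET_BUCKET)))
    print("missing:", missing_source_accounts(policy, TARGET_BUCKET, SOURCE_ACCOUNTS))
```

Each time you add a source account, regenerate the policy with the full account list (or run `missing_source_accounts` against the live policy): a source account absent from the AWSLogs/ prefixes produces no data, which is one cause of the "no data within 24 hours" symptom the registration steps mention.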
Prerequisites:
- Complete all the tasks in Using an IAM User: Creating and Registering a Dedicated Service User.
- Get the Oracle CASB Cloud Service Account ID for the AWS source account whose logging you want consolidated into the S3 bucket in the target account through cross-account logging.
Note: To complete this procedure, you may want to open the AWS console in two different browsers, for example Chrome and Firefox. You can’t be signed in to two different AWS accounts at the same time in the same browser.
Using an IAM User: Setting Up Cross-Account Logging
Set up cross-account logging, often referred to as x-acct logging.
To watch a video that provides an overview of the steps in this task, see DSA: Turn on Cross-Account Logging in AWS.
What to Do Next
Continue with Using an IAM User: Creating the First Source Dedicated Service User.
Using an IAM User: Creating the First Source Dedicated Service User
Set up the IAM User dedicated service account for cross-account logging, often referred to as x-acct logging.
To watch a video that provides an overview of the steps in this task, see Registering an AWS Account using a Dedicated Service Account (Source).
What to Do Next
Continue with Using an IAM User: Registering an Additional Source Dedicated Service User.
Using an IAM User: Setting Up an Additional Source Dedicated Service User
Set up another source account to be used in cross-account logging.
The account you create is called a dedicated service account because it should be reserved exclusively for use by Oracle CASB Cloud Service. No human or other automated process should ever log in to this account.
To watch a video that provides an overview of the steps in this task, see Registering an AWS Account using a Dedicated Service Account (Source).
Prerequisites: Create and register the first source account, by completing the steps in:
Set Up an Additional Source Dedicated Service User
What to Do Next
Continue with Using an IAM User: Registering an Additional Source Dedicated Service User.
Using an IAM User: Registering an Additional Source Dedicated Service User
Register the source account that you just created for monitoring by Oracle CASB Cloud Service.
To watch a video that provides an overview of the steps in this task, see Registering an AWS Account using a Dedicated Service Account (Source).
Prerequisites: You should have just completed the steps in either Using an IAM User: Setting Up the First Source Dedicated Service User, or Using an IAM User: Setting Up an Additional Source Dedicated Service User.
Initial data typically begins to appear in 30 minutes to 2 hours, but can take longer in some cases. For status, check the Dashboard. If no data appears within 24 hours, contact Oracle Support.
You have successfully registered your AWS account with Oracle CASB Cloud Service, using an IAM user role to authenticate.
Next Steps
- If you need to set up another AWS source account, continue with Using an IAM User: Setting Up an Additional Source Dedicated Service User.
- If you do not need to set up another AWS source account, you are done.
Security Control Values for AWS (Monitor Only/Read Only)
Review the AWS security controls that Oracle CASB Cloud Service monitors in monitor-only mode, together with the values for their stringent settings.
After registering the AWS instance in monitor-only mode, Oracle CASB Cloud Service displays security control alerts if the security control values in AWS deviate from the Oracle CASB Cloud Service baseline values for these controls.
These settings appear in the following locations in AWS:
- Password policies: The IAM, Account settings section of the AWS administration console.
- SSH and user keys: Oracle CASB Cloud Service checks the age of all user and EC2 SSH keys.
- Multifactor authentication: The IAM, Users section of the AWS administration console.
- Encryption and secure ports: Oracle CASB Cloud Service checks the encryption and port settings in network access control lists (ACLs) for all EC2 instances in an account.
The following describes Oracle CASB Cloud Service's default settings. In general, these settings are more stringent than the default settings within AWS.
Security Control Type | Security Control Name | Stringent Settings: Alert When This Value Is Changed | Description |
---|---|---|---|
Password policy | Minimum password length | 10 characters | The longer a password is, the harder it is to crack. |
Password policy | Require at least one uppercase letter | On | The more complex a password is, the harder it is to crack. |
Password policy | Require at least one lowercase letter | On | The more complex a password is, the harder it is to crack. |
Password policy | Require at least one number | On | The more complex a password is, the harder it is to crack. |
Password policy | Require at least one non-alphanumeric character | On | The more complex a password is, the harder it is to crack. |
Password policy | Allow users to change their own password | On | Users are more likely to update passwords when this activity is under their control. |
Password policy | Password expiration period (in days) | 30 | The more frequently a password is updated, the harder it is to crack. |
Password policy | Number of passwords to remember | 10 | Reused passwords open a window for an attacker to make use of an old password. |
Password policy | Password expiration requires administrator reset | On | When passwords expire, this indicates an unused account. It’s a best practice to not let accounts sit idle. |
Setting | Number of days for an SSH key to be considered old | 30 | SSH keys authenticate AWS EC2 instances. The more frequently these keys are updated, the harder they are to crack. |
Setting | Number of days for an IAM key to be considered old | 90 | IAM keys authenticate AWS administrative users. The more frequently these keys are updated, the harder they are to crack. |
Access controls | Require the root user to use multi-factor authentication | On | Multifactor authentication requires a user to enter more than one credential when logging in (for example, a password and a one-time code). This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls | Require the admin users to use multi-factor authentication | Off | The setting above applies only to the root user. This setting applies to all other admin users. |
Access controls | Make sure that all S3 server buckets are encrypted | On | It’s a best practice to keep data at rest in encrypted form. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls | Check public access acl enabled s3 buckets | On | This setting enables monitoring of S3 buckets with public access enabled through an ACL. |
Access controls | Check cloud trails those stores logs less than two weeks | On | This setting requires at least two weeks of data to be retained in CloudTrail logs. There are two ways to retain data: through CloudTrail's configured S3 bucket, and through CloudTrail's configured CloudWatch logs. |
Access controls | Require multi-factor authentication when deleting an S3 bucket | On | Deleting an S3 bucket means removing a data store. This is a sensitive operation and should require the extra security that multifactor authentication provides. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls | VPCs whose flow logs are not stored as per standard | On | This setting causes Oracle CASB Cloud Service to flag VPCs whose flow logs are not stored according to standard guidelines. |
Access controls | Check ec2 instances termination protection | On | This setting enables monitoring of termination protection for EC2 instances. |
Access controls | Require security group checking for unsecured ports | Off | AWS manages critical organizational infrastructure. Security group checking provides an additional layer of security in the event that a port was left open to the internet. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls | Require network ACLs to use secure open ports | Off | AWS services listen for traffic on ports. These ports should require secure (encrypted) communication so that sensitive information isn’t transmitted in the clear. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. This setting can only be enabled when the security control baseline for the application instance is set to Custom. |
Access controls | Do not let network ACLs have Allow All set as the default | On | Allow All means that the access control list (ACL) provides access to anyone on the internet. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls | Check use of Route 53 hosted zones | On | Amazon's Route 53 service maps domain name system (DNS) queries to numeric IP addresses. It routes end users to Internet applications by translating domain names (for example, This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls | Check use of Route 53 health checks | On | Amazon Route 53 maps domain name system (DNS) queries to numeric IP addresses. Route 53 health checks ensure that your web resources that reside at these IP addresses are functional before directing traffic to them. Oracle CASB Cloud Service doesn’t monitor for Route 53 health checks in private hosted zones. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls | Check EBS volume encryption status | On | Amazon Elastic Block Store (EBS) volumes provide incremental backup for Amazon Elastic Compute Cloud (EC2) instances. Encryption of these volumes prevents unauthorized access to the data on them. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls | Check RDS encryption status | On | Amazon Relational Database Service (RDS) is a relational database in the cloud. Ensure that RDS encryption is enabled to prevent unauthorized access to the information stored in the database. Amazon RDS handles authentication, access, and decryption of data transparently with minimal impact on performance. Amazon RDS encryption also helps to fulfill compliance requirements for data-at-rest encryption. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Security Control Values for AWS (Push Controls/Read-Write)
Review the AWS security controls that Oracle CASB Cloud Service monitors for push-controls mode, together with the values for their stringent settings.
After you register the AWS instance in push controls mode, Oracle CASB Cloud Service pushes your selected security control values to the related AWS account. Later, it displays security control alerts if anyone changes these values.
These settings appear in the following locations in AWS:
- Password policies: The IAM, Account settings section of the AWS administration console.
- SSH and user keys: Oracle CASB Cloud Service checks the age of all user and EC2 SSH keys.
- Multifactor authentication: The IAM, Users section of the AWS administration console.
- Encryption and secure ports: Oracle CASB Cloud Service checks the encryption and port settings in network access control lists (ACLs) for all EC2 instances in an account.
After registration, if anyone lowers these values in the application, Oracle CASB Cloud Service generates a risk event in Risk Events.
The following describes Oracle CASB Cloud Service's default settings. In general these are more stringent than the default settings within AWS. You also can define custom settings for these controls.
Security Control Type | Security Control Name | Stringent Settings: Alert when this Value Is Changed | Description |
---|---|---|---|
Password policy |
Minimum password length |
10 characters |
The longer a password is, the harder it is to crack. |
Password policy |
Require at least one uppercase letter |
On |
The more complex a password is, the harder it is to crack. |
Password policy |
Require at least one lowercase letter |
On |
The more complex a password is, the harder it is to crack. |
Password policy |
Require at least one number |
On |
The more complex a password is, the harder it is to crack. |
Password policy |
Require at least one non-alphanumeric character |
On |
The more complex a password is, the harder it is to crack. |
Password policy |
Allow users to change their own password |
On |
Users are more likely to update passwords when this activity is under their control. |
Password policy |
Password expiration period (in days) |
30 |
The more frequently a password is updated, the harder it is to crack. |
Password policy |
Number of passwords to remember |
10 |
Reused passwords open a window for an attacker to make use of an old password. |
Password policy |
Password expiration requires administrator reset |
On |
When passwords expire, this indicates an unused account. It’s a best practice to not let accounts sit idle. |
Setting |
Number of days for an SSH key to be considered old |
30 |
SSH keys authenticate AWS EC2 instances. The more frequently these keys are updated, the harder they are to crack. |
Setting |
Number of days for an IAM key to be considered old |
90 |
IAM keys authenticate AWS administrative users. The more frequently these keys are updated, the harder they are to crack. |
Access controls |
Require the root user to use multi-factor authentication |
On |
Multifactor authentication requires a user to more than one credential when logging in (for example, a password and a one-time code). This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls |
Require the admin users to use multi-factor authentication |
Off |
The setting above applies only to the root user. This setting applies to all other admin users. When the security control baseline for the application instance is set to Custom, you can specify IAM groups to which this setting applies. Expand IAM group name(s) allowed and enter one or more admin group names in the IAM admin groups which need to be considered field. |
Access controls |
Make sure all S3 server buckets are encrypted |
On |
It’s a best practice to keep data at rest in encrypted form. |
Access controls |
Check public access acl enabled s3 buckets |
On |
This setting enables monitoring of S3 buckets with public access enabled through an ACL. |
Access controls |
Check cloud trails those stores logs less than two weeks |
On |
This setting requires at least two weeks of data to be retained in CloudTrail logs. There are two ways to retain data: through CloudTrail's configured S3 bucket, and through CloudTrail's configured CloudWatch logs. |
Access controls |
Require multi-factor authentication when deleting an S3 bucket |
On |
Deleting an S3 bucket means removing a data store. This is a sensitive operation and should require the extra security that multifactor authentication provides. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls |
VPCs whose flow logs are not stored as per standard |
On |
This setting causes Oracle CASB Cloud Service to flag VPCs whose flow logs are not stored according to standard guidelines. |
Access controls |
Check EC2 instance termination protection |
On |
This setting enables monitoring of termination protection for EC2 instances. |
Access controls |
Require security group checking for unsecured ports |
On |
AWS manages critical organizational infrastructure. Security group checking provides an additional layer of security in the event that a port was left open to the internet. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls |
Require network ACLs to use secure open ports |
On |
AWS services listen for traffic on ports. These ports should require secure (encrypted) communication so that sensitive information is not transmitted in the clear. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. This setting can only be enabled when the security control baseline for the application instance is set to Custom. |
Access controls |
Do not let network ACLs have Allow All set as the default |
On |
Allow All means that the access control list (ACL) provides access to anyone on the internet. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls |
Check use of Route 53 hosted zones |
On |
Amazon's Route 53 service maps domain name system (DNS) queries to numeric IP addresses. It routes end users to internet applications by translating domain names (for example, This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls |
Check use of Route 53 health checks |
On |
Amazon Route 53 maps domain name system (DNS) queries to numeric IP addresses. Route 53 health checks ensure that your web resources that reside at these IP addresses are functional before directing traffic to them. Oracle CASB Cloud Service doesn’t monitor for Route 53 health checks in private hosted zones. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls |
Check EBS volume encryption status |
On |
Alert if Elastic Block Store (EBS) is not encrypted. Exceptions for Instances: Enter volume ID of AWS instance. Separate multiple volume IDs with commas. Exceptions for Tags: Enter <tag-key-name>:[<value>]. Separate multiple values with commas. Separate multiple tag key names and value lists with commas: <tag-key-name1>:[<key1-value1>, <key1-value2>, ...], <tag-key-name1>:[<key1-value1>, <key1-value2>, ...] Background Information: Amazon Elastic Block Store (EBS) volumes provide incremental backup for Amazon Elastic Compute Cloud (EC2) instances. Encryption of these volumes prevents unauthorized access to the data on them. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
Access controls |
Check RDS encryption status |
On |
Alert if a Relational Database Service (RDS) instance is not encrypted. Exceptions for Instances: Enter the identifier of the RDS instance. Separate multiple identifiers with commas. Exceptions for Tags: Enter <tag-key-name>:[<value>]. Separate multiple values with commas. Separate multiple tag key names and value lists with commas: <tag-key-name1>:[<key1-value1>, <key1-value2>, ...], <tag-key-name2>:[<key2-value1>, <key2-value2>, ...] Background Information: Amazon Relational Database Service (RDS) is a managed relational database service in the cloud. Ensure that RDS encryption at rest is enabled to prevent unauthorized access to the information stored in the database, its automated backups, read replicas, and snapshots. Amazon RDS handles authentication, access, and decryption of data transparently with minimal impact on performance. Amazon RDS encryption also helps to fulfill compliance requirements for data-at-rest encryption. Note that encryption can only be chosen when a DB instance is created; to encrypt an existing unencrypted instance, take a snapshot, copy it with encryption enabled, and restore from the encrypted copy. This setting and the other access controls on this page aren’t available as a security setting in the AWS administration console. However, when enabled, Oracle CASB Cloud Service monitors this resource and generates an alert when the feature isn’t enabled. |
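The EBS and RDS checks above share one exception syntax (a comma-separated ID list plus `<tag-key>:[<value>, ...]` tag lists). The following is an added example, not Oracle CASB Cloud Service code, showing how such a check can be run over API responses: a parser for the exception syntax, a generic "unencrypted and not exempted" filter, and adapters for the real shapes of EC2 `DescribeVolumes` (`VolumeId`, `Encrypted`, `Tags`) and RDS `DescribeDBInstances` (`DBInstanceIdentifier`, `StorageEncrypted`, `TagList`). The sample responses are constructed, and the rule that an empty value list (`Env:[]`) exempts any resource carrying the tag key is an assumption the page does not state.

```python
import re
from typing import Dict, Iterable, List, Set

# Hypothetical parser for the exception syntax quoted in the table:
#   <tag-key-name1>:[<v1>, <v2>], <tag-key-name2>:[<v3>]
# Assumption (not stated on the page): an empty value list, e.g. "Env:[]",
# exempts any resource that carries the tag key regardless of its value.
_TAG_ITEM = re.compile(r"\s*([^:,\[\]]+?)\s*:\s*\[([^\]]*)\]\s*(?:,|$)")


def parse_tag_exceptions(spec: str) -> Dict[str, List[str]]:
    """Parse 'Key:[v1, v2], Key2:[v3]' into {"Key": ["v1", "v2"], "Key2": ["v3"]}."""
    exceptions: Dict[str, List[str]] = {}
    spec = spec.strip()
    pos = 0
    while pos < len(spec):
        m = _TAG_ITEM.match(spec, pos)
        if m is None:
            raise ValueError(f"unparsable tag exception near: {spec[pos:]!r}")
        key = m.group(1).strip()
        values = [v.strip() for v in m.group(2).split(",") if v.strip()]
        exceptions.setdefault(key, []).extend(values)
        pos = m.end()
    return exceptions


def parse_id_exceptions(spec: str) -> Set[str]:
    """Parse the comma-separated resource ID list; blanks and a trailing comma are tolerated."""
    return {part.strip() for part in spec.split(",") if part.strip()}


def _tag_exempt(tags: Dict[str, str], exceptions: Dict[str, List[str]]) -> bool:
    return any(key in tags and (not values or tags[key] in values)
               for key, values in exceptions.items())


def unencrypted_resources(resources: Iterable[dict], id_exceptions: str = "",
                          tag_exceptions: str = "") -> List[str]:
    """Return IDs of resources that are not encrypted and not exempted.

    Each resource is a dict {"id": str, "encrypted": bool, "tags": {key: value}}.
    """
    skip_ids = parse_id_exceptions(id_exceptions)
    skip_tags = parse_tag_exceptions(tag_exceptions)
    return [r["id"] for r in resources
            if not r["encrypted"]
            and r["id"] not in skip_ids
            and not _tag_exempt(r.get("tags", {}), skip_tags)]


def _kv(tag_list) -> Dict[str, str]:
    return {t["Key"]: t["Value"] for t in (tag_list or [])}


def ebs_resources(describe_volumes: dict) -> List[dict]:
    """Adapt an EC2 DescribeVolumes response to the generic resource shape."""
    return [{"id": v["VolumeId"], "encrypted": bool(v.get("Encrypted")),
             "tags": _kv(v.get("Tags"))} for v in describe_volumes["Volumes"]]


def rds_resources(describe_db_instances: dict) -> List[dict]:
    """Adapt an RDS DescribeDBInstances response to the generic resource shape."""
    return [{"id": d["DBInstanceIdentifier"], "encrypted": bool(d.get("StorageEncrypted")),
             "tags": _kv(d.get("TagList"))} for d in describe_db_instances["DBInstances"]]


# Constructed sample API responses (not real account data).
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True, "Tags": []},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False, "Tags": [{"Key": "Env", "Value": "dev"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": False, "Tags": [{"Key": "Env", "Value": "prod"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60004", "Encrypted": False, "Tags": []},
]}
SAMPLE_DB_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True, "TagList": []},
    {"DBInstanceIdentifier": "scratch-db", "StorageEncrypted": False, "TagList": [{"Key": "Env", "Value": "test"}]},
    {"DBInstanceIdentifier": "reports-prod", "StorageEncrypted": False, "TagList": []},
]}


def run_example():
    """Apply the same exceptions a CASB operator might enter, to both services."""
    ebs = unencrypted_resources(ebs_resources(SAMPLE_VOLUMES),
                                id_exceptions="vol-0a1b2c3d4e5f60004",
                                tag_exceptions="Env:[dev, test]")
    rds = unencrypted_resources(rds_resources(SAMPLE_DB_INSTANCES),
                                tag_exceptions="Env:[dev, test]")
    return ebs, rds


if __name__ == "__main__":
    ebs_findings, rds_findings = run_example()
    print("Unencrypted EBS volumes:", ebs_findings)    # ['vol-0a1b2c3d4e5f60003']
    print("Unencrypted RDS instances:", rds_findings)  # ['reports-prod']
```

The parser refuses malformed specs rather than silently matching nothing, because a typo in an exception list should not widen the exemption. To run this against a live account, replace the constructed dicts with the paginated output of `describe_volumes` and `describe_db_instances` from boto3.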
AWS Registration Errors
Learn how to troubleshoot the errors you may receive when you add or register an AWS instance.
Validation Failed: Credentials or Permissions Issues
Troubleshoot errors about invalid keys, inadequate permissions, or a cross-account logging problem.
Message text: Validation failed for one of these reasons:
-
Invalid access key or secret key.
-
This user needs additional permissions to access the AWS logs.
-
If you set up cross-account logging, ensure that this user has a cross-account role in the target account.
Description: To successfully register this application instance, ensure that all of the following are done:
-
In each AWS account that you want Oracle CASB Cloud Service to monitor, you need to create a dedicated identity and access management (IAM) user. You supply this user's access key and secret key when you register the account with Oracle CASB Cloud Service. If you received this message, the keys may have been rotated, deactivated, or deleted since you copied them, or you may have supplied incorrect keys for this user (for example, a key pair that belongs to a different user or account).
For more information about creating the Oracle CASB Cloud Service user and the user's access keys, see Using an IAM User: Creating a Dedicated Service User if you are using IAM users to monitor your AWS instances, or Using an IAM Role: Creating and Registering a Dedicated Service Role if you are using IAM roles to monitor your AWS instances.
-
The user must have permissions to access the logs from a single account. Ensure that this user has the correct privileges for accessing logs in this single AWS account. See Using an IAM User: Creating a Dedicated Service User if you are using IAM users to monitor your AWS instances, or Using an IAM Role: Creating and Registering a Dedicated Service Role if you are using IAM roles to monitor your AWS instances.
-
The user must have permissions to access cross-account logs. Make sure that this user has the correct privileges for cross-account logging. See Using an IAM User: Adding Source Dedicated Service Users for Cross-Account Logging if you are using IAM users to monitor your AWS instances, or Using an IAM Role: Adding Source Dedicated Service Roles for Cross-Account Logging if you are using IAM roles to monitor your AWS instances.
Validation Failed: Permissions Issues
Troubleshoot errors about user needing additional AWS permissions.
Message text: This user needs additional permissions to access the AWS logs.
Description: Ensure that this user has the correct privileges according to the user’s role. See the topic referenced below for the way Oracle CASB Cloud Service is monitoring your AWS instances, and the context for the account you are trying to register (standalone or first cross-account instance vs. additional cross-account instances).
AWS Monitored by | Standalone AWS Instance or First Instance in Cross-Account Logging | Additional AWS Instances in Cross-Account Logging |
---|---|---|
User | Using an IAM User: Creating a Dedicated Service User | Using an IAM User: Adding Source Dedicated Service Users for Cross-Account Logging |
Role | Using an IAM Role: Creating and Registering a Dedicated Service Role | Using an IAM Role: Adding Source Dedicated Service Roles for Cross-Account Logging |
Validation Failed: Logging Configuration Issues
Troubleshoot errors about CloudTrail or S3 bucket.
Message text: Validation failed for one of these reasons:
-
CloudTrail is off.
-
You set up cross-account logging but not every region is sending its logs to the same target S3 bucket.
Description: Ensure that CloudTrail is turned on. See Using an IAM User: Enabling CloudTrail if you are using IAM users to monitor your AWS instances, or Using an IAM Role: Enabling CloudTrail if you are using IAM roles. If you are doing cross-account logging, ensure that every region's logs are going to the same target S3 bucket, and that the bucket policy in the target account allows the CloudTrail service to deliver logs from each source account.
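Before opening a support case for this message, it is worth reproducing the two conditions yourself. The function below is an added example, not Oracle CASB Cloud Service's validation code: it takes a per-region survey of trails (a dict an auditor can build from `describe_trails()` plus the `IsLogging` flag from `get_trail_status()` in each region) and reports regions where no trail is logging and regions whose logging trails do not deliver to the target bucket. The sample survey is constructed; the rule that, when no target bucket is given, the bucket used by most regions is the intended one is an assumption of this example.

```python
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample survey (not real account data). A multi-region trail shows
# up in every region's describe_trails() output, which is why "org-trail" appears
# twice; ap-southeast-2 has a stopped trail that points at the right bucket.
SAMPLE_TRAILS: Dict[str, List[dict]] = {
    "us-east-1": [{"Name": "org-trail", "S3BucketName": "central-cloudtrail-logs",
                   "IsMultiRegionTrail": True, "IsLogging": True}],
    "eu-west-1": [{"Name": "org-trail", "S3BucketName": "central-cloudtrail-logs",
                   "IsMultiRegionTrail": True, "IsLogging": True}],
    "ap-southeast-2": [{"Name": "legacy-trail", "S3BucketName": "old-local-bucket",
                        "IsMultiRegionTrail": False, "IsLogging": True},
                       {"Name": "stopped-trail", "S3BucketName": "central-cloudtrail-logs",
                        "IsMultiRegionTrail": False, "IsLogging": False}],
    "sa-east-1": [],
}


def validate_cloudtrail(trails_by_region: Dict[str, List[dict]],
                        target_bucket: Optional[str] = None) -> List[Tuple[str, str]]:
    """Reproduce the two checks behind the 'Logging Configuration Issues' message.

    Returns (region, problem) pairs sorted by region. Only trails whose
    IsLogging flag is true count: a stopped trail that points at the right
    bucket does not satisfy the check. If target_bucket is None, the bucket
    used by the most logging regions is assumed to be the intended target
    (assumption of this example).
    """
    active: Dict[str, Set[str]] = {}
    for region, trails in trails_by_region.items():
        active[region] = {t["S3BucketName"] for t in trails if t.get("IsLogging")}

    if target_bucket is None:
        counts = Counter(b for buckets in active.values() for b in buckets)
        target_bucket = counts.most_common(1)[0][0] if counts else None

    problems: List[Tuple[str, str]] = []
    for region in sorted(active):
        buckets = active[region]
        if not buckets:
            problems.append((region, "CloudTrail is off"))
        elif target_bucket not in buckets:
            problems.append((region, f"logs go to {', '.join(sorted(buckets))}, not {target_bucket}"))
    return problems


if __name__ == "__main__":
    for region, problem in validate_cloudtrail(SAMPLE_TRAILS):
        print(f"{region}: {problem}")
```

Pass the target account's bucket name explicitly when you know it; the majority heuristic exists only so the function gives a useful answer on an account you are seeing for the first time. What this cannot see is the target bucket's policy, which must grant `cloudtrail.amazonaws.com` write access for each source account before delivery works.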
Validation Failed: Other Issues
Troubleshoot errors that refer you to the AWS documentation.
This is an error that appears when a more precise diagnosis isn’t possible. You will probably need help to troubleshoot the problem.
Message text: AWS error {0}. Refer to the AWS documentation for more information or contact Oracle CASB Cloud Service support for help.
Description: Some registration errors are generated directly from AWS. In this case, you can either consult the AWS documentation to diagnose the error, or contact Oracle CASB Cloud Service support to have a support representative help investigate the issue.
Warning: Enable CloudTrail
Your registration completed successfully, but CloudTrail is not enabled for all S3 buckets.
Message text: Warning: Credentials are valid for this user and you can complete app registration. However, you need to enable CloudTrail for one or more S3 buckets in this account.
Description: Oracle CASB Cloud Service ingests AWS CloudTrail log data and uses the information in the logs to analyze different types of risk. To provide Oracle CASB Cloud Service with this data, you must ensure that CloudTrail is enabled for each S3 bucket in the monitored AWS account; buckets without CloudTrail coverage produce no events, so activity in them is invisible to the service.
See Using an IAM User: Enabling CloudTrail if Oracle CASB Cloud Service is using IAM users to monitor your AWS instances, or Using an IAM Role: Enabling CloudTrail if IAM roles are used.