McAfee MVISION Cloud

Data Storage for Amazon Web Services

The Policy Settings Data Storage tab allows you to configure data storage settings for Match Highlighting, Incident Notes, and Policy Incident Remediation.

To store your data, you can use McAfee data storage, Microsoft Azure, IBM Cloud, or Amazon Web Services (AWS). 

To configure data storage for AWS:

  1. Go to Policy > Policy Settings.
  2. Select the Data Storage tab.
    (screenshot: data_storage_aws_4.3.2.png)
  3. Under Data Store, select Your Own.
  4. From Data Store Provider, select Amazon Web Services (AWS).
  5. Take note of the MVISION Cloud AWS ID and External ID. You will need to enter these in AWS.
  6. In AWS, create a new S3 bucket.
  7. To enable versioning, in the S3 bucket list, select the bucket you just created.
  8. Go to Properties, click Versioning, click Enable versioning, and click Save.
  9. Create a new IAM policy and give it the following permissions. Make sure to replace "bucket-name" with the name of the bucket you created.
    {
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation",
                    "s3:ListBucketMultipartUploads",
                    "s3:ListBucketVersions",
                    "s3:GetBucketVersioning"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::bucket-name"
                ]
            },
            {
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:AbortMultipartUpload",
                    "s3:ListMultipartUploadParts",
                    "s3:DeleteObjectVersion"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::bucket-name/*"
                ]
            }
        ],
        "Version": "2012-10-17"
    }
  10. Name the policy MVISION_Cloud_S3_Storage_Policy.
  11. Create a new IAM Role using type Another AWS account.
  12. For Account ID and External ID, use the information from the MVISION Cloud Data Storage tab, then click Next: Permissions.
    (screenshot: aws_IAM_role.png)

  13. Attach the MVISION_Cloud_S3_Storage_Policy policy to this new IAM role.
    (screenshot: aws_attach_role.png)
  14. Click Next. Skip the Tags page.
  15. Enter the role name MVISION_Cloud_S3_Storage_Role.
    (screenshot: aws_apply_role.png)
  16. Click Create role.
  17. From the AWS Roles page, select MVISION_Cloud_S3_Storage_Role.
  18. Copy the Role ARN to the clipboard.
    (screenshot: aws_role_arn.png)
  19. In MVISION Cloud, on the Policy Settings > Data Storage tab, enter the AWS S3 bucket name.
  20. Enter the AWS Role ARN.
  21. From the Region menu, select the region where the S3 bucket was created.
  22. Click Test Connection, and look for the success notification.

IMPORTANT: If the test fails, DO NOT PROCEED. Make sure that the AWS Account ID and External ID are entered correctly in the IAM Role. Also make sure the AWS Region is correct. For help, contact MVISION Cloud Support.

  23. When the test is successful, click Save.

Additional JSON Permission Policies

If you want to restrict the bucket further, these additional JSON permission policies lock access down to a single S3 bucket and to the MVISION Cloud source IP addresses.

Goal: Lock down to a single S3 bucket and source IP = SHNPOC.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:Put*",
                "s3:List*",
                "s3:Delete*"
                ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "52.8.134.60/32"
                }
            },
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}
Goal: Lock down to a single S3 bucket and source IP = GOVCLOUD.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:Put*",
                "s3:List*",
                "s3:Delete*"
                ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "96.127.68.39/32",
                        "52.222.51.204/32",
                        "52.222.105.173/32",
                        "52.61.166.34/32",
                        "52.61.93.9/32",
                        "96.127.50.113/32",
                        "96.127.85.251/32",
                        "52.61.222.195/32"
                    ]
                }
            },
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}
Goal: Lock down to a single S3 bucket and source IP = PROD.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:Put*",
                "s3:List*",
                "s3:Delete*"
                ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "52.8.140.255/32",
                        "216.156.214.205/32",
                        "52.42.179.76/32",
                        "35.167.156.248/32",
                        "34.215.230.220/32",
                        "52.34.250.140/32",
                        "54.70.91.35/32",
                        "52.24.211.31/32"
                    ]
                }
            },
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}
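The following Python script is an added example and is not part of the MVISION Cloud documentation or product. It builds the three IAM documents the procedure above asks you to paste by hand: the bucket-scoped permission policy from step 9, the trust policy that an IAM role of type Another AWS account uses together with the External ID (the sts:ExternalId condition is what stops a third party from asking MVISION Cloud to assume your role on their behalf), and the source-IP lock-down variant from this section. It also parses hand-edited policy JSON and flags the mistakes that are easy to make when editing it: a missing comma between list entries, a resource outside the intended bucket, or a malformed CIDR. The account ID and External ID are placeholders; the real values come from the Data Storage tab.

```python
"""Added example: build and sanity-check the IAM documents for the AWS
data-storage setup. Account ID and External ID are constructed
placeholders; take the real values from the MVISION Cloud Data Storage tab."""

import ipaddress
import json

MVISION_AWS_ACCOUNT_ID = "123456789012"  # placeholder, not the real MVISION Cloud AWS ID
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"      # placeholder for the External ID shown in the tab

# Bucket-level and object-level actions from the step 9 policy.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads",
                  "s3:ListBucketVersions", "s3:GetBucketVersioning"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload",
                  "s3:ListMultipartUploadParts", "s3:DeleteObjectVersion"]


def s3_permission_policy(bucket, source_ips=None):
    """Permission policy scoped to one bucket. With source_ips it becomes the
    IP lock-down variant from the Additional JSON Permission Policies section."""
    if not bucket or "*" in bucket or "?" in bucket:
        raise ValueError("bucket must name one explicit bucket, no wildcards")
    statements = [
        {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": [f"arn:aws:s3:::{bucket}/*"]},
    ]
    if source_ips:
        # ip_network rejects malformed entries and normalises "1.2.3.4" to "1.2.3.4/32".
        cidrs = [str(ipaddress.ip_network(ip)) for ip in source_ips]
        for stmt in statements:
            stmt["Condition"] = {"IpAddress": {"aws:SourceIp": cidrs}}
    return {"Version": "2012-10-17", "Statement": statements}


def role_trust_policy(account_id, external_id):
    """Trust policy behind 'Another AWS account' plus External ID: only that
    account may call sts:AssumeRole, and only when it presents the External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def load_policy(text):
    """Parse hand-pasted policy JSON; returns (policy, None) or (None, error)."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"line {exc.lineno} column {exc.colno}: {exc.msg}"


def check_policy(policy, bucket):
    """Findings that would widen access beyond the bucket or break an IP lock-down."""
    findings = []
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = stmt.get("Resource", [])
        for res in ([resources] if isinstance(resources, str) else resources):
            if res not in allowed:
                findings.append(f"statement {i}: resource {res} is outside bucket {bucket}")
        ips = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        for ip in ([ips] if isinstance(ips, str) else ips):
            try:
                ipaddress.ip_network(ip)
            except ValueError:
                findings.append(f"statement {i}: malformed CIDR {ip!r}")
    return findings


if __name__ == "__main__":
    # 52.8.134.60/32 is the SHNPOC address listed on this page.
    policy = s3_permission_policy("bucket-name", ["52.8.134.60/32"])
    print(json.dumps(policy, indent=4))
    print(json.dumps(role_trust_policy(MVISION_AWS_ACCOUNT_ID, EXTERNAL_ID), indent=4))
    print("findings:", check_policy(policy, "bucket-name"))
```

Run it before creating the policy and role in the console, then paste the printed JSON. load_policy is useful on its own when you copy one of the lock-down policies above into an editor: a dropped comma between two "aws:SourceIp" entries is reported with its line number instead of being rejected by the IAM console without explanation.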