Skyhigh Security

Configure AWS in Skyhigh CASB

When integrating Skyhigh CASB for AWS, you will use the Account Settings page to enter your AWS account information. You can also choose to upload a CSV file of all AWS account information. 

Before you begin, make sure you've created an Identity and Access Management (IAM) role in your AWS account to grant access to Skyhigh CASB. Assign the permission template "ReadOnlyAccess" to this role. Skyhigh CASB's Account ID and External ID are specific to you and will be available on the Skyhigh CASB dashboard while enabling AWS integration.

Step 1: Create IAM Roles

To create an IAM Role in AWS with the required permissions:

  1. Log in to your AWS account and select IAM from the services menu.
  2. Go to Users > Roles > Create role.
  3. Select Another AWS account, and copy the AWS account ID and external ID from the Skyhigh CASB dashboard into AWS.
  4. Select the ReadOnlyAccess permission.
  5. Enter the preferred Role name. For example, skyhigh_for_aws_role. For more information, see Configure Skyhigh CASB IAM Roles for AWS.
  6. Click the role name in AWS and copy the Role ARN.
  7. Paste the Role ARN into Skyhigh CASB (refer to the instructions in Step 2: Integrate AWS).
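The role created in steps 3 and 4 is a cross-account role: the trust policy names Skyhigh's AWS account as the principal and requires the External ID on every AssumeRole call, which is what stops a third party from tricking Skyhigh into assuming your role on their behalf (the confused-deputy problem). The example below is added here and is not Skyhigh's code; it builds the trust policy document the console generates for you and reviews one for the two settings that matter. The account ID and external ID are constructed placeholders; the real values come from the Skyhigh CASB dashboard.

```python
import json

# Constructed placeholders: copy the real values from the Skyhigh CASB dashboard.
SKYHIGH_ACCOUNT_ID = "111111111111"
SKYHIGH_EXTERNAL_ID = "example-external-id-from-dashboard"

# AWS-managed policy the page says to attach to the role (permissions, not trust).
READONLY_POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy for the role: only the named account may assume it, and only
    when the AssumeRole call carries the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_findings(policy: dict) -> list:
    """Review an existing trust policy and return the weaknesses found.
    Checks every Allow statement for sts:AssumeRole: the principal must be a
    specific account (not '*') and the statement must require sts:ExternalId."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("principal is '*': any AWS account could assume the role")
        condition = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in ops for ops in condition.values())
        if not has_external_id:
            findings.append("no sts:ExternalId condition: confused-deputy risk")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(SKYHIGH_ACCOUNT_ID, SKYHIGH_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```

If you later edit the role's trust relationship by hand, running the review function over the saved JSON catches the two regressions that silently widen access: a wildcard principal, or a dropped ExternalId condition.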

Step 2: Integrate AWS

To integrate AWS:

  1. Log in to Skyhigh CASB and go to Settings > Service Management.
  2. Click Add Service Instance and select Amazon Web Services (AWS).
  3. Add an Instance Name and click Done.
  4. You are redirected to the Account Settings page. Select the features you want to enable for your AWS account:
    • DLP. Select this option to automatically enable the Near Real Time and On Demand Scan options.
      • Select Near Real Time to enable NRT DLP scan. For details, see Near Real Time DLP and Malware Scan.
      • Select On Demand Scan to provide Data Loss Prevention (DLP) protection to files stored in Amazon S3 Buckets.
    • Activity Monitoring. Select this option to monitor the activity of AWS users and detect risky activity trends for the entire organization over time. If you do not select this option, you do not need to provide AWS Bucket names to Skyhigh CASB.
    • Security Configuration Audit. Select this option to automatically enable the configuration audit and real-time configuration audit policies.
  5. Click Next. Review the mandatory prerequisites, click the checkbox, and click Next.
  6. Under Add Accounts, choose any method to provide AWS account information to Skyhigh CASB:
    • Enter my account info manually. Choose this option, then type each AWS account's Role ARN, Preferred Name, and AWS Bucket Name (if you have enabled Activity Monitoring). To add multiple AWS account details, click Add.
    • Upload a CSV with account info. Choose this option only if you have a CSV file in the following format. To upload a CSV file, click Upload CSV.
      role-arn, preferred-name, aws-bucket-name
      role-arn, preferred-name, aws-bucket-name

NOTE: If you have not enabled Activity Monitoring in the Account Settings page, you do not need to provide the Bucket Names.
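A CSV that fails the authentication step usually fails on a malformed Role ARN or a missing bucket name, so it is worth checking the file before uploading it. The validator below is an added example, not Skyhigh's code: it reads rows in the page's role-arn, preferred-name, aws-bucket-name format, requires the bucket name only when Activity Monitoring is enabled (per the note above), and rejects ARNs that are not IAM role ARNs or bucket names that break S3 naming rules. The ARN and bucket patterns are my own assumptions about what a well-formed value looks like, and the sample rows are constructed.

```python
import csv
import io
import re

# Assumed shape of an IAM role ARN: 12-digit account ID and a role path/name.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
# S3 bucket naming rules: 3-63 chars, lowercase letters, digits, dots, hyphens,
# beginning and ending with a letter or digit.
BUCKET_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")

# Constructed sample file in the page's format (role-arn, preferred-name, aws-bucket-name).
# Row 2 has no bucket; row 3 has a short account ID and an invalid bucket name.
SAMPLE_CSV = """\
arn:aws:iam::123456789012:role/skyhigh_for_aws_role, prod-account, my-cloudtrail-logs
arn:aws:iam::210987654321:role/skyhigh_for_aws_role, dev-account,
arn:aws:iam::1234:role/skyhigh_for_aws_role, broken-account, Bad_Bucket
"""


def validate_rows(text: str, activity_monitoring: bool) -> dict:
    """Return {row_number: [error, ...]} for rows that would fail; {} if all rows pass."""
    problems = {}
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue  # skip blank lines
        cells = [c.strip() for c in row] + [""] * (3 - len(row))  # pad short rows
        arn, name, bucket = cells[:3]
        errs = []
        if not ROLE_ARN_RE.match(arn):
            errs.append("role-arn is not an IAM role ARN")
        if not name:
            errs.append("preferred-name is empty")
        if activity_monitoring and not bucket:
            errs.append("aws-bucket-name is required when Activity Monitoring is enabled")
        if bucket and not BUCKET_RE.match(bucket):
            errs.append("aws-bucket-name is not a valid S3 bucket name")
        if len(row) > 3:
            errs.append("more than three columns")
        if errs:
            problems[n] = errs
    return problems


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"Activity Monitoring enabled={enabled}:", validate_rows(SAMPLE_CSV, enabled))
```

Run it against your real file with the same Activity Monitoring choice you made on the Account Settings page; an empty result means every row is at least well-formed, which is all that can be checked offline, since only Authenticate Accounts proves the role can actually be assumed.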

  7. To authenticate your AWS account information, click Authenticate Accounts.
  8. If authentication fails, you are redirected to an error screen. Go back and fix the errors, or click Continue With Error if you do not want to fix them.

NOTE: Some features might not work as expected if you click Continue With Error.

  9. On successful authentication, the message Authentication Complete is displayed. Click Done.
    (Screenshot: AWS integration complete)
  10. Complete the remaining steps and go to Policies & Notifications.
  11. Select the pre-populated email ID(s) to notify of any Configuration Audit Policy violation incidents. Alternatively, you can manually enter an email in the description box. For details, see Configure Account Administrator Email Notification.
  12. Click Next.
  13. On the Summary page, verify your settings and click Save to complete the integration.