Skyhigh Security

Data Storage for Amazon Web Services

The Policy Settings Data Storage tab allows you to configure data storage settings for Match Highlighting, Incident Notes, and Policy Incident Remediation.

To store your data, you can use Skyhigh Security data storage, Microsoft Azure, IBM Cloud, or Amazon Web Services (AWS). 

To configure data storage for AWS:

  1. Go to Policy > Policy Settings.
  2. Select the Data Storage tab.
  3. Under Data Store, select Your Own.
  4. From Data Store Provider, select Amazon Web Services (AWS).
  5. Take note of the Skyhigh CASB AWS ID and External ID. You will need to enter these values in AWS.
  6. In AWS, create a new S3 Bucket. 
  7. To enable Versioning, in the S3 bucket list, select the bucket you just created.
  8. Go to Properties, click Versioning, click Enable versioning, and click Save.
  9. Create a new IAM policy and give it the following permissions. Make sure to replace "bucket-name" with the bucket name you created. 
        "Statement": [{
                "Action": [
                "Effect": "Allow",
                "Resource": [
            }, {
                "Action": [
                "Effect": "Allow",
                "Resource": [
        "Version": "2012-10-17"
  10. Name the policy MVISION_Cloud_S3_Storage_Policy.
  11. Create a new IAM Role using type Another AWS account.
  12. For Account ID and External ID, use the information from the Skyhigh CASB Data Storage tab, then click Next: Permissions.


  13. Attach the MVISION_Cloud_S3_Storage_Policy policy to this new IAM role.
  14. Click Next. Skip the Tags page.
  15. Enter the role name MVISION_Cloud_S3_Storage_Role.
  16. Click Create role.
  17. From the AWS Roles page, select MVISION_Cloud_S3_Storage_Role.
  18. Copy the Role ARN to the clipboard.
  19. In Skyhigh CASB on the Policy Settings > Data Storage tab, enter the AWS S3 Bucket name.
  20. Enter the AWS Role ARN.
  21. Select the Region from the menu where the S3 bucket was created.
  22. Click Test Connection, and look for the success notification.

IMPORTANT: If the test fails, DO NOT PROCEED. Make sure that the AWS Account ID and External ID are entered correctly in the IAM Role. Also, make sure the AWS Region is correct. For help, contact Skyhigh CASB Support.

  23. When the test is successful, click Save.
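
When Test Connection fails, the role's trust policy is the first thing to inspect. The following check is an added example, not part of the Skyhigh documentation: it verifies that a trust policy trusts only the expected account and requires the expected External ID. The account ID, External ID and sample policy are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed placeholders: use the Skyhigh CASB AWS ID and External ID from step 5.
EXPECTED_ACCOUNT_ID = "111122223333"
EXPECTED_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"

# Constructed trust policy in the shape IAM generates for a role of type
# "Another AWS account" when an external ID is required.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
})


def as_list(value):
    """IAM accepts a single value or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, account_id, external_id):
    """Return a list of problems in a role trust policy (empty list means it passes)."""
    statements = as_list(json.loads(policy_json).get("Statement", []))
    allows = [s for s in statements if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in as_list(s.get("Action", []))]
    if not allows:
        return ["no Allow statement for sts:AssumeRole"]
    problems = []
    accepted = {account_id, f"arn:aws:iam::{account_id}:root"}
    for stmt in allows:
        principal = stmt.get("Principal")
        trusted = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if not trusted:
            problems.append("no AWS account principal")
        problems += [f"unexpected principal: {p}" for p in trusted if p not in accepted]
        # Condition key names are not case-sensitive in IAM.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if ext is None:
            problems.append("missing sts:ExternalId condition")
        elif as_list(ext) != [external_id]:
            problems.append("external ID does not match")
    return problems


if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST_POLICY, EXPECTED_ACCOUNT_ID, EXPECTED_EXTERNAL_ID))
```

The trust policy JSON to feed in is shown on the role's Trust relationships tab in the IAM console.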

Additional JSON Permission Policies

These are additional JSON permissions if you need to lock down the permission to a single Skyhigh CASB IP address for additional security.

For a list of Skyhigh CASB egress device IP addresses, contact Support.

Lock down to a single S3 bucket and source IP.

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [ 



            "Resource": [

