Upload forensic snapshots to an AWS S3 bucket
You can upload forensic snapshots only from Windows devices. You must also have an XDR or MDR license.
By default, snapshots are saved on the local computer. You can upload snapshots to an Amazon Web Services (AWS) S3 bucket instead. This lets you access your snapshots easily in a single location, rather than going to each device.
To upload snapshots, you must have an available AWS S3 bucket. You also need to do the following:
- Create a managed policy in AWS.
- Add your AWS account to Sophos Central.
- (Optional) Create an AWS bucket policy to restrict access to the S3 bucket.
- (Optional) Create an AWS bucket lifecycle policy to clear up data you no longer need.
Forensic Log Collection
If you set up uploads to an AWS S3 bucket here, our new Forensic Log Collection feature uses the same settings to upload logs.
Forensic Log Collection is currently only available via our Sophos Central API. See https://developer.sophos.com/docs/endpoint-v1/1/overview.
Create a managed policy
To create a managed policy in AWS, do as follows:
- In the Amazon Web Services (AWS) dashboard, under Security, Identity and Compliance, go to IAM.
- In the left menu, click Policies.
- Click Create Policy.
- Select the JSON tab.
- Add the policy document shown below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<bucketName>",
"arn:aws:s3:::<bucketName>/*"
]
}
]
}
Note
Replace <bucketName> with the name of the bucket where your snapshots will be uploaded.
- Click Review Policy to check the copied policy is valid.
- Name the policy.
Example: "Sophos-Central-Forensic-Snapshot-Upload".
- Give a description.
Example: "This policy allows Sophos Central to upload forensic snapshots to a given S3 bucket."
- Click Create Policy.
Add the AWS account to Sophos Central
To add your account, do as follows.
- In Sophos Central, go to My Products > General Settings > Forensic Snapshots.
- Turn on Upload forensic snapshot to an AWS S3 bucket.
- Make a note of AWS Account ID and AWS External ID.
- In Amazon Web Services, create the IAM Role by doing the following:
- In the AWS Management Console, under Security, Identity and Compliance, go to IAM.
- In the left menu, click Roles.
- Click Create role.
- Under Trusted entity type, select Custom trust policy.
- Add the trust policy document shown below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<accountId>:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<externalId>"
}
}
}
]
}
Note
Replace <accountId> and <externalId> with the Account ID and External ID that you noted earlier.
- Click Next to go to the Permissions page.
- Attach the managed policy you created earlier, for example "Sophos-Central-Forensic-Snapshot-Upload".
- (Optional) We strongly recommend that you expand Set permissions boundary and click Use a permissions boundary to control the maximum role permissions. Attach the same managed policy, for example "Sophos-Central-Forensic-Snapshot-Upload". The boundary caps the role's effective permissions, so the role can never do more than list the bucket and write objects into it, even if a broader policy is attached to it later.
- Enter a Role name.
- Optional. Enter a Role description.
- Click Create Role.
- Now view this role and copy its Role ARN (Amazon Resource Name).
Wait for this role to propagate to all regions in AWS before you add the account to Sophos Central. This can take up to five minutes.
- In Sophos Central, on the Forensic Snapshots page, do the following:
- Enter the S3 bucket name. This must match the bucket name in the managed policy.
- (Optional) Enter the name of the directory in the S3 bucket where you want the snapshots to be uploaded.
- Enter the Role ARN created in AWS earlier.
- Click Save.
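The managed policy and the role trust policy above can be generated and sanity-checked before they go into the console. The following Python is an added example, not Sophos documentation or Sophos code; the bucket name, account ID and external ID in it are constructed placeholders, to be replaced with the values the Forensic Snapshots page shows you. It builds both documents from those values, checks the properties a reviewer would look for (only ListBucket and PutObject, resources scoped to the one bucket, principal limited to the Sophos account, external ID condition present) and simulates how STS evaluates the trust policy, which shows why the external ID matters: a caller from the trusted account that does not present the ID is refused.

```python
import json

# Constructed placeholder values; replace with the ones Sophos Central shows you.
BUCKET = "example-forensic-snapshots"
SOPHOS_ACCOUNT_ID = "111111111111"   # "AWS Account ID" from the Forensic Snapshots page
EXTERNAL_ID = "a1b2c3d4-example"     # "AWS External ID" from the same page

ALLOWED_ACTIONS = {"s3:ListBucket", "s3:PutObject"}


def upload_policy(bucket: str) -> dict:
    """Managed policy: list the bucket and write objects into it, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(ALLOWED_ACTIONS),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def trust_policy(account_id: str, external_id: str) -> dict:
    """Role trust policy: only the Sophos account may assume the role, and only
    when it presents the external ID (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_upload_policy(policy: dict, bucket: str) -> list:
    """Return the problems found; an empty list means the policy is as expected."""
    problems = []
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy["Statement"]:
        action = stmt["Action"]
        actions = set(action if isinstance(action, list) else [action])
        if not actions <= ALLOWED_ACTIONS:
            problems.append(f"unexpected actions: {sorted(actions - ALLOWED_ACTIONS)}")
        if set(stmt["Resource"]) != wanted:
            problems.append(f"resources not scoped to {bucket}: {stmt['Resource']}")
    return problems


def check_trust_policy(policy: dict, account_id: str, external_id: str) -> list:
    """Return the problems found in the trust policy (empty list = as expected)."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Principal", {}).get("AWS") != f"arn:aws:iam::{account_id}:root":
            problems.append("principal is not the Sophos account root")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("missing or wrong sts:ExternalId condition")
    return problems


def assume_role_allowed(policy: dict, caller_account: str, presented_external_id) -> bool:
    """Simulate STS evaluating the trust policy for an AssumeRole call from
    caller_account that presents presented_external_id (None = no ID sent)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or required == presented_external_id:
            return True
    return False


if __name__ == "__main__":
    up = upload_policy(BUCKET)
    tp = trust_policy(SOPHOS_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(up, indent=2))
    print(json.dumps(tp, indent=2))
    print("upload policy problems:", check_upload_policy(up, BUCKET))
    print("trust policy problems:", check_trust_policy(tp, SOPHOS_ACCOUNT_ID, EXTERNAL_ID))
    print("Sophos account with external ID:", assume_role_allowed(tp, SOPHOS_ACCOUNT_ID, EXTERNAL_ID))
    print("Sophos account without external ID:", assume_role_allowed(tp, SOPHOS_ACCOUNT_ID, None))
    print("some other account with the ID:", assume_role_allowed(tp, "222222222222", EXTERNAL_ID))
```

The two `json.dumps` outputs are what you paste into the JSON tab of the policy editor and into the custom trust policy box. The simulation is deliberately narrow: it only models the `sts:ExternalId` condition and the account-root principal, which are the two things this setup relies on.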
Create a bucket policy
We strongly recommend that you create a bucket policy to restrict access to the S3 bucket. An example policy is shown below.
Add the following bucket policy:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Deny",
"Principal":"*",
"Action":"s3:*",
"Resource":[
"arn:aws:s3:::<bucketName>",
"arn:aws:s3:::<bucketName>/*"
],
"Condition":{
"StringNotEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::<customerAccountId>:root",
"arn:aws:iam::<customerAccountId>:role/<iamRoleName>"
]
}
}
}
]
}
Replace the placeholders as follows:
- <bucketName>: The name of the bucket the forensic data will be uploaded to.
- <customerAccountId>: Your AWS account ID. You can find it on the AWS Console by clicking your username in the upper right.
- <iamRoleName>: The name of the IAM Role created in the previous section.
This policy explicitly denies every S3 action on the bucket and its objects to any principal except the following, so only they can upload to the bucket or access the data in it:
- The root user of your account.
- Sessions of the IAM role created earlier. The trust policy limits those to the Sophos account presenting the external ID. The condition matches the role ARN because, for a role session, aws:PrincipalArn is the ARN of the role, not of the session.
Because an explicit Deny overrides any Allow, the policy also locks out the IAM users and roles in your own account. If you administer the bucket with an IAM user or role rather than the root user, add its ARN to the aws:PrincipalArn list before you apply the policy.
Create a bucket lifecycle policy
We strongly recommend that you set a lifecycle policy for your S3 bucket. This policy avoids incurring unwanted additional costs.
When forensic data files are large, the Sophos endpoint automatically uploads the data in parts. If there's an outage outside our control, multipart uploads might be interrupted, which could cause the bucket to have incomplete data. AWS could charge you for storing this incomplete data. To avoid this, create a lifecycle policy on the bucket that cleans up incomplete uploads.
To create a lifecycle policy, do as follows:
- Sign in to the AWS Management Console.
- Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- In the Buckets list, select the bucket the forensic data will be uploaded to.
- Select the Management tab, and select Create lifecycle rule.
- In Lifecycle rule name, enter a name for your rule, for example "Delete incomplete multipart uploads".
- Select This rule applies to all objects in the bucket.
- Under Lifecycle rule actions, select Delete expired object delete markers or incomplete multipart uploads.
- Under Delete expired object delete markers or incomplete multipart uploads, select Delete incomplete multipart uploads.
- In Number of days, enter 7.
- Click Create rule.
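Both the bucket policy and the lifecycle rule can be applied from the command line instead of the console, with `aws s3api put-bucket-policy --policy file://policy.json` and `aws s3api put-bucket-lifecycle-configuration --lifecycle-configuration file://lifecycle.json`. The following Python is an added example, not Sophos documentation or Sophos code; the bucket name, account ID and role name are constructed placeholders. It builds both JSON documents and then evaluates the bucket policy's Deny against a few sample principals, including an IAM user in your own account, to show the lock-out described above before it happens to you.

```python
import json

# Constructed placeholder values; replace with your own.
BUCKET = "example-forensic-snapshots"
CUSTOMER_ACCOUNT_ID = "333333333333"
ROLE_NAME = "Sophos-Central-Forensic-Snapshot-Upload-Role"   # the IAM role created earlier


def bucket_policy(bucket: str, account_id: str, role_name: str, extra_admin_arns=()) -> dict:
    """Deny all S3 actions on the bucket to everyone except the account root, the
    Sophos role and any extra administrative ARNs you pass in."""
    allowed = [
        f"arn:aws:iam::{account_id}:root",
        f"arn:aws:iam::{account_id}:role/{role_name}",
        *extra_admin_arns,
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:PrincipalArn": allowed}},
        }],
    }


def denied_by_bucket_policy(policy: dict, principal_arn: str) -> bool:
    """Does the explicit Deny fire for this principal? Simplified evaluation: an
    explicit Deny wins over any Allow, and StringNotEquals against a list is true
    when the context key matches none of the listed values. For a role session
    AWS sets aws:PrincipalArn to the role ARN, so pass the role ARN for the
    Sophos upload session."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        allowed = stmt["Condition"]["StringNotEquals"]["aws:PrincipalArn"]
        if principal_arn not in allowed:
            return True
    return False


def lifecycle_configuration(days: int = 7) -> dict:
    """Same rule as the console steps above, in PutBucketLifecycleConfiguration
    shape: abort multipart uploads that are still incomplete after `days` days."""
    return {"Rules": [{
        "ID": "Delete incomplete multipart uploads",
        "Status": "Enabled",
        "Filter": {"Prefix": ""},          # empty prefix = every object in the bucket
        "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": days},
    }]}


def evaluate_samples(policy: dict) -> dict:
    """Who gets denied? Keys are labels, values are True when the Deny fires."""
    samples = {
        "account root": f"arn:aws:iam::{CUSTOMER_ACCOUNT_ID}:root",
        "Sophos upload role": f"arn:aws:iam::{CUSTOMER_ACCOUNT_ID}:role/{ROLE_NAME}",
        "IAM user in your own account": f"arn:aws:iam::{CUSTOMER_ACCOUNT_ID}:user/alice",
        "role in another account": "arn:aws:iam::444444444444:role/someone-else",
    }
    return {label: denied_by_bucket_policy(policy, arn) for label, arn in samples.items()}


if __name__ == "__main__":
    policy = bucket_policy(BUCKET, CUSTOMER_ACCOUNT_ID, ROLE_NAME)
    print(json.dumps(policy, indent=2))
    print(json.dumps(lifecycle_configuration(), indent=2))
    for label, denied in evaluate_samples(policy).items():
        print(f"{label}: {'DENIED' if denied else 'allowed'}")
```

The `extra_admin_arns` parameter is the practical fix for the lock-out: pass the ARN of the IAM user or role you administer the bucket with, and re-run `evaluate_samples` to confirm it is no longer denied before you apply the policy.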
Known issues
- Uploading to buckets that use SSE-KMS encryption isn't supported, but SSE-S3 (AES-256) encryption is supported. You don't have to turn on default AES-256 encryption on the S3 bucket, but we recommend it. We upload snapshots with an AES-256 server-side encryption header.
- Special characters for bucket names aren't supported. For an allowed characters list, see Working with object metadata.
- If you have a firewall in your environment, make sure that your rules allow the upload of snapshots to the AWS S3 bucket. This advice applies to Sophos Firewall as well as other firewalls.