Upload a forensic snapshot to an AWS S3 bucket

Follow these instructions to upload a forensic snapshot.

Note This option is currently available for Windows computers only and requires Core Agent 2.5.0 and later.

By default, snapshots are saved on the local computer. You can upload snapshots to an Amazon Web Services (AWS) S3 bucket instead. This lets you access your snapshots easily in a central location, rather than going to each computer.

To upload snapshots you must have an available AWS S3 bucket. You also need to do the following:

  • Create a managed policy in AWS.
  • Add your AWS account to Sophos Central.
  • Create an AWS bucket policy to restrict access to the S3 bucket.

For more information on threat graphs see Threat Graph analysis.

Create a managed policy

To create a managed policy in AWS, do as follows:

  1. In the Amazon Web Services (AWS) dashboard go to IAM listed under Security, Identity and Compliance.
  2. Click Policies on the left side navigation bar.
  3. Click Create Policy.
  4. Click JSON.
  5. Add the following policy: 
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPutObject",
            "Effect": "Allow",
            "Action": [ 
               "s3:PutObject",
               "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}
    Note You need to replace <bucket-name> with the name of the bucket where your snapshots will be uploaded.
  6. Click Review Policy to check the copied policy is valid.
  7. Name the policy.

    Example: Sophos-Central-Forensic-Snapshot-Upload.

  8. Give a description.

    Example: This policy allows Sophos Central to upload forensic snapshots to a given S3 bucket.

  9. Click Create Policy.

Add an AWS account to Sophos Central

To add your account, do as follows.

  1. In Sophos Central, go to Overview > Global Settings and click Forensic Snapshots.
  2. Turn on Upload forensic snapshot to an AWS S3 bucket.
  3. Make a note of AWS Account ID and AWS External ID.
  4. In Amazon Web Services create the IAM Role by doing the following:
    1. In the Amazon Web Services dashboard go to Identity & Access Management listed under Security & Identity.
    2. Click Roles on the left side navigation bar.
    3. Click Create role.
    4. Click Another AWS account.
    5. Enter the Account ID and External ID provided by Sophos Central.
    6. Turn on Require external ID.
      This is recommended best practice when a third party assumes this role.
    7. Turn off Require MFA.
    8. Click Next: Permissions.
    9. Attach the policy you created earlier, and click Next: Tags.
    10. Leave the optional tags blank and click Next: Review.
    11. Enter a Role name, and optionally a Role description.
    12. Click Create Role and copy the Role ARN (Amazon Resource Name).
  5. You need to wait for this role to propagate to all regions in AWS before you can add the account to Sophos Central. This can take up to five minutes.
  6. In Sophos Central, on the Forensic Snapshots page, do the following:
    1. Enter the S3 bucket name.This must match the bucket name in the managed policy.
    2. Optionally, enter a bucket directory name where you want the snapshots to be uploaded to in the S3 bucket.
    3. Enter the Role ARN created in AWS.
    4. Click Save.

Create a bucket policy

We recommend you create a bucket policy to restrict access to the S3 bucket that you want to upload forensic snapshots to.

To restrict access:

Add the following bucket policy: 
{ 
   "Version":"2012-10-17",
   "Id":"S3PolicyIPRestrict",
   "Statement":[ 
      { 
         "Sid":"IPAllow",
         "Effect":"Allow",
         "Principal":{ 
            "AWS":"*"
         },
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::<bucket-name>",
         "Condition":{ 
            "IpAddress":{ 
               "aws:SourceIp":"192.168.143.0/24"
            }
         }
      },
      { 
         "Sid":"AllowRead",
         "Action":[ 
            "s3:GetObject"
         ],
         "Effect":"Allow",
         "Resource":"arn:aws:s3:::<bucket-name>",
         "Principal":{ 
            "AWS":[ 
               "arn:aws:iam::123456789012:root"
            ]
         }
      }
   ]
}

This policy:

  • Allows only the specified IP addresses to upload snapshots to the bucket. These should be the outward IP addresses of endpoints or firewalls.
  • Allows only authorized people to access the snapshots in the bucket.

Are there any issues that I should be aware of?

  • Uploading to buckets with KMS encryption is not supported but AES-256 encryption is supported. You don't have to enable AES-256 encryption on an S3 bucket, although we recommend it. Sophos uploads snapshots with an AES-256 encryption header.
  • Special characters for bucket names are not supported. For an allowed characters list see Object Key and Metadata.
  • Due to a limitation in AWS, snapshots that take longer than 1 hour to upload will time out, preventing the upload from taking place.This is more likely if you chose a longer period of time for the snapshot to contain.
  • If you have a firewall in your environment, check that your rules allow the upload of snapshots to the AWS S3 bucket.