Upload a forensic snapshot to an AWS S3 bucket
Follow these instructions to upload a forensic snapshot.
Introduction
By default, snapshots are saved on the local computer. You can upload snapshots to an Amazon Web Services (AWS) S3 bucket instead. This lets you access your snapshots easily in a central location, rather than going to each computer.
To upload snapshots you must have an available AWS S3 bucket. You also need to do the following:
- Create a managed policy in AWS.
- Add your AWS account to Sophos Central.
- Create an AWS bucket policy to restrict access to the S3 bucket.
Create a managed policy
Follow these instructions to create a managed policy in AWS.
To create a managed policy:
Add an AWS account to Sophos Central
Follow these instructions to add your Amazon Web Services (AWS) account to Sophos Central.
To add your account:
- In Sophos Central, go to Global Settings and click Forensic Snapshots.
- Turn on Upload forensic snapshot to an AWS S3 bucket.
- Make a note of AWS Account ID and AWS External ID.
- In Amazon Web Services, create the IAM role by doing the following:
- You need to wait for this role to propagate to all regions in AWS before you can add the account to Sophos Central. This can take up to five minutes.
- In Sophos Central, on the Forensic Snapshots page, do the following:
- Enter the S3 bucket name. This must match the bucket name in the managed policy.
- Optionally, enter a bucket directory name where you want the snapshots to be uploaded to in the S3 bucket.
- Enter the Role ARN created in AWS.
- Click Save.
Create a bucket policy
We recommend you create a bucket policy to restrict access to the S3 bucket that you want to upload forensic snapshots to.
To restrict access:
{
  "Version": "2012-10-17",
  "Id": "S3PolicyIPRestrict",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.143.0/24"
        }
      }
    },
    {
      "Sid": "AllowRead",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:root"
        ]
      }
    }
  ]
}
This policy:
- Allows only the specified IP address range to upload snapshots to the bucket. These should be the public IP addresses that your endpoints or firewalls use for outbound traffic.
- Allows only authorized people to access the snapshots in the bucket.
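A small checker for the three properties the policy above relies on, added here as an example and not part of the Sophos documentation. It builds a constructed policy in the same shape (placeholder bucket name and example account ID) and reports object actions that target the bucket ARN instead of objects, public principals with no aws:SourceIp condition or a range that matches every address, and read access granted to a public principal.

```python
import ipaddress
import json

OBJECT_ACTIONS = {"s3:putobject", "s3:getobject"}

def make_policy(suffix="/*", restrict_ip=True, bucket="example-bucket"):
    # Constructed sample shaped like this page's policy; suffix="" gives a
    # bucket-level Resource, restrict_ip=False drops the aws:SourceIp condition.
    upload = {"Sid": "IPAllow", "Effect": "Allow", "Principal": {"AWS": "*"},
              "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}{suffix}"}
    if restrict_ip:
        upload["Condition"] = {"IpAddress": {"aws:SourceIp": "192.168.143.0/24"}}
    read = {"Sid": "AllowRead", "Effect": "Allow", "Action": ["s3:GetObject"],
            "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
            "Resource": f"arn:aws:s3:::{bucket}{suffix}"}
    return json.dumps({"Version": "2012-10-17", "Id": "S3PolicyIPRestrict",
                       "Statement": [upload, read]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # "*" or {"AWS": "*"} both mean anyone, authenticated or not.
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def check_policy(policy_json):
    """Return findings (empty list means none): object actions must use bucket/*
    ARNs, public Allows need a real aws:SourceIp range, reads are never public."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        public = _is_public(stmt.get("Principal"))
        cidrs = _as_list(stmt.get("Condition", {}).get("IpAddress", {})
                         .get("aws:SourceIp", []))
        if actions & OBJECT_ACTIONS and any(not r.endswith("/*") for r in resources):
            findings.append(f"{sid}: object action on a bucket ARN; use arn:aws:s3:::<bucket>/*")
        if public and not cidrs:
            findings.append(f"{sid}: public principal without an aws:SourceIp condition")
        for cidr in cidrs:
            # ip_network raises ValueError on a malformed CIDR; a /0 restricts nothing.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"{sid}: {cidr} matches every source address")
        if public and "s3:getobject" in actions:
            findings.append(f"{sid}: read access granted to a public principal")
    return findings
```

Run check_policy on the policy you fetched from your bucket (for example, the output of aws s3api get-bucket-policy) before relying on it; an empty list means none of these three problems were found.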
Are there any issues that I should be aware of?
- Uploading to buckets with KMS encryption is not supported, but AES-256 encryption is supported. You don't have to enable AES-256 encryption on an S3 bucket, although we recommend it. Sophos uploads snapshots with an AES-256 encryption header.
- Special characters for bucket names are not supported. For an allowed characters list see Object Key and Metadata.
- Due to a limitation in AWS, snapshots that take longer than 1 hour to upload will time out, preventing the upload from taking place. This is more likely if you chose a longer time period for the snapshot to cover.
- If you have a firewall in your environment, check that your rules allow the upload of snapshots to the AWS S3 bucket.