Configuring and Scheduling the AWS Permissions Collection

Permissions can be analyzed to determine the application permissions of an out-of-the-box application, provided you have defined an identity store for Data Access Security to use in its analysis, and you have run a crawl for the application.

To configure the permission collector:

1. Go to Admin > Applications.
2. Scroll through the list or use the filter to find the application.
3. Select the Edit icon on the application row.

4. Select Next until you reach the Crawler & Permissions Collection settings page.

   Note

   The entry fields vary by application type.

You have the option to enter Active Directory Group Regex.

Active Directory Group Regex

If matching an Active Directory group to an AWS IAM role is done by the Active Directory group naming convention, enter a regex. This will enable extracting the AWS account ID and name role from the group.

The regex must include these exact named groups in this exact format:

• <rolename>
• <accountid>

Scheduling a Task

To create a schedule:

1. Select Create a Schedule.
2. The system will provide a Schedule Task Name in the format {appName} - {type} Scheduler. Choose to keep or override this suggestion.

3. Select a scheduling frequency from the dropdown list.

   Schedule Frequency Options

   • Run After - Create dependency of tasks. The task starts running only upon successful completion of the first task.
   • Hourly - Set the start time.
   • Daily - Set the start date and time.
   • Weekly - Set the day(s) of the week on which to run.
   • Monthly - Set the day of the month on which to run a task.
   • Quarterly - Set a monthly schedule with an interval of 3 months.
   • Half Yearly - Set a monthly schedule with an interval of 6 months.
   • Yearly - Set a monthly schedule with an interval of 12 months.

4. Fill the Date and Time field with scheduling times. These fields differ depending upon the scheduling frequency selected.

5. Select the Active checkbox to activate the schedule.
6. Select Next.

Configuring and Scheduling the Crawler

To set or edit the Crawler configuration and scheduling:

1. Go to Admin > Applications.
2. Scroll through the list or use the filter to find the application.
3. Select the Edit icon on the application row.

4. Select Next until you reach the Crawler & Permissions Collection settings page.

   Note

   The entry fields vary by application type.

5. In the Calculate Resource Size field, determine when, or at what frequency, Data Access Security calculates the resources' size:

   • Never
   • Always
   • Second crawl and on (default)

6. Schedule a task.

7. Set the Crawl Scope by:
   • Setting an explicit list of resources to include or exclude from the scan.
   • Creating a regex to define resources to exclude.

Including and Excluding Paths by List

To set the paths to include or exclude in the crawl process for an application:

1. Go to Admin > Applications.
2. Scroll through the list or use the filter to find the application.
3. Select the Edit icon on the application row.

4. Select Next until you reach the Crawler & Permissions Collection settings page.

   Note

   The entry fields vary by application type.

5. Scroll down to the Crawl configuration settings.

6. Select Advanced Crawl Scope Configuration to open the scope configuration panel.
7. Select Include / Exclude Resources to open the input fields.
8. To add a resource to a list, enter the full path to include or exclude in the top field and select + to add it to the list.
9. To remove a resource from a list, find the resource from the list, and select the x icon on the resource row.

Note

When creating exclusion lists, excludes take precedence over includes.

Excluding Paths by Regex

To set filters of paths to exclude in the crawl process for an application using regex:

1. Go to Admin > Applications.
2. Scroll through the list or use the filter to find the application.
3. Select the Edit icon on the application row.

4. Select Next until you reach the Crawler & Permissions Collection settings page.

   Note

   The entry fields vary by application type.

5. Select Exclude Paths by Regex to open the configuration panel.

6. Enter the paths to exclude by regex. Since the system does not collect Business Resources that match this regex, it also does not analyze them for permissions.

Crawler Regex Exclusion Examples

The following are examples of crawler Regex exclusions:

Exclude all bucket folders which start with one or more folder names:

Example: All Starting with folderName under path

Regex: ^Root\/[account_name]\(#[AccountID]\)\/s3.[region].[bucket_name]\/folder_name

Real Example:

Path: Root/my-account(#1234567890)/s3.ap-south-1.bucket1/myFolder

Regex: ^Root\/my-account\(#1234567890\)\/s3.ap-south-1.bucket1\/myFolder

Example: All starting with folderName of otherFolderName under path

Regex: ^Root\/[account_name]\(#[AccountID]\)\/s3.[region].[bucket_name]\/(folderName|otherFolderName)

Include ONLY bucket folders that start with one or more folder names

Example: Starting with folderName under path

Regex: ^(?!Root($|\/[account_name]\(#[AccountID]\)($|\/s3.[region].[bucket_name]($|\/folder_name($|/.*))))).*

Real Example:

Path: Root/DAS_Test(#1234567890)/s3.us-west-1.service/logs/logs_01

Path: Root/DAS_Test(#1234567890)/s3.us-west-1.service/logs/logs_02

Path: Root/DAS_Test(#1234567890)/s3.us-west-1.service/logs/logs_03

Regex: ^(?!Root\/DAS_Test($|\(#1234567890\)($|\/s3.us-west-1.service($|\/logs($|/.*))))).*

Example: Starting with folderName of otherFolderName under path

Regex: ^(?!Root($|\/[account_name]\(#[AccountID]\)($|\/s3.[region].[bucket_name]($|\/folder_Name|other_Folder_Name)($|/.*))))).*

Excluding Top-Level Resources

Use the top-level exclusion screen to select top-level roots to exclude from the crawl. This setting is done per application.

To exclude top level resources from the crawl process:

1. Go to Admin > Applications.
2. Find the application to configure and select the dropdown list on the application line. Select Exclude Top Level Resources to open the configuration panel.

3. Run the task.

   The Run Task button triggers a task that runs a short detection scan to detect the current top level resources.

Before running the task for the first time, the message above this button reads, "Note: Run task to detect the top-level resources"

If the top level resource list has changed in the application while you are on this screen, press this button to retrieve the updated structure.

Once triggered, you can see the task status in Settings > Task Management > Tasks. This will only work if the user has access to the task page.

When the task has completed, select Refresh to update the page with the list of top level resources.

1. Select the top level resource list and choose the top level resources to exclude.
2. Select Save to save the change.
3. To refresh the list of top level resources, run the task again. Running the task will not clear the list of top level resources to exclude.

Comments