Enable the S3 File Browser
tip
For full instructions showing how to protect S3 buckets with Cyral, see Track an S3 storage location.
The Cyral S3 File Browser lets data users read from and write to S3 buckets. Data users launch the S3 File Browser from the Cyral Access Portal.
Overview
To make the S3 File Browser available, you must configure the following:
- Deploy your sidecar with a DNS CNAME and TLS certificate. These are required when using S3 Browser.
- Provide AWS permissions for the Cyral S3 Browser
- Track the S3 location as a repository in Cyral and bind the Cyral sidecar to it. Make sure you set the S3 browser port.
- Choose the Access Gateway for your S3 repository. See Enable the Cyral Access Portal for a repository.
Deploy sidecar for use with S3 Browser
note
For instructions on how to configure the parameters of a Cyral Template to work with the S3 Browser, check the Cyral Quickstart guide for the specific deployment option of your choice.
Prerequisites
In order to support the Cyral S3 Browser, the sidecar must meet the following requirements. Ideally you will configure these when you deploy the sidecar, but you can also add them later.
A custom DNS CNAME that you provide. This is the address your data users will use to connect to data locations protected by the sidecar. Cyral recommends configuring this at sidecar deployment time, but you can also configure it later. See Add a CNAME or A record for the sidecar for setup steps.
A valid TLS certificate covering the sidecar's custom DNS CNAME. The certificate must be present in AWS Certificate Manager (ACM). You can issue the certificate directly from ACM, or you can import a valid certificate into ACM. See the Cyral documentation about TLS with AWS Certificate Manager.
note
The DNS CNAME and TLS certificate are only required for sidecars that will support the Cyral S3 browser. To give users Cyral-protected access without the Cyral S3 Browser, have them connect via another S3 client such as a CLI tool.
Examples of how to configure CNAME and TLS at deployment time
The examples below assume the following:
- The TLS certificate was previously created. AWS documentation:
  - Issuing and managing certificates - AWS Certificate Manager
  - Requesting a public certificate - AWS Certificate Manager
- AWS Route 53 is configured and allows the user to create new DNS records (CNAME). AWS documentation:
See also the Cyral simplified documentation for Snowflake, whose CNAME and TLS steps apply to S3 as well: Integration Guide: Protecting Snowflake with Cyral + G Suite
Example of how to configure CNAME and TLS after sidecar deployment
CNAME
Add a CNAME or A record for the sidecar (Cyral Docs)
TLS
A certificate needs to be attached to the load balancer in order to support TLS connectivity for the S3 Browser. In Terraform and CloudFormation, this is done by passing the certificate ARN in the template parameter load_balancer_certificate_arn or LoadBalancerCertificateArn, respectively.
For Helm-deployed sidecars, you may need to modify the load balancer manually and enable TLS on the sidecar port used by the S3 Browser. For an AWS load balancer, follow the instructions to Update a listener for your Network Load Balancer: change the protocol of the listener that corresponds to the S3 Browser port to TLS and assign the appropriate certificate from ACM (AWS Certificate Manager) to it.
AWS permissions for the Cyral S3 Browser
The Cyral S3 Browser, by default, tries to list all buckets visible to a given IAM role. For this operation to succeed, the IAM role must have an IAM policy allowing it to list all buckets (see the permissions below).
For example, consider the two IAM roles below:
<account-id>:role/S3RoleWithAccessToFinances
<account-id>:role/S3CustomRole
Both should have the AWS permission to list all buckets. This allows the user to list the buckets in the S3 Browser, which is the entry point for browsing.
If the IAM role does not have the permission to list all buckets, users will receive an error message when opening the S3 Browser. In this case, users can still access a specific location by explicitly adding its bucket name to the S3 Browser URL. For example, to access the bucket finance-data-company, the user can open the following URL:
https://<management-console-endpoint>.cyral.com/app/s3Browser/finance-data-company
Permission to list all buckets
The AWS permissions needed to list all buckets are:
s3:ListAllMyBuckets
s3:GetBucketLocation
Note that s3:ListAllMyBuckets is not a bucket-scoped action: it must be granted with Resource "*". A policy that only names specific bucket ARNs will not satisfy it, even if it grants s3:ListBucket on those buckets.
For more information, see the AWS documentation on S3 bucket access.
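The following Python script is an added example, not part of the Cyral documentation or product: it evaluates an IAM policy document offline to predict whether the S3 Browser's bucket listing will work for a role, and which URL to hand a user when it will not. The three policy documents are constructed for the two role names above (they are not Cyral-provided policies), the evaluator covers only Effect, Action/NotAction and Resource with IAM wildcards (no Condition, NotResource, permission boundaries or SCPs), and the bucket-less root URL /app/s3Browser is an assumption; only the bucket-scoped form appears in the docs.

```python
"""Offline pre-check of an IAM policy document for the Cyral S3 Browser.

The browser's entry point is a bucket listing, which needs s3:ListAllMyBuckets
(plus s3:GetBucketLocation) granted on Resource "*". This evaluator handles
Effect, Action/NotAction and Resource with IAM-style wildcards, with explicit
Deny winning over Allow. It ignores Condition blocks, NotResource, permission
boundaries and SCPs, so treat it as a quick check, not the IAM policy simulator.
"""
import fnmatch

# Actions named in the docs for listing all buckets; IAM only honours the first on Resource "*".
S3_BROWSER_LIST_ACTIONS = ("s3:ListAllMyBuckets", "s3:GetBucketLocation")
S3_BROWSER_PATH = "/app/s3Browser"  # taken from the bucket-scoped URL in the docs


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action, NotAction and Resource."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_insensitive):
    """IAM wildcard match ('*' and '?'); action names are case-insensitive, ARNs are not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def policy_allows(policy, action, resource):
    """Evaluate one identity policy: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" in stmt:
            action_hit = any(_match(p, action, True) for p in _as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            action_hit = not any(_match(p, action, True) for p in _as_list(stmt["NotAction"]))
        else:
            continue  # malformed statement; IAM would reject it
        resource_hit = any(_match(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_list_permissions(policy):
    """Actions the S3 Browser's bucket listing needs that this policy does not grant on Resource '*'."""
    return [a for a in S3_BROWSER_LIST_ACTIONS if not policy_allows(policy, a, "*")]


def can_list_all_buckets(policy):
    return not missing_list_permissions(policy)


def s3_browser_url(console_host, policy, bucket=None):
    """URL to hand a user: the bucket-scoped form from the docs when a bucket is named,
    otherwise the bucket-less root form (an assumption) only if the listing will work."""
    base = f"https://{console_host}{S3_BROWSER_PATH}"
    if bucket is not None:
        return f"{base}/{bucket}"
    if not can_list_all_buckets(policy):
        missing = ", ".join(missing_list_permissions(policy))
        raise PermissionError(f"role lacks {missing}; open a bucket-scoped URL instead")
    return base


# Constructed example policies for the roles named above; they are not Cyral-provided policies.
POLICY_LIST_ALL = {  # S3RoleWithAccessToFinances: can list every bucket, then browse one
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::finance-data-company", "arn:aws:s3:::finance-data-company/*"]},
    ],
}
POLICY_SINGLE_BUCKET = {  # S3CustomRole: bucket-scoped only, so the listing fails
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
                  "Resource": ["arn:aws:s3:::finance-data-company", "arn:aws:s3:::finance-data-company/*"]},
}
POLICY_DENY_OVERRIDES = {  # broad Allow, but an explicit Deny still breaks the listing
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("list-all", POLICY_LIST_ALL), ("single-bucket", POLICY_SINGLE_BUCKET),
                      ("deny-overrides", POLICY_DENY_OVERRIDES)):
        print(f"{name}: missing={missing_list_permissions(pol) or 'none'}")
```

Run it before binding a role to the S3 Browser: the single-bucket policy shows the case the docs describe (listing fails, the bucket-scoped URL still works), and the Deny case shows why a broad s3:* grant is not proof that the listing will succeed. For anything involving Condition keys or organization-level policies, confirm the result with the IAM policy simulator.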
Next steps
- Track the S3 buckets that you want to protect.
- To add SSO for S3 users, see SSO for S3
- If you've finished your set-up, users can connect to S3 as shown here: