
Manual (Console-based) Storage Access

Use these steps to manually grant or revoke Xshield access to specific Amazon S3 buckets by updating the IAM permissions on the AWS cross-account role used by the AWS Cloud Connector. Before you begin, complete the AWS manual onboarding and confirm the cross-account role (for example, ColorTokensCrossAccountAccessRole) exists in your AWS account.

Grant Storage Access

Use these steps when you want to restrict Xshield storage access to one (or a small set of) S3 buckets by explicitly setting the bucket ARN(s) in the IAM policy.

  1. Open the AWS Console and go to IAM → Roles.

  2. Open the cross-account role you created for Xshield (for example, ColorTokensCrossAccountAccessRole).

  3. Go to the Permissions tab.

  4. Open the policy that contains the S3 permissions (in the manual onboarding guide this is the statement that includes s3:ListBucket) and switch to the JSON editor.

    • If it is an inline policy: click the policy name → Edit.
    • If it is a customer managed policy: open the policy → Edit policy. (AWS managed policies cannot be edited; copy the statement into a customer managed or inline policy instead.)
  5. In the S3 statement, replace the wildcard resource ("Resource": "*") with the ARN of your bucket and the ARN of objects in that bucket.

    • Bucket ARN format:

      arn:aws:s3:::YOUR_BUCKET_NAME

    • Object ARN format:

      arn:aws:s3:::YOUR_BUCKET_NAME/*

  6. Update the S3 statement to use bucket-scoped resources. Keep s3:ListAllMyBuckets in a separate statement with "Resource": "*": it is an account-level action that does not accept a bucket ARN, so leaving it in the bucket-scoped statement would silently stop the connector from enumerating buckets. Example (replace YOUR_BUCKET_NAME; the Sid values are just unique labels):

    {
      "Sid": "ColorTokensListAllBuckets",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ColorTokensS3FullReadAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:GetBucketVersioning",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketNotification",
        "s3:GetBucketTagging",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME",
        "arn:aws:s3:::YOUR_BUCKET_NAME/*"
      ]
    }
  7. If you want to allow access to multiple buckets, add additional bucket and object ARNs to the Resource array (one pair per bucket).

  8. Save the policy.

  9. Validate the change:

    • In the Xshield portal, re-run Verify / Connect for the AWS Cloud Connector (if available).
    • In AWS, you can optionally use the IAM Policy Simulator for the role (or aws iam simulate-principal-policy from the CLI) to confirm that s3:ListBucket and s3:GetObject are allowed for the bucket(s) you listed and implicitly denied for a bucket you did not list.

Revoke Storage Access

Use these steps to remove previously granted bucket-scoped S3 access.

  1. Open the AWS Console and go to IAM → Roles.

  2. Open the Xshield cross-account role (for example, ColorTokensCrossAccountAccessRole).

  3. Go to the Permissions tab and open the policy that contains the S3 permissions.

  4. Remove the bucket ARN(s) from the S3 statement Resource list.

    • To revoke access for a single bucket, remove both:
      • arn:aws:s3:::YOUR_BUCKET_NAME
      • arn:aws:s3:::YOUR_BUCKET_NAME/*
    • To revoke all S3 storage access, remove the entire S3 statement (the one that includes s3:ListBucket / s3:GetObject), together with any separate statement that grants s3:ListAllMyBuckets. Do not simply empty the Resource list: IAM rejects a statement with no resources when you save, and reverting it to "Resource": "*" would re-grant access to every bucket in the account.
  5. Save the policy.

  6. Validate the change:

    • Optionally use IAM Policy Simulator to confirm s3:ListBucket / s3:GetObject are denied for the revoked bucket(s).
    • In the Xshield portal, re-run Verify / Connect (if available) and confirm expected behavior.
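The grant and revoke procedures above both come down to editing the Resource array of one statement, and the mistakes that matter (scoping s3:ListAllMyBuckets to a bucket ARN, leaving an empty Resource list, leaving a stray "*") are easy to make in the console editor. The following script is an added example, not ColorTokens or Xshield code: it builds the bucket-scoped policy for a list of buckets, removes a bucket the way the revoke steps describe (dropping the statement when the last bucket goes), runs a local sanity check of what the policy would allow, and prints the aws CLI commands that correspond to "Save the policy" and "Validate the change". The role name, the policy name XshieldStorageAccess, the bucket names and ACCOUNT_ID are placeholders you would replace.

```python
"""Added example (not ColorTokens/Xshield code): build the bucket-scoped
S3 policy from the grant steps, trim it per the revoke steps, and
sanity-check the result before pasting it into the console or applying
it with the aws CLI. Role name, policy name and bucket names are
assumed placeholders."""
import copy
import fnmatch
import json

# Bucket- and object-level actions from the page's example statement.
# s3:ListAllMyBuckets is deliberately not in this list: it is an
# account-level action that only works with "Resource": "*", so scoping
# it to bucket ARNs would silently stop the connector listing buckets.
SCOPED_ACTIONS = [
    "s3:GetBucketLocation", "s3:GetBucketAcl", "s3:GetBucketPolicy",
    "s3:GetBucketVersioning", "s3:GetBucketPublicAccessBlock",
    "s3:GetBucketNotification", "s3:GetBucketTagging",
    "s3:ListBucket", "s3:GetObject",
]
SCOPED_SID = "ColorTokensS3FullReadAccess"


def bucket_arns(bucket):
    """Bucket ARN plus object ARN: the pair the page adds/removes together."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def grant_policy(buckets):
    """Policy document that reads exactly the given buckets and nothing else."""
    if not buckets:
        raise ValueError("at least one bucket is required")
    resources = [arn for b in buckets for arn in bucket_arns(b)]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ColorTokensListAllBuckets", "Effect": "Allow",
             "Action": "s3:ListAllMyBuckets", "Resource": "*"},
            {"Sid": SCOPED_SID, "Effect": "Allow",
             "Action": SCOPED_ACTIONS, "Resource": resources},
        ],
    }


def revoke_bucket(policy, bucket):
    """Copy of policy with both ARNs for `bucket` removed. If that empties
    the Resource list, the whole statement is dropped, because IAM rejects
    a statement whose Resource array is empty."""
    policy = copy.deepcopy(policy)
    kept = []
    for stmt in policy["Statement"]:
        if stmt.get("Sid") != SCOPED_SID:
            kept.append(stmt)
            continue
        res = stmt["Resource"]
        res = [res] if isinstance(res, str) else res
        remaining = [r for r in res if r not in bucket_arns(bucket)]
        if remaining:
            stmt["Resource"] = remaining
            kept.append(stmt)
    policy["Statement"] = kept
    return policy


def is_allowed(policy, action, resource):
    """Local approximation of IAM evaluation for an Allow-only policy: True
    iff some statement names the action and a resource pattern matching the
    request (IAM '*' / '?' wildcards). Ignores Deny statements, conditions
    and other attached policies; the IAM Policy Simulator is authoritative."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if (any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def cli_commands(role, policy_name, policy_file, check_bucket):
    """aws CLI equivalents of 'Save the policy' and 'Validate the change'.
    ACCOUNT_ID is a placeholder for your AWS account number."""
    return [
        f"aws iam put-role-policy --role-name {role} "
        f"--policy-name {policy_name} --policy-document file://{policy_file}",
        f"aws iam simulate-principal-policy "
        f"--policy-source-arn arn:aws:iam::ACCOUNT_ID:role/{role} "
        f"--action-names s3:ListBucket s3:GetObject "
        f"--resource-arns arn:aws:s3:::{check_bucket} arn:aws:s3:::{check_bucket}/*",
    ]


if __name__ == "__main__":
    # Constructed bucket names; replace with your own.
    policy = grant_policy(["xshield-audit-logs", "xshield-flow-logs"])
    with open("xshield-s3-policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    for cmd in cli_commands("ColorTokensCrossAccountAccessRole",
                            "XshieldStorageAccess", "xshield-s3-policy.json",
                            "xshield-audit-logs"):
        print(cmd)
```

Run it, review xshield-s3-policy.json, then either paste the two statements into the console editor or run the printed put-role-policy command. The printed simulate-principal-policy command should report "allowed" for the listed bucket; rerun it with a bucket you did not list and expect "implicitDeny", which is the same check the console Policy Simulator performs.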