Script-based Storage Access

Grant Storage Access

Use these steps to grant storage access when you onboarded the AWS account using the script-based method.

  1. In the Xshield portal, open the AWS onboarding flow and download the latest deployment script (the same script used during onboarding).

  2. In your terminal, make sure your AWS CLI credentials are authenticated to the target AWS account.

    aws sts get-caller-identity --profile <AWS_PROFILE>

  3. Run the deployment script again, this time including the --storage-access flag to update the CloudFormation stack and enable S3 read access (used for flow log analysis).

    Optional flags (depending on your onboarding settings and use case):

    --read-write
    --no-deploy-xcloud

    If your downloaded script supports it, you can also target specific storage accounts by providing --storage-ids with a comma-separated list of IDs:

    --storage-ids <ID_1,ID_2,ID_3>

    Example:

    ./deploy-colortokens-aws-stack.sh \
    --aws-profile <AWS_PROFILE> \
    --target-account <TARGET_AWS_ACCOUNT_ID> \
    --colortokens-account <COLORTOKENS_AWS_ACCOUNT_ID> \
    --xcloud-account <XCLOUD_AWS_ACCOUNT_ID> \
    --region <AWS_REGION> \
    --storage-access

    Example with targeted storage IDs:

    ./deploy-colortokens-aws-stack.sh \
    --aws-profile <AWS_PROFILE> \
    --target-account <TARGET_AWS_ACCOUNT_ID> \
    --colortokens-account <COLORTOKENS_AWS_ACCOUNT_ID> \
    --xcloud-account <XCLOUD_AWS_ACCOUNT_ID> \
    --region <AWS_REGION> \
    --storage-access \
    --storage-ids <ID_1,ID_2>

  4. Wait for the stack update to complete.

  5. In the Xshield portal, re-run Verify / Connect (if available) and confirm storage-related functionality is enabled.

Revoke Storage Access

Use these steps to revoke storage access for an AWS account that was onboarded using the script-based method.

  1. In the Xshield portal, download the latest deployment script again. (This ensures you are using the current template and parameters.)

  2. Run the deployment script again without the --storage-access flag to update the CloudFormation stack and remove storage access permissions.

    ./deploy-colortokens-aws-stack.sh \
    --aws-profile <AWS_PROFILE> \
    --target-account <TARGET_AWS_ACCOUNT_ID> \
    --colortokens-account <COLORTOKENS_AWS_ACCOUNT_ID> \
    --xcloud-account <XCLOUD_AWS_ACCOUNT_ID> \
    --region <AWS_REGION>

  3. Wait for the stack update to complete.

  4. Validate the change:

    • In AWS, optionally use IAM Policy Simulator to confirm S3 read actions are denied (as expected).
    • In the Xshield portal, re-run Verify / Connect (if available).
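Step 4's IAM Policy Simulator check, scripted (an added example, not part of the ColorTokens deployment script): it probes the stack's role for S3 read actions and fails if any is still allowed after the revoke. The role ARN, the AWS profile and the exact set of actions that --storage-access grants are assumptions; the sample simulator responses are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the ColorTokens deployment script: after re-running
# the script without --storage-access, confirm with IAM Policy Simulator that the
# stack's role can no longer perform S3 read actions. The role ARN is a placeholder.
set -eu

# S3 read actions to probe (assumed to be the set that --storage-access grants).
S3_READ_ACTIONS="s3:GetObject s3:ListBucket s3:GetBucketLocation"

# Ask the simulator about one principal ($1 = role ARN, $2 = AWS profile); prints JSON.
# $S3_READ_ACTIONS is deliberately unquoted so each action becomes its own argument.
simulate_s3_read() {
  aws iam simulate-principal-policy --profile "$2" \
    --policy-source-arn "$1" --action-names $S3_READ_ACTIONS --output json
}

# Read simulator JSON on stdin; print every action whose EvalDecision is "allowed".
# Works without jq: flatten, split into one EvaluationResult object per line,
# then keep the lines with an allowed decision and pull out their action name.
allowed_actions() {
  tr -d '\n' | tr '{' '\n' \
    | grep '"EvalDecision": *"allowed"' \
    | sed -n 's/.*"EvalActionName": *"\([^"]*\)".*/\1/p' || true
}

# Return 0 when no probed read action is allowed; otherwise list offenders and return 1.
assert_s3_read_denied() {
  offenders=$(allowed_actions)
  if [ -n "$offenders" ]; then
    printf 'S3 read still allowed for: %s\n' "$offenders" >&2
    return 1
  fi
  return 0
}

# Constructed sample responses in the shape simulate-principal-policy returns.
SAMPLE_DENIED='{"EvaluationResults":[{"EvalActionName":"s3:GetObject","EvalResourceName":"*","EvalDecision":"implicitDeny","MatchedStatements":[],"MissingContextValues":[]},{"EvalActionName":"s3:ListBucket","EvalResourceName":"*","EvalDecision":"implicitDeny","MatchedStatements":[],"MissingContextValues":[]}]}'
SAMPLE_ALLOWED='{"EvaluationResults":[{"EvalActionName":"s3:GetObject","EvalResourceName":"*","EvalDecision":"allowed","MatchedStatements":[{"SourcePolicyId":"StorageAccessPolicy","SourcePolicyType":"IAM Policy"}],"MissingContextValues":[]},{"EvalActionName":"s3:ListBucket","EvalResourceName":"*","EvalDecision":"implicitDeny","MatchedStatements":[],"MissingContextValues":[]}]}'

# Live check against AWS: ./check-s3-revoked.sh --run <STACK_ROLE_ARN> <AWS_PROFILE>
if [ "${1:-}" = "--run" ]; then
  simulate_s3_read "${2:?role ARN required}" "${3:?AWS profile required}" | assert_s3_read_denied
fi
```

A non-zero exit from the live check means the stack update has not removed S3 read permissions from that role and the revoke step should be re-examined.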

If you need to revoke access for only a specific bucket (instead of disabling storage access entirely), use Interactive Storage Access or Manual (Console-based) Storage Access.