Govern multi-cloud sources with Azure Purview

Published Oct 27 2021 09:00 AM 2,802 Views
Microsoft

Do you store your organizational data in multiple clouds? Azure Purview offers a unified solution to discover and govern your organizational data residing across different clouds. You can now explore your data and discover sensitive data across your data estate, including both Azure storage services and Amazon S3 buckets, in one centralized place.

 

Main benefits:

  • Govern your data centrally—the Azure Purview Data Catalog and Data Insights reports display the scanning results of both Azure storage services and Amazon S3.
  • Consistent classification across clouds—Discovery of sensitive data across clouds is based on the same M365 sensitive information types. Your sensitive data stored in either Azure or AWS services will be classified in the exact same way.
  • Simple and easy configuration—Scanning data in a remote cloud is a fully managed service. The configuration is very easy, and you don’t need to deploy and maintain any agent or perform complex configurations in your AWS environment.

 

The Azure Purview roadmap includes additions for even more non-Azure storage services and aims to strengthen Azure Purview’s multi-cloud capabilities, empowering data administrators to maximize the value of their data with a single view across clouds.

 

Scanning data in a remote cloud

Azure Purview uses unique technology to classify data in AWS, including an easy setup and configuration process while complying with the highest Microsoft standards for data privacy:

  • The Azure Purview scanner is deployed in a Microsoft account in AWS.
  • Scans are initiated by a simple configuration in Azure Purview. Likewise, Azure storage scans are initiated and do not require manual service deployments or maintenance.
  • Service access to the organization’s S3 buckets is granted by a dedicated role in AWS.

OdedBergman_0-1635233901238.png

 

 

The Purview scanning setup ensures full data privacy by classifying Amazon S3 data locally in AWS. The classification service uses full data isolation and does not store any data in the Microsoft account in AWS. Only the classification results and metadata are sent to the Azure Purview data map, where it is displayed for administrators together with the classification results from Azure services.

 

Now, let’s get started:

  1. Configure Amazon S3 in Azure Purview

In a process similar to how to add Azure data sources in Purview, you first need to register the Amazon S3 bucket as a Purview data source, and then initiate your scan.

Registration

You can either register one Amazon S3 bucket for scanning a single bucket or register an AWS account for scanning all or selected S3 buckets in the account.

 

OdedBergman_1-1635233901243.png

 


Scanning

When setting up the scan of an Amazon S3 bucket or an AWS account, you need to provide the Purview scanner credentials to access the organization’s S3 buckets. To grant this access, you first need to create a role in AWS Identity and Access Management. This role requires read-only access to the S3 buckets you wish to scan. If the buckets are KMS-encrypted, a decrypt permission is needed as well.

To keep your buckets secure and ensure this new role can only be used for your Purview scanning, use these configurations when creating the role:  

  • Microsoft account ID­ - to allow accessing the buckets from a Microsoft-account only
  • External ID - a unique identifier for your Purview account used for accessing the bucket for an additional layer of security

You get both the Microsoft account ID and the external ID values when you create a Purview credential object. You’ll need to copy-paste them into the AWS Identity and Access Management role creation screens:

 

OdedBergman_2-1635233901245.png

 

 

Once the role is created in AWS, copy the role ARN value from AWS and paste it in the Purview credential object in the Purview portal. Then use the credential object to initiate a scan on your Amazon S3 bucket or AWS account.

  1. Let your data consumers discover your Amazon S3 data, along with Azure data, in the Azure Purview Data Catalog

OdedBergman_3-1635233901246.png

 

 

 

OdedBergman_4-1635233901248.png

 

 

  1. Get granular insights into sensitive data across multi-cloud sources

In the Azure Purview Data Insights reports, see a unified view of all scanned data, including Amazon S3.

 

OdedBergman_5-1635233901249.png

 

 

Get started today!

  • Quickly and easily create an Azure Preview account to try the generally available features.
  • Read documentation on how to use the Amazon S3 multi-cloud scanning connector for Azure Purview.

  

%3CLINGO-SUB%20id%3D%22lingo-sub-2884914%22%20slang%3D%22en-US%22%3EGovern%20multi-cloud%20sources%20with%20Azure%20Purview%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2884914%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20you%20store%20your%20organizational%20data%20in%20multiple%20clouds%3F%20Azure%20Purview%20offers%20a%20unified%20solution%20to%20discover%20and%20govern%20your%20organizational%20data%20residing%20across%20different%20clouds.%20You%20can%20now%20explore%20your%20data%20and%20discover%20sensitive%20data%20across%20your%20data%20estate%2C%20including%20both%20Azure%20storage%20services%20and%20Amazon%20S3%20buckets%2C%20in%20one%20centralized%20place.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMain%20benefits%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EGovern%20your%20data%20centrally%3C%2FSTRONG%3E%E2%80%94the%20Azure%20Purview%20Data%20Catalog%20and%20Data%20Insights%20reports%20display%20the%20scanning%20results%20of%20both%20Azure%20storage%20services%20and%20Amazon%20S3.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EConsistent%20classification%20across%20clouds%3C%2FSTRONG%3E%E2%80%94Discovery%20of%20sensitive%20data%20across%20clouds%20is%20based%20on%20the%20same%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmicrosoft-365%2Fcompliance%2Fsensitive-information-type-learn-about%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EM365%20sensitive%20information%20types%3C%2FA%3E.%20Your%20sensitive%20data%20stored%20in%20either%20Azure%20or%20AWS%20services%20will%20be%20classified%20in%20the%20exact%20same%20way.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ESimple%20and%20easy%20configuration%3C%2FSTRONG%3E%E2%80%94Scanning%20data%20in%20a%20remote%20cloud%20is%20a%20fully%20managed%20service.%20The%20configuration%20is%20very%20easy%2C%20and%20you%20don%E2%80%99t%20need%20to%20deploy%20and%20maintain%20any%20agent%20or%20perform%20complex%20configurations%20in%20your%20AWS%20environment.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Azure%20Purview%20roadmap%20includes%20additions%20for%20even%20more%20non-Azure%20storage%20services%20and%20aims%20to%20strengthen%20Azure%20Purview%E2%80%99s%20multi-cloud%20capabilities%2C%20empowering%20data%20administrators%20to%20maximize%20the%20value%20of%20their%20data%20with%20a%20single%20view%20across%20clouds.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EScanning%20data%20in%20a%20remote%20cloud%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EAzure%20Purview%20uses%20unique%20technology%20to%20classify%20data%20in%20AWS%2C%20including%20an%20easy%20setup%20and%20configuration%20process%20while%20complying%20with%20the%20highest%20Microsoft%20standards%20for%20data%20privacy%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThe%20Azure%20Purview%20scanner%20is%20deployed%20in%20a%20Microsoft%20account%20in%20AWS.%3C%2FLI%3E%0A%3CLI%3EScans%20are%20initiated%20by%20a%20simple%20configuration%20in%20Azure%20Purview.%20Likewise%2C%20Azure%20storage%20scans%20are%20initiated%20and%20do%20not%20require%20manual%20service%20deployments%20or%20maintenance.%3C%2FLI%3E%0A%3CLI%3EService%20access%20to%20the%20organization%E2%80%99s%20S3%20buckets%20is%20granted%20by%20a%20dedicated%20role%20in%20AWS.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22OdedBergman_0-1635233901238.png%22%20style%3D%22width%3A%20690px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F319930iBE0B11AA70D3D0C4%2Fimage-dimensions%2F690x246%3Fv%3Dv2%22%20width%3D%22690%22%20height%3D%22246%22%20role%3D%22button%22%20title%3D%22OdedBergman_0-1635233901238.png%22%20alt%3D%22OdedBergman_0-1635233901238.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Purview%20scanning%20setup%20ensures%20full%20data%20privacy%20by%20classifying%20Amazon%20S3%20data%20locally%20in%20AWS.%20The%20classification%20service%20uses%20full%20data%20isolation%20and%20does%20not%20store%20any%20data%20in%20the%20Microsoft%20account%20in%20AWS.%20Only%20the%20classification%20results%20and%20metadata%20are%20sent%20to%20the%20Azure%20Purview%20data%20map%2C%20where%20it%20is%20displayed%20for%20administrators%20together%20with%20the%20classification%20results%20from%20Azure%20services.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%2C%20let%E2%80%99s%20get%20started%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSTRONG%3EConfigure%20Amazon%20S3%20in%20Azure%20Purview%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EIn%20a%20process%20similar%20to%20how%20to%20add%20Azure%20data%20sources%20in%20Purview%2C%20you%20first%20need%20to%20register%20the%20Amazon%20S3%20bucket%20as%20a%20Purview%20data%20source%2C%20and%20then%20initiate%20your%20scan.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ERegistration%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20either%20register%20one%20Amazon%20S3%20bucket%20for%20scanning%20a%20single%20bucket%20or%20register%20an%20AWS%20account%20for%20scanning%20all%20or%20selected%20S3%20buckets%20in%20the%20account.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22OdedBergman_1-1635233901243.png%22%20style%3D%22width%3A%20475px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F319931i8713F63DD075FADF%2Fimage-dimensions%2F475x404%3Fv%3Dv2%22%20width%3D%22475%22%20height%3D%22404%22%20role%3D%22button%22%20title%3D%22OdedBergman_1-1635233901243.png%22%20alt%3D%22OdedBergman_1-1635233901243.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3E%3CBR%20%2F%3E%3C%2FU%3E%3C%2FSTRONG%3E%3CSTRONG%3EScanning%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWhen%20setting%20up%20the%20scan%20of%20an%20Amazon%20S3%20bucket%20or%20an%20AWS%20account%2C%20you%20need%20to%20provide%20the%20Purview%20scanner%20credentials%20to%20access%20the%20organization%E2%80%99s%20S3%20buckets.%20To%20grant%20this%20access%2C%20you%20first%20need%20to%20create%20a%20role%20in%20AWS%20Identity%20and%20Access%20Management.%20This%20role%20requires%20read-only%20access%20to%20the%20S3%20buckets%20you%20wish%20to%20scan.%20If%20the%20buckets%20are%20KMS-encrypted%2C%20a%20decrypt%20permission%20is%20needed%20as%20well.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3CP%3ETo%20keep%20your%20buckets%20secure%20and%20ensure%20this%20new%20role%20can%20only%20be%20used%20for%20your%20Purview%20scanning%2C%20use%20these%20configurations%20when%20creating%20the%20role%3A%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EMicrosoft%20account%20ID%3C%2FSTRONG%3E%C2%AD%20-%20to%20allow%20accessing%20the%20buckets%20from%20a%20Microsoft-account%20only%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EExternal%20ID%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E-%26nbsp%3Ba%20unique%20identifier%20for%20your%20Purview%20account%20used%20for%20accessing%20the%20bucket%20for%20an%20additional%20layer%20of%20security%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EYou%20get%20both%20the%20Microsoft%20account%20ID%20and%20the%20external%20ID%20values%20when%20you%20create%20a%20Purview%26nbsp%3Bcredential%26nbsp%3Bobject.%20You%E2%80%99ll%20need%20to%20copy-paste%20them%20into%20the%20AWS%20Identity%20and%20Access%20Management%20role%20creation%20screens%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22OdedBergman_2-1635233901245.png%22%20style%3D%22width%3A%20479px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F319932iD608D938C3643CBA%2Fimage-dimensions%2F479x388%3Fv%3Dv2%22%20width%3D%22479%22%20height%3D%22388%22%20role%3D%22button%22%20title%3D%22OdedBergman_2-1635233901245.png%22%20alt%3D%22OdedBergman_2-1635233901245.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20the%20role%20is%20created%20in%20AWS%2C%20copy%20the%20role%20ARN%20value%20from%20AWS%20and%20paste%20it%20in%20the%20Purview%20credential%20object%20in%20the%20Purview%20portal.%20Then%20use%20the%20credential%20object%20to%20initiate%20a%20scan%20on%20your%20Amazon%20S3%20bucket%20or%20AWS%20account.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%0A%3COL%20start%3D%222%22%3E%0A%3CLI%3E%3CSTRONG%3ELet%20your%20data%20consumers%20discover%20your%20Amazon%20S3%20data%2C%20along%20with%20Azure%20data%2C%20in%20the%20Azure%20Purview%20Data%20Catalog%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22OdedBergman_3-1635233901246.png%22%20style%3D%22width%3A%20524px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F319935iEA7AEE6157E34E0E%2Fimage-dimensions%2F524x406%3Fv%3Dv2%22%20width%3D%22524%22%20height%3D%22406%22%20role%3D%22button%22%20title%3D%22OdedBergman_3-1635233901246.png%22%20alt%3D%22OdedBergman_3-1635233901246.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22OdedBergman_4-1635233901248.png%22%20style%3D%22width%3A%20527px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F319934iD4BDECF232A983C8%2Fimage-dimensions%2F527x307%3Fv%3Dv2%22%20width%3D%22527%22%20height%3D%22307%22%20role%3D%22button%22%20title%3D%22OdedBergman_4-1635233901248.png%22%20alt%3D%22OdedBergman_4-1635233901248.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%223%22%3E%0A%3CLI%3E%3CSTRONG%3EGet%20granular%20insights%20into%20sensitive%20data%20across%20multi-cloud%20sources%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EIn%20the%20Azure%20Purview%20Data%20Insights%20reports%2C%20see%20a%20unified%20view%20of%20all%20scanned%20data%2C%20including%20Amazon%20S3.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22OdedBergman_5-1635233901249.png%22%20style%3D%22width%3A%20572px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F319933iD18B1CC8EF1857AD%2Fimage-dimensions%2F572x312%3Fv%3Dv2%22%20width%3D%22572%22%20height%3D%22312%22%20role%3D%22button%22%20title%3D%22OdedBergman_5-1635233901249.png%22%20alt%3D%22OdedBergman_5-1635233901249.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EGet%20started%20today!%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EQuickly%20and%20easily%20create%20an%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fservices%2Fpurview%2F%23get-started%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Preview%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eaccount%20to%20try%20the%20generally%20available%20features.%3C%2FLI%3E%0A%3CLI%3ERead%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fpurview%2Fregister-scan-amazon-s3%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Edocumentation%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eon%20how%20to%20use%20the%20Amazon%20S3%20multi-cloud%20scanning%20connector%20for%20Azure%20Purview.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2884914%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EUnified%20solution%20allows%20for%20exploration%20of%20data%20and%20discovery%20of%20sensitive%20data%20in%20one%20centralized%20place%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2884914%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Purview%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Edata%20catalog%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EData%20Governance%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎Apr 21 2022 11:24 AM
Updated by: