What is a one sentence summary of your feature request?
Enable secure, modern, region-flexible support for AWS S3 as a File Shadows Repository by allowing selection of any AWS region under Indirect Artifact Retrieval and by implementing improved access mechanisms that replace static IAM user keys for both agent uploads and administrator retrieval.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
The current implementation of the S3 Bucket option for the File Shadows Repository in Endpoint Protector (EPP) provides the performance and scalability benefits of storing file shadows outside the database. However, two significant limitations prevent organizations, especially those with stringent security, compliance, or multi-regional infrastructure requirements, from fully adopting this capability:
- AWS Region Limitation for Indirect Artifact Retrieval

  Under Indirect Artifact Retrieval (the recommended and most secure method for retrieving file shadows through the EPP Server), administrators cannot freely select from the full list of AWS regions (see the AWS documentation page "AWS Regions and Availability Zones"). This is problematic for global organizations that need to store data in specific regions for:
  - Compliance requirements (e.g., GDPR, APAC, LATAM residency rules)
  - Latency optimization
  - Internal cloud governance policies
- Security Limitations of Using Static IAM User Credentials

  At present, EPP requires IAM User access keys for bucket access and uses the same credentials for both agent uploads and Admin/Analyst downloads. This creates multiple issues:
  - Static IAM credentials are no longer considered secure and violate many Zero Trust and least-privilege standards.
  - Using one set of credentials for both upload and download expands the attack surface.
  - IAM Users with long-lived access keys are discouraged by AWS best practices, which instead recommend:
    - IAM roles
    - Temporary credentials
    - Fine-grained access control policies
    - Bucket-level access boundaries
    - AWS STS (Security Token Service) for short-lived tokens
    - Presigned URLs for restricted, time-bound download access
Modern enterprises, especially those undergoing cloud security hardening, cannot onboard solutions that require static IAM access keys for ongoing operations.
How do you currently solve the challenges you have by not having this feature?
Because these capabilities are not available today, EPP administrators face substantial operational and compliance challenges, and several workarounds are required:
- Relying on the very limited set of AWS regions supported by the current EPP implementation, sometimes forcing file shadows to be stored outside the required jurisdiction.
- Creating IAM Users with long-lived access keys, even though this contradicts internal security requirements and external auditors’ recommendations.
- Attempting to rotate IAM keys manually, which is error-prone.
- Restricting or disabling File Shadowing entirely for certain departments or regions because storing shadows in the database impacts performance.
- Avoiding the S3 repository option despite its performance benefits due to its insufficient security posture.
These are not sustainable long-term solutions and prevent customers from adopting the full capabilities of Endpoint Protector.