[CASB] CDS UI updates + AWS CDE (#18162)

Co-authored-by: Jun Lee <[email protected]>
Co-authored-by: Claire Waters <[email protected]>

public/_redirects

@@ -1790,6 +1790,7 @@
 /cloudflare-one/connections/connect-apps/install-and-setup/deployment-guides/* /cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/:splat 301
 /cloudflare-one/connections/connect-networks/deployment-guides/* /cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/:splat 301
 /cloudflare-one/analytics/logs/* /cloudflare-one/insights/logs/:splat 301
+/cloudflare-one/applications/scan-apps/* /cloudflare-one/applications/casb/:splat 301
 /cloudflare-one/connections/connect-apps/use_cases/* /cloudflare-one/connections/connect-networks/use-cases/:splat 301
 /cloudflare-one/connections/connect-apps/* /cloudflare-one/connections/connect-networks/:splat 301
 /cloudflare-one/connections/connect-devices/warp/exclude-traffic/* /cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/:splat 301

src/content/changelogs/casb.yaml

@@ -1,7 +1,7 @@
 ---
 link: "/cloudflare-one/changelog/casb/"
 productName: CASB
-productLink: "/cloudflare-one/applications/scan-apps/"
+productLink: "/cloudflare-one/applications/casb/"
 productArea: Cloudflare One
 productAreaLink: /cloudflare-one/changelog/
 entries:
@@ -12,7 +12,7 @@ entries:
   - publish_date: "2024-05-23"
     title: Data-at-rest DLP for Box and Dropbox
     description: |-
-      You can now scan your [Box](/cloudflare-one/applications/scan-apps/casb-integrations/box/#data-loss-prevention-optional) and [Dropbox](/cloudflare-one/applications/scan-apps/casb-integrations/dropbox/#data-loss-prevention-optional) files for DLP matches.
+      You can now scan your [Box](/cloudflare-one/applications/casb/casb-integrations/box/#data-loss-prevention-optional) and [Dropbox](/cloudflare-one/applications/casb/casb-integrations/dropbox/#data-loss-prevention-optional) files for DLP matches.
   - publish_date: "2024-04-16"
     title: Export CASB findings to CSV
     description: |-

src/content/changelogs/dlp.yaml

@@ -20,7 +20,7 @@ entries:
   - publish_date: "2024-05-23"
     title: Data-at-rest DLP for Box and Dropbox
     description: |-
-      You can now scan your [Box](/cloudflare-one/applications/scan-apps/casb-integrations/box/#data-loss-prevention-optional) and [Dropbox](/cloudflare-one/applications/scan-apps/casb-integrations/dropbox/#data-loss-prevention-optional) files for DLP matches.
+      You can now scan your [Box](/cloudflare-one/applications/casb/casb-integrations/box/#data-loss-prevention-optional) and [Dropbox](/cloudflare-one/applications/casb/casb-integrations/dropbox/#data-loss-prevention-optional) files for DLP matches.
   - publish_date: "2024-04-16"
     title: Optical character recognition
     description: |-

src/content/docs/cloudflare-one/applications/scan-apps/casb-dlp.mdx → src/content/docs/cloudflare-one/applications/casb/casb-dlp.mdx

@@ -3,21 +3,15 @@ pcx_content_type: concept
 title: Scan for sensitive data
 sidebar:
   order: 3
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 :::note
-
-
 Requires Cloudflare CASB and Cloudflare DLP.
-
-
 :::
 
-You can use [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) to discover if files stored in your SaaS application contain sensitive data.
-To perform DLP scans in a SaaS app, first configure a DLP profile with the data patterns you want to detect, then enable those profiles in a CASB integration.
+You can use [Cloudflare Data Loss Prevention (DLP)](/cloudflare-one/policies/data-loss-prevention/) to discover if files stored in a SaaS application contains sensitive data. To perform DLP scans in a SaaS app, first configure a [DLP profile](#configure-a-dlp-profile) with the data patterns you want to detect, then [add the profile](#enable-dlp-scans-in-casb) to a CASB integration.
 
 ## Supported integrations
 
@@ -61,17 +55,17 @@ CASB will scan every publicly accessible file in the integration for text that m
 
 If you enable a DLP profile from the **Manage integrations** page, CASB will only scan publicly accessible files that have had a modification event since enabling the DLP profile. Modification events include changes to the following attributes:
 
-* Contents of the file
-* Name of the file
-* Visibility of the file (only if changed to publicly accessible)
-* Owner of the file
-* Location of the file (for example, moved to a different folder)
+- Contents of the file
+- Name of the file
+- Visibility of the file (only if changed to publicly accessible)
+- Owner of the file
+- Location of the file (for example, moved to a different folder)
 
 In order to scan historical data, you must enable the DLP profile during the [integration setup flow](#add-a-new-integration).
 
 ## Limitations
 
-DLP will only scan:
+DLP in CASB will only scan:
 
-* [Text-based files](/cloudflare-one/policies/data-loss-prevention/#supported-file-types) such as documents, spreadsheets, and PDFs. Images are not supported.
-* Files ≤ 100 MB.
+- [Text-based files](/cloudflare-one/policies/data-loss-prevention/#supported-file-types) such as documents, spreadsheets, and PDFs. Images are not supported.
+- Files less than or equal 100 MB in size.

src/content/docs/cloudflare-one/applications/scan-apps/casb-integrations/aws-s3.mdx → src/content/docs/cloudflare-one/applications/casb/casb-integrations/aws-s3.mdx

@@ -11,10 +11,6 @@ import { Render } from "~/components";
 	params={{ one: "Amazon Web Services (AWS) S3", two: "AWS account" }}
 />
 
-:::note
-The CASB integration for AWS S3 only supports posture-related findings.
-:::
-
 ## Integration prerequisites
 
 - An AWS account using AWS S3 (Simple Storage Service)
@@ -30,6 +26,41 @@ For the AWS S3 integration to function, Cloudflare CASB requires the following a
 
 These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission scope, refer to the [AWS S3 Permissions documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-policy-actions.html).
 
+## Compute account
+
+You can connect an AWS compute account to your CASB integration to perform [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/) scans within your S3 bucket and avoid data egress. CASB will scan any objects that exist in the bucket at the time of configuration.
+
+### Add a compute account
+
+To connect a compute account to your AWS integration:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Integrations**.
+2. Find and select your AWS integration.
+3. Select **Open connection instructions**.
+4. Follow the instructions provided to connect a new compute account.
+5. Select **Refresh**.
+
+You can only connect one computer account to an integration. To remove a compute account, select **Manage compute accounts**.
+
+### Configure compute account scanning
+
+Once your AWS compute account has successfully connected to your CASB integration, you can configure where and how to scan for sensitive data:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Integrations**.
+2. Find and select your AWS integration.
+3. Select **Create new configuration**.
+4. In **Resources**, choose the buckets you want to scan. Select **Continue**.
+5. Choose the file types, sampling percentage, and [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/) to scan for.
+6. (Optional) Configure additional settings, such as the limit of API calls over time for CASB to adhere to.
+7. Select **Continue**.
+8. Review the details of the scan, then select **Start scan**.
+
+CASB will take up to an hour to begin scanning. To view the scan results, go to **CASB** > **Content** > **Cloud**.
+
+To manage your resources, go to **CASB** > **Integrations**, then find and select your AWS integration. From here, you can pause all or individual scans, add or remove resources, and change scan settings.
+
+For more information, refer to [Content findings](/cloudflare-one/applications/casb/manage-findings/#content-findings).
+
 ## Security findings
 
 <Render

src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx

@@ -0,0 +1,29 @@
+---
+pcx_content_type: navigation
+title: Available integrations
+sidebar:
+  order: 3
+---
+
+You can integrate the following SaaS applications and cloud environments with Cloudflare CASB:
+
+- [Amazon Web Services (AWS) S3](/cloudflare-one/applications/casb/casb-integrations/aws-s3/)
+- [Atlassian Confluence](/cloudflare-one/applications/casb/casb-integrations/atlassian-confluence/)
+- [Atlassian Jira](/cloudflare-one/applications/casb/casb-integrations/atlassian-jira/)
+- [Bitbucket Cloud](/cloudflare-one/applications/casb/casb-integrations/bitbucket-cloud/)
+- [Box](/cloudflare-one/applications/casb/casb-integrations/box/)
+- [Dropbox](/cloudflare-one/applications/casb/casb-integrations/dropbox/)
+- [GitHub](/cloudflare-one/applications/casb/casb-integrations/github/)
+- [Google Workspace](/cloudflare-one/applications/casb/casb-integrations/google-workspace/)
+  - [Google Drive](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-drive/)
+  - [Gmail](/cloudflare-one/applications/casb/casb-integrations/google-workspace/gmail/)
+  - [Google Admin](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-admin/)
+  - [Google Calendar](/cloudflare-one/applications/casb/casb-integrations/google-workspace/google-calendar/)
+- [Microsoft 365](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/)
+  - [Admin Center](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/admin-center/)
+  - [OneDrive](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/onedrive/)
+  - [SharePoint](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/sharepoint/)
+  - [Outlook](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/outlook/)
+- [Salesforce](/cloudflare-one/applications/casb/casb-integrations/salesforce/)
+- [ServiceNow](/cloudflare-one/applications/casb/casb-integrations/servicenow/)
+- [Slack](/cloudflare-one/applications/casb/casb-integrations/slack/)

src/content/docs/cloudflare-one/applications/casb/index.mdx

@@ -0,0 +1,20 @@
+---
+pcx_content_type: how-to
+title: Cloud Access Security Broker
+sidebar:
+  order: 3
+---
+
+import { GlossaryTooltip, Render } from "~/components";
+
+:::note[Availability]
+Available for all Zero Trust users.
+
+Free users can configure up to two CASB integrations. You must upgrade to an Enterprise plan to view the details of a finding instance.
+:::
+
+Cloudflare's API-driven Cloud Access Security Broker (CASB) integrates with SaaS applications and cloud environments to scan for misconfigurations, unauthorized user activity, <GlossaryTooltip term="shadow IT" link="https://www.cloudflare.com/learning/access-management/what-is-shadow-it/">shadow IT</GlossaryTooltip>, and other data security issues that can occur after a user has successfully logged in.
+
+## Manage CASB integrations
+
+<Render file="casb/manage-integrations" />

src/content/docs/cloudflare-one/applications/casb/manage-findings.mdx

@@ -0,0 +1,145 @@
+---
+pcx_content_type: how-to
+title: Manage findings
+sidebar:
+  order: 1
+head:
+  - tag: title
+    content: Manage security findings
+---
+
+import { TabItem, Tabs, Details } from "~/components";
+
+Findings are security issues detected within SaaS and cloud applications that involve users, data at rest, and other configuration settings. With Cloudflare CASB, you can review a comprehensive list of findings in Zero Trust and immediately start taking action on the issues found.
+
+## Prerequisites
+
+- You have [added](/cloudflare-one/applications/casb/#add-an-integration) a CASB integration.
+- Your scan has surfaced at least one security finding.
+
+## Posture findings
+
+Posture findings include misconfigurations, unauthorized user activity, and other data security issues.
+
+To view details about the posture findings that CASB found:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**.
+2. Choose **SaaS** or **Cloud**.
+3. To view details about a finding, select the finding's name
+
+CASB will display details about your posture finding, including the finding type, [severity level](#severity-levels), number of instances, associated integration, current status, and date detected. For more information on each instance of the finding, select **Manage**.
+
+To manage the finding's visibility, you can update the finding's [severity level](#severity-levels) or [hide the finding](#hide-findings) from view. Additionally, some findings provide a remediation guide to resolve the issue or support [creating a Gateway HTTP policy](#resolve-finding-with-a-gateway-policy) to block the traffic.
+
+### Severity levels
+
+Cloudflare CASB labels each finding with one of the following severity levels:
+
+| Severity level | Urgency                                                                      |
+| -------------- | ---------------------------------------------------------------------------- |
+| Critical       | Suggests the finding is something your team should act on today.             |
+| High           | Suggests the finding is something your team should act on this week.         |
+| Medium         | Suggests the finding should be reviewed sometime this month.                 |
+| Low            | Suggests the finding is informational or part of a scheduled review process. |
+
+#### Change the severity level
+
+You can change the severity level for a finding at any time in case the default assignment does not suit your environment:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**.
+2. Locate the finding you want to modify and select **Manage**.
+3. In the severity level drop-down menu, choose your desired setting (_Critical_, _High_, _Medium_, or _Low_).
+
+The new severity level will only apply to the posture finding within this specific integration. If you added multiple integrations of the same application, the other integrations will not be impacted by this change.
+
+## Content findings
+
+Content findings include instances of potential data exposure as identified by [DLP](/cloudflare-one/policies/data-loss-prevention/).
+
+To view details about the content findings that CASB found:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Content**.
+2. Choose **SaaS** or **Cloud**.
+3. To view details about a finding, select the finding's name.
+
+CASB will display details about your content finding, including the file name, a link to the file, matching DLP profiles, associated integration, and date detected.
+
+AWS users can configure a [compute account](/cloudflare-one/applications/casb/casb-integrations/aws-s3/#compute-account) to scan for data security resources within their S3 resources.
+
+## View shared files
+
+File findings for some integrations (such as [Microsoft 365](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/#file-sharing) and [Box](/cloudflare-one/applications/casb/casb-integrations/box/#file-sharing)) may link to an inaccessible file. To access the actual shared file:
+
+<Tabs> <TabItem label="Posture finding">
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**.
+2. Choose **SaaS** or **Cloud**.
+3. Locate the individual finding, then select **Manage**.
+4. In **Active Instances**, select the file name.
+5. In **Shared Links**, select the linked file instance.
+
+</TabItem>
+
+<TabItem label="Content finding">
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Content**.
+2. Choose **SaaS** or **Cloud**.
+3. Select the file name of the detected asset.
+4. In **Sharing details**, select the linked file instance.
+
+</TabItem> </Tabs>
+
+## Hide findings
+
+After reviewing your findings, you may decide that certain posture findings are not applicable to your organization. Cloudflare CASB allows you to remove findings or individual instances of findings from your list of active issues. CASB will continue to scan for these issues, but any detections will appear in a separate tab.
+
+### Hide a finding
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**.
+2. Locate the active finding you want to hide.
+3. In the three-dot menu, select **Move to ignore**.
+
+The finding's status will change from **Active** to **Ignored**. CASB will continue to scan for these findings and report detections. You can change ignored findings back to **Active** with the same process at any time.
+
+### Hide an instance of a finding
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture**.
+2. Choose the active finding you want to hide, then select **Manage**.
+3. In **Active**, find the instance you want to hide.
+4. In the three-dot menu, select **Move to hidden**.
+
+The instance will be moved from **Active** to **Hidden** within the finding. If the finding occurs again for the same user, CASB will report the new instance in the **Hidden** tab. You can move hidden instances back to the **Active** tab at any time.
+
+## Resolve finding with a Gateway policy
+
+Using the security findings from CASB allows for fine-grained Gateway policies which prevent future unwanted behavior while still allowing usage that aligns to your organization's security policy. This means going from viewing a CASB finding, like the use of an unapproved application, to preventing or controlling access in minutes.
+
+CASB supports creating a Gateway policy with findings from the [Google Workspace integration](/cloudflare-one/applications/casb/casb-integrations/google-workspace/):
+
+<Details header="Supported CASB findings for Gateway policies">
+
+- Google Workspace: File publicly accessible with edit access
+- Google Workspace: File publicly accessible with view access
+- Google Workspace: File shared outside company with edit access
+- Google Workspace: File shared outside company with view access
+
+</Details>
+
+:::note[Before you begin]
+Ensure that you have [enabled HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/) for your organization.
+:::
+
+To create a Gateway policy directly from a CASB finding:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com), go to **CASB** > **Posture** or **CASB** > **Content**.
+2. Choose **SaaS** or **Cloud**.
+3. Choose the finding you want to modify, then select **Manage**.
+4. Find the instance you want to block and select its three-dot menu.
+5. Select **Block with Gateway HTTP policy**. A new browser tab will open with a pre-filled HTTP policy.
+   :::note
+   Not all CASB findings will have the **Block with Gateway HTTP policy** option. Unsupported findings can only be resolved from your application dashboard or through your domain provider.
+   :::
+6. (Optional) [Configure the HTTP policy](/cloudflare-one/policies/gateway/http-policies/). For example, if the policy blocks an unsanctioned third-party app, you can apply the policy to some or all users, or only block uploads or downloads.
+7. Select **Save**.
+
+Your HTTP policy will now prevent future instances of the security finding.

src/content/docs/cloudflare-one/applications/casb/troubleshooting.mdx

@@ -0,0 +1,38 @@
+---
+pcx_content_type: troubleshooting
+title: Troubleshoot integrations
+sidebar:
+  order: 3
+---
+
+import { TabItem, Tabs } from "~/components";
+
+Cloudflare CASB detects when integrations are unhealthy or outdated.
+
+Common integration issues include changes to SaaS app or cloud environment configurations, user access, or permission scope. Integrations may need to be updated to support new features or permissions.
+
+## Identify unhealthy or outdated integrations
+
+To identify unhealthy CASB integrations, go to **CASB** > **Integrations**. If an integration is unhealthy, CASB will set its status to **Broken**. If an integration is outdated, CASB will set its status to **Upgrade**.
+
+## Repair an unhealthy integration
+
+:::note[Repair limitation]
+If CASB does not support self-service repairs for an integration, you will need to [delete](/cloudflare-one/applications/casb/#delete-an-integration) and recreate the integration to continue scanning.
+:::
+
+You can repair unhealthy CASB integrations through your list of integrations or findings.
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Integrations**.
+2. Choose your unhealthy integration.
+3. Select **Reauthorize**.
+4. In your SaaS app or cloud environment, reauthorize your account.
+
+## Upgrade an integration
+
+Upgrading an outdated integration will allow the integration to access new features and permissions.
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **CASB** > **Integrations**.
+2. Choose your outdated integration.
+3. Select **Upgrade integration**.
+4. In your SaaS app or cloud environment, upgrade your app and reauthorize your account.