Integrating Dropbox with AWS SSO for governed file sharing in an AWS Control Tower environment
Customers who operate in multi-account AWS environments often ask me for ways to simplify access to critical business files and to share content with their employees. When they share content between business groups or with external business partners, they need visibility and controls with minimal operational overhead. Dropbox, available in AWS Marketplace, enables you to secure content with global sharing settings and control access through Groups and Team Folders.
In this blog post, I will show you how to simplify granting access to your data securely in multi-account environments. I will show you how to procure and deploy Dropbox from AWS Marketplace. I’ll also show how to integrate Dropbox access with your standard authentication method and how to use Dropbox’s global sharing settings and control access with Groups and Team Folders. Finally, I’ll show how to consolidate user access management by integrating Dropbox with AWS Single Sign On (AWS SSO), which is managed by AWS Control Tower. I’ll also show how to grant access based on the predefined business groups or account(s) created using AWS Control Tower.
The following diagram illustrates two workflows. Workflow A shows how an administrator subscribes to Dropbox Enterprise in AWS Marketplace and integrates Dropbox with AWS SSO. Workflow U shows how a business user authenticates and accesses Dropbox.
Workflow A: Administrator activities
A.1. Authenticate and log in to the management account using the organization’s SSO.
A.2. Access AWS Marketplace and subscribe to the Dropbox Enterprise product.
A.3. Integrate AWS SSO with the Dropbox product you just subscribed to.
A.4. Log in to Dropbox and configure groups, teams, access permissions, and generate usage reports.
Workflow U: Business user activities
U.1. Authenticate using your organization’s SSO.
U.2. Access the Dropbox account, add content, and share it with the allowed group of users.
Solution walkthrough: integrating Dropbox with AWS SSO for governed file sharing in an AWS Control Tower environment
For these common use cases, there are two key roles that use Dropbox differently: a business user and an administrator.
Tam, the Dropbox business user
Tam has been a Dropbox power user for years. She used Dropbox to organize her vacation photos and to share mp3 files related to her hobby as a singer-songwriter. Last year, she was promoted at work and used a small part of her budget to purchase Dropbox Enterprise for her remote teams. Her primary needs are as follows:
- Security: A few team members were already using Dropbox independently to share large files with each other and with business partners. While she trusts those team members, she also wants to ensure activity around her company’s intellectual property is auditable.
- Availability: Her team needs a central location to organize project files that they can access from anywhere.
- Collaboration: Her creatives need a lightweight digital asset management solution to be able to edit podcast content remotely.
Jess, the Dropbox administrator
Jess is a novice Dropbox consumer. She has worked as a network and security engineer for the majority of her career and is responsible for securing her organization’s multi-account AWS environment. Because of the confidential nature of the business, there are specific rules on what content is allowed to be shared externally and on who can share it. Several business units at her organization already use Dropbox. Her primary needs are as follows:
- Visibility: Jess must know who is sharing content externally across the entire Dropbox instance.
- Permissions: She wants to prevent certain users from sharing to unapproved domains.
- Governance: She must enforce the use of passwords and expiration dates on content shared via Dropbox links.
Jess uses AWS Control Tower to manage and secure the multi-account environment. She is part of the team responsible for granting the required permissions to the user community.
Jess’s primary goal is to put guardrails around her organization’s external sharing practices. After installing the Dropbox for Business app from AWS Marketplace, her first step is to integrate with AWS SSO, which her organization standardized for authenticating its users.
A. Integrating Dropbox with AWS SSO
To integrate her Dropbox software with AWS SSO, Jess does the following:
- Log in to the AWS account where AWS SSO is configured. In AWS Control Tower environments, this is the management account. Navigate to the AWS SSO console.
- Choose Applications, Add a new application and search for Dropbox.
- Choose Dropbox application and then Add application.
- Note down the AWS SSO sign-in URL and the AWS SSO sign-out URL.
- Download the AWS SSO certificate, as she will use this information in her Dropbox account.
- To enable the application on AWS SSO, choose Save changes.
- To complete the integration, Jess logs in to her Dropbox account and follows the instructions in How to enable single sign-on for your team in the Dropbox documentation.
B. Assigning Dropbox permissions to a business user
To give business user Tam access to her Dropbox group, Jess then does the following:
- Navigate to the AWS SSO console.
- Navigate to AWS SSO and then Applications. Then choose Dropbox.
- Choose Assigned users, and then Assigned users again.
- Choose Groups, then choose Assign users and select the group that Tam belongs to.
C. Restricting Dropbox access to an approved list of domains
As an admin, Jess must now review and configure the sharing settings. Users should only be able to share content with the organization’s 23 business partners. Here is how to restrict sharing to an approved list of domains.
- Log in to AWS SSO.
- To log in to the Dropbox account as Administrator, choose Dropbox.
- Choose Admin Console.
- Scroll down and choose Sharing.
- In the Sharing externally section, choose the dropdown and change On (Anyone) to On (Team + approved).
- Add domains to the Approved list, then choose Done.
Now anyone on a domain in the list, including its subdomains, is approved for sharing. Jess was careful to note that this setting doesn’t affect existing access; she can generate a report of existing external access later.
By contrast, Tam doesn’t want to restrict sharing to specific domains. For step C.5, she leaves this setting at the default of On (Anyone). Her plan is to run the external sharing report periodically in case her IT team requests visibility into which domains her users are sharing to.
D. Sharing Dropbox links externally
Jess must ensure shared links can be sent outside her organization so that her team can share to approved domains. She wants to encourage her users to think about who really needs access to the links they are creating, rather than defaulting to giving access to anyone who has the link. To restrict link access only to approved domains, she follows these steps.
- In the Admin console, navigate to Settings, Sharing, and switch the toggle for the Share links outside your team option to On.
- In the same section, for Default access for shared links, choose Only people invited.
Tam, on the other hand, has a marketing team that uses Dropbox to distribute non-private content widely. Her priority is effective collaboration, so she sets the default to a setting that doesn’t add friction for day-to-day use of Dropbox. To enable anyone with the link to access her Dropbox content, she follows these steps.
- In the Admin console, under Settings, Sharing, choose Default access for shared links.
- Select Anyone with link.
E. Sharing files using Dropbox Transfer
Tam’s main concern is to enable her marketing and creative teams to organize and share files externally. Dropbox Transfer enables her team to send snapshots of folders and files as a link that takes visitors to a custom-branded page for downloads. These links have their own password and expiration controls, and the sender is notified when the files are downloaded.
Jess finds it valuable for external sharees to download link content from a page with branding consistent with her organization. She also likes that the snapshot mechanism reduces the amount of data sprawl; users no longer have to create a new folder to load final versions when it’s time to share.
To enable their teams to share files using Dropbox Transfer, Tam and Jess follow these steps.
- In Settings, Sharing, scroll down to the Transfer section.
- Toggle Sharing files using Dropbox Transfer to On.
F. Auditing Dropbox activity
Both Jess and Tam need the ability to audit their teams’ activities in Dropbox. They access reports from the Insights page and the Activity Log. Jess particularly likes that she can pull Dropbox user activity from the Activity Log into her security information and event management (SIEM) through the Dropbox API. To do that, she follows these steps.
- In the Admin console left side panel, choose Insights.
- To see who is sharing content outside of the organization and what they’re sharing, choose External sharing reports.
- To see which links have no passwords or expiration dates, choose Link report.
- To see where sensitive information has been shared, choose Security alerts.
- To see what content specific users are sharing and to which domains, choose Domain sharing report.
- To search activity on a specific file, folder, or user, choose the Activity Log.
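Jess’s SIEM pull is the one step in this section that is automation rather than console clicks. The following Python script is an added example, not code from this post or from Dropbox: it pages through the team Activity Log with a cursor, restricts the pull to the sharing category, flattens each event into a single-level record, flags links that anyone can open, and emits newline-delimited JSON for a SIEM collector. The endpoint paths, the `.tag` union layout, the `shared_link_access_level` values and the “Team auditing” permission requirement are my reading of Dropbox’s public HTTP API reference and should be treated as assumptions; the sample pages, cursors and e-mail addresses are constructed so the script runs offline.

```python
import json
import urllib.request
from typing import Callable, Iterator, List, Optional

# Dropbox Business team audit-log endpoints (assumed from Dropbox's public
# HTTP API reference; both take a JSON body and return JSON).
API_BASE = "https://api.dropboxapi.com/2/"
GET_EVENTS = API_BASE + "team_log/get_events"
GET_EVENTS_CONTINUE = API_BASE + "team_log/get_events/continue"

Poster = Callable[[str, dict], dict]


def make_dropbox_post(team_token: str) -> Poster:
    """Build a caller that POSTs JSON to a Dropbox endpoint with a team access
    token. The token must carry the 'Team auditing' permission (assumption)."""
    def post(url: str, body: dict) -> dict:
        req = urllib.request.Request(
            url,
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {team_token}",
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def iter_team_events(post: Poster, category: Optional[str] = None,
                     start_time: Optional[str] = None,
                     limit: int = 1000) -> Iterator[dict]:
    """Yield every event, following the cursor until has_more is false so a
    busy team's log is not silently truncated at the first page."""
    body: dict = {"limit": limit}
    if category:
        body["category"] = category                # e.g. "sharing"
    if start_time:
        body["time"] = {"start_time": start_time}  # ISO-8601 UTC timestamp
    page = post(GET_EVENTS, body)
    while True:
        yield from page.get("events", [])
        if not page.get("has_more"):
            return
        page = post(GET_EVENTS_CONTINUE, {"cursor": page["cursor"]})


def tag(obj) -> str:
    """Dropbox union types carry their variant name in a '.tag' key."""
    return obj.get(".tag", "") if isinstance(obj, dict) else ""


def to_siem_record(event: dict) -> dict:
    """Flatten one TeamEvent into a single-level dict for SIEM ingestion."""
    actor = event.get("actor", {})
    user = actor.get("user", {}) if tag(actor) == "user" else {}
    access = tag(event.get("details", {}).get("shared_link_access_level"))
    return {
        "timestamp": event.get("timestamp"),
        "category": tag(event.get("event_category")),
        "event_type": tag(event.get("event_type")),
        "actor_email": user.get("email"),
        "link_access": access or None,
        # A link anyone can open is what the Link report in the console flags.
        "public_link": access == "public",
    }


def collect_siem_records(post: Poster, category: str = "sharing") -> List[dict]:
    return [to_siem_record(e) for e in iter_team_events(post, category=category)]


def to_ndjson(records: List[dict]) -> str:
    """Newline-delimited JSON is what most SIEM HTTP/file collectors accept."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


# --- constructed sample pages so the script runs offline --------------------
def _event(ts, etype, email, details):
    return {"timestamp": ts,
            "event_category": {".tag": "sharing"},
            "event_type": {".tag": etype},
            "actor": {".tag": "user",
                      "user": {".tag": "team_member", "email": email}},
            "details": details}


SAMPLE_PAGES = [
    {"events": [
        _event("2023-01-10T09:00:00Z", "shared_link_create", "tam@example.com",
               {".tag": "shared_link_create_details",
                "shared_link_access_level": {".tag": "public"}}),
        _event("2023-01-10T09:05:00Z", "shared_link_create", "jess@example.com",
               {".tag": "shared_link_create_details",
                "shared_link_access_level": {".tag": "team_only"}}),
    ], "cursor": "cursor-page-1", "has_more": True},
    {"events": [
        _event("2023-01-10T09:10:00Z", "shared_content_add_member",
               "tam@example.com", {".tag": "shared_content_add_member_details"}),
    ], "cursor": "cursor-page-2", "has_more": False},
]


def make_replay_post(pages: List[dict]) -> Poster:
    """Stand-in for make_dropbox_post that replays the canned pages in order."""
    it = iter(pages)
    return lambda url, body: next(it)


if __name__ == "__main__":
    # Swap make_replay_post(SAMPLE_PAGES) for make_dropbox_post(token) to run
    # live, and replace print with the SIEM collector's HTTP call.
    print(to_ndjson(collect_siem_records(make_replay_post(SAMPLE_PAGES))))
```

Passing a `start_time` equal to the timestamp of the last record already in the SIEM turns this into an incremental pull, and keeping the `public_link` flag as a first-class field lets a SIEM rule alert on exactly the links that the Link report surfaces in the console.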
G. Giving access and assigning content administrator rights to Microsoft Teams folders in Dropbox
Using Dropbox to give access to Microsoft Teams folders
Tam enabled the use of Dropbox Team Folders to help her team organize their files for storage and sharing. Her users found Team Folders similar to using a shared departmental drive. Tam created a folder for marketing and one for creative and used Dropbox Groups to give those teams access to those folders. To do that, she followed these steps.
- Create a group. In the Admin console, choose Groups and then Create group. Alternatively, you can import them from your identity management solution using a connector.
- On the same page, choose Content in the left-side bar.
- Choose Create team folder.
- To grant access to your new Team Folder, enter the group name.
- Grant the group the Edit access.
Assigning content administrator rights to Team Folders in Dropbox
To delegate the responsibility of granting access to content in these Team Folders, Tam gave content admin rights to a member of each team. To do that, she followed these steps.
- In the Admin console, choose Members.
- Choose a user to designate as a content administrator. Choose the gear icon next to their name.
- Choose Add admin role.
- Choose Content – set content permissions and manage content.
- Choose Add.
Jess did not configure Team Folders for her users, as they already use shared folders. However, she is considering adding Team Folders at a later date.
In this post, I showed how both an administrator and a business user can set up Dropbox for enterprise use cases. I showed how to integrate Dropbox with AWS SSO in a multi-account environment powered by AWS Control Tower, how to restrict Dropbox access to an approved list of domains, and how to share Dropbox links externally. I also showed how both an administrator and business user can share files using Dropbox Transfer, audit Dropbox activity, use Dropbox to give access to Microsoft Teams folders, and assign content administrator rights to Team Folders in Dropbox.
Learn more about purchase options for Dropbox Business.
To speak with a Dropbox product specialist, email firstname.lastname@example.org.
The content and opinions in this post are those of the third-party author, and AWS is not responsible for the content or accuracy of this post.
About the author
Carlo Garcia, Solutions Architect, Dropbox
Carlo Garcia is a Solutions Architect at Dropbox. He has over 15 years’ experience in collaboration and security software and specializes in helping customers remove friction in their daily work using Dropbox tools, whether they are IT admins or business users. Outside of work, he enjoys camping, deejaying and breakdancing with his 3 children, and volunteering to help build public art spaces in the city of Austin.