Additional configurations for AWS Data Protection
After you set up your AWS accounts for DLP scanning and Threat Protection (Malware Scan), you can perform the following additional configurations to improve your usage experience.
Enable server-side encryption for the SNS Topic
This configuration is optional but recommended. During the instance creation process, Netskope creates an SNS Topic in your AWS account that can publish messages to the Netskope webhook. Since these messages can be sensitive, Netskope recommends enabling server-side encryption on this SNS topic. Server-side encryption must be enabled in every region of this account where the SNS Topic is created.
There are three parts to this procedure.
Enable Encryption
1. Copy your existing customer master key (CMK). If you do not have an existing CMK, create a key by following the instructions in the AWS documentation: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html
Important
Do not use the default key.
2. Navigate to Amazon SNS, click Topics, and edit the SNS topic CloudWatchEventNskp.
3. In the edit page, expand Encryption and select Enable encryption.
4. Enter the CMK from step 1 and click Save changes.
Edit KMS Policy
1. In the AWS KMS Console, find the CMK you used in Enable Encryption and edit the key policy. Add the following statement to the key policy to allow events.amazonaws.com to access the key:
    {
      "Sid": "Allow_Events_To_Access_CMK",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    }
2. Click Save changes.
Add a tag to the SNS Topic
1. Navigate to Amazon SNS, click Topics, and edit the SNS topic CloudWatchEventNskp.
2. In the Tags section, add a new tag and enter a Key and Value. Click Save changes.
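As an added verification check (example code, not Netskope's or AWS's own), the following Python validates the Enable Encryption and Edit KMS Policy parts of the procedure against constructed sample inputs: the topic's KmsMasterKeyId must be a CMK rather than the AWS-managed default, and the key policy must carry a statement granting events.amazonaws.com both kms:Decrypt and kms:GenerateDataKey. The account ID and key ID in the samples are placeholders; in practice the inputs come from the topic attributes and the parsed key policy document.

```python
import fnmatch
# The AWS-managed SNS key; its policy cannot be edited, so events.amazonaws.com
# can never be granted access to it (which is why the page says not to use it).
DEFAULT_SNS_KEY_ALIAS = "alias/aws/sns"
REQUIRED_PRINCIPAL = "events.amazonaws.com"
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")
# Constructed sample input shaped like SNS topic attributes and a parsed KMS
# key policy document; the account id and key id are placeholders.
SAMPLE_TOPIC_ATTRIBUTES = {
    "TopicArn": "arn:aws:sns:us-east-1:111122223333:CloudWatchEventNskp",
    "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
}
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow_Events_To_Access_CMK", "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}

def _as_list(value):
    # Policy fields such as Action and Service may be a string or a list.
    return value if isinstance(value, list) else [value]

def topic_uses_customer_key(topic_attributes):
    key_id = topic_attributes.get("KmsMasterKeyId", "")
    return bool(key_id) and key_id != DEFAULT_SNS_KEY_ALIAS

def policy_allows_events(key_policy):
    """True if an Allow statement grants events.amazonaws.com both actions."""
    for stmt in _as_list(key_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if REQUIRED_PRINCIPAL not in _as_list(principal.get("Service", [])):
            continue
        granted = _as_list(stmt.get("Action", []))
        # Granted actions may be wildcards such as "kms:GenerateDataKey*".
        if all(any(fnmatch.fnmatchcase(need, g) for g in granted)
               for need in REQUIRED_ACTIONS):
            return True
    return False

def check_topic_encryption(topic_attributes, key_policy):
    findings = []  # an empty list means the two parts are complete
    if not topic_attributes.get("KmsMasterKeyId"):
        findings.append("server-side encryption is not enabled on the topic")
    elif not topic_uses_customer_key(topic_attributes):
        findings.append("topic uses the default AWS-managed key, not a CMK")
    if not policy_allows_events(key_policy):
        findings.append("key policy does not grant events.amazonaws.com access")
    return findings
```

Run check_topic_encryption once per region where the topic exists, since the encryption setting is per topic and the topic is created in each region.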