Enabling Data Protection for AWS S3
You can simultaneously add multiple AWS accounts in a single region to your Netskope tenant.
To configure your AWS accounts for Data Protection, complete the following steps.
Make a list of AWS accounts you want to configure for DLP Scan and Threat Protection (Malware Scan). The list must include account numbers and account names. Optionally, you can also include email addresses associated with the account.
Note
Netskope recommends using the same account name as the AWS account alias. If an account alias is not available for the AWS account, then provide an account name for the AWS account.
You can use AWS CLI to generate the list of AWS accounts as a CSV file. To learn more, see "Creating a CSV file" in Step 1/2: Configure AWS Accounts & Services for Data Protection.
Ensure that the CloudWatch service is enabled in each of your AWS accounts. The Data Protection feature relies on CloudWatch to deliver event notifications to Netskope.
Netskope listens to the following CloudWatch events. The names correspond to the S3 API calls recorded by CloudTrail. CREATE_BUCKET and DELETE_BUCKET are management events and are logged by default; the remaining, object-level events are CloudTrail data events and are only recorded for buckets that have object-level logging enabled, which is the final step of this procedure.
CREATE_BUCKET
DELETE_BUCKET
RESTORE_OBJECT
PUT_OBJECT
PUT_OBJECT_ACL
COPY_OBJECT
DELETE_OBJECT
CREATE_MULTIPART_UPLOAD
UPLOAD_PART
UPLOAD_PART_COPY
COMPLETE_MULTIPART_UPLOAD
To learn more about setting up CloudWatch, see the AWS documentation on CloudWatch.
In the Netskope UI, go to Settings > API-enabled Protection > IaaS and click Setup.
Follow the instructions in the following sections.
Note
If you have existing AWS accounts that were configured using the old setup process, you can migrate them using the instructions in Migrating existing AWS accounts to the new set up.
Migrating to the new setup will enable you to automatically add new AWS accounts into Netskope.
After you complete the setup, enable object-level logging (CloudTrail data event logging for S3) on the buckets you want protected, so that object events reach Netskope without delay. CloudTrail bills data events separately from management events, so scope the data event selector to the buckets you actually need rather than enabling it account-wide by default. To learn more, see the following AWS documentation links.
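The following script is an added example and is not part of the Netskope documentation or the Netskope product. It covers two of the steps above: building the account CSV for step 1 from AWS Organizations (with a helper to read the IAM account alias that Netskope recommends using as the account name), and enabling S3 object-level logging for the final step by adding an AWS::S3::Object data event selector to an existing CloudTrail trail. It assumes the AWS CLI v2 is installed, that the CSV export runs with credentials for the Organizations management (or delegated administrator) account, and that the trail commands run with credentials for the account that owns the trail. The CSV header text, the trail name and the bucket name are placeholders chosen here; check the "Creating a CSV file" instructions for the exact header your tenant expects.

```shell
#!/usr/bin/env sh
# Added example (not Netskope's code). Placeholders: CSV header text,
# trail name, bucket name. Requires AWS CLI v2 and suitable credentials.
set -eu

# Convert tab-separated "Id<TAB>Name<TAB>Email" rows, the shape produced by
#   aws organizations list-accounts --query 'Accounts[].[Id,Name,Email]' --output text
# into a CSV of account number, account name and optional email address.
accounts_to_csv() {
  printf 'Account Number,Account Name,Email\n'
  awk -F '\t' '
    NF >= 2 {
      # Quote any field that contains a comma so the CSV stays parseable.
      for (i = 1; i <= NF; i++) if ($i ~ /,/) $i = "\"" $i "\""
      if (NF >= 3) print $1 "," $2 "," $3
      else         print $1 "," $2
    }'
}

# List the ACTIVE accounts in the organization as CSV.
export_org_accounts_csv() {
  aws organizations list-accounts \
      --query 'Accounts[?Status==`ACTIVE`].[Id,Name,Email]' \
      --output text \
    | accounts_to_csv
}

# Print the IAM account alias for the credentials in use so the account name in
# the CSV can match it. Prints nothing when no alias exists; choose a name then.
current_account_alias() {
  aws iam list-account-aliases --query 'AccountAliases[0]' --output text \
    | grep -v '^None$' || true
}

# Build the CloudTrail event-selector document. Management events stay enabled so
# CREATE_BUCKET and DELETE_BUCKET are still captured alongside the object events.
# $1 is the data resource prefix: "arn:aws:s3" for all current and future
# buckets, or "arn:aws:s3:::<bucket>/" for a single bucket.
s3_object_event_selectors() {
  printf '[{"ReadWriteType":"All","IncludeManagementEvents":true,"DataResources":[{"Type":"AWS::S3::Object","Values":["%s"]}]}]' "$1"
}

# Enable object-level (data event) logging on an existing trail.
# Usage: enable_s3_object_logging <trail-name> [<bucket-name>]
# Omitting the bucket enables data events for every bucket in the account,
# which CloudTrail bills per event; pass a bucket to keep the scope narrow.
enable_s3_object_logging() {
  trail="$1"
  if [ "$#" -ge 2 ]; then
    resource="arn:aws:s3:::$2/"
  else
    resource="arn:aws:s3"
  fi
  aws cloudtrail put-event-selectors \
      --trail-name "$trail" \
      --event-selectors "$(s3_object_event_selectors "$resource")"
}

# Succeeds only if the JSON on stdin contains an AWS::S3::Object data resource.
has_s3_object_selector() {
  grep -q '"AWS::S3::Object"'
}

# Verify that a trail already logs S3 object events before relying on it.
trail_logs_s3_objects() {
  aws cloudtrail get-event-selectors --trail-name "$1" --output json \
    | has_s3_object_selector
}
```

A typical run is `export_org_accounts_csv > accounts.csv` from the management account, then `trail_logs_s3_objects my-trail || enable_s3_object_logging my-trail my-bucket` (placeholder names) in each member account. Account names that contain commas are quoted by `accounts_to_csv`; names that contain double quotes are not escaped, so rename such accounts or fix the row by hand before importing.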