Skip to main content

Netskope Help

Enabling Forensics for Amazon Web Services S3

Important

  • Ensure the S3 bucket chosen as forensic destination does not have dots in the name. For more information, please refer to AWS S3 Bucket Naming Rules.

  • Before you configure an S3 bucket as a forensic destination, ensure that the bucket does not have a policy with “s3:x-amz-content-sha256”: “UNSIGNED-PAYLOAD” condition key configured. For existing S3 buckets configured as forensic destination, remove this condition key or create a new S3 bucket without a bucket policy having this condition key. For additional information on “s3:x-amz-content-sha256”: “UNSIGNED-PAYLOAD” condition key, see Amazon S3 Signature Version 4 Authentication Specific Policy Keys.

    It is important to note that the S3 bucket must not have this policy condition key as long as it is used as a forensic destination.

To configure your AWS S3 buckets as a forensic destination,

  1. Make a list of AWS accounts you want to configure for Forensic. The list must include account numbers and account names. Optionally, you can also include email addresses associated with the account.

    Note

    Netskope recommends using the same account name as the AWS account alias. If an account alias is not available for the AWS account, then provide an account name for the AWS account.

    You can use AWS CLI to generate the list of AWS accounts as a CSV file. To learn more, see "Creating a CSV file" in Step 1/2: Configure AWS Accounts & Services for Forensic.

  2. In the Netskope UI go to Settings > API-enabled Protection > IaaS. Click Setup.

  3. Follow the instructions in the following sections.

Note

If you have existing AWS accounts that were configured using the old set up process, you can migrate them using the instructions in Migrating existing AWS accounts to the new set up.

Migrating to the new setup will enable you to automatically add new AWS accounts into Netskope.