FAQs to setup UEBA for AWS
The following topic covers frequently asked questions and common scenarios when setting up the CloudTrail feature for AWS.
Setting up or modifying an AWS Instance with CloudTrail and Data Protection enabled
The following sections cover various scenarios for setting up or modifying an AWS instance that has CloudTrail and DLP Scan and/or Threat Protection (Malware Scan) enabled.
Onboarding a new AWS instance with CloudTrail and Data Protection enabled
When you onboard a new AWS instance with both CloudTrail and DLP Scan and/or Threat Protection (Malware Scan), the CFT aws-instance-setup.yml creates a new stack, NetskopeCloudTrailStack, and a trail with a similar name.
The following table covers different onboarding scenarios and provides the additional steps required to set up CloudTrail and DLP Scan and/or Threat Protection (Malware Scan) on a new AWS instance. Perform these steps after you've set up UEBA for AWS.
| New instance setup | What to do after setup? |
|---|---|
| | Edit the trail, NetskopeCloudTrailStack... created by the CloudTrail feature and enable Data Events for all buckets. |
| In this scenario, there are no buckets in common between CloudTrail and Data Protection features. | |
Editing an existing AWS instance to enable CloudTrail
When you onboard an AWS instance with DLP Scan and/or Threat Protection (Malware Scan), the CFT aws-instance-setup.yml creates a stack called NetskopeStack. After the instance is created, you must create a new trail in all the regions of the AWS account.
Later, when you want to edit this instance to enable the CloudTrail feature, the new CFT aws-instance-setup.yml creates a new stack, NetskopeCloudTrailStack, and a trail with a similar name.
The following table covers different editing scenarios and provides the additional steps required to edit instances that have CloudTrail and DLP Scan and/or Threat Protection (Malware Scan) enabled.
| Existing instance | Edit scenarios | What to do? |
|---|---|---|
| Scanning enabled for all buckets | To enable logging for all buckets | |
| Scanning enabled for specific buckets | To enable logging for all buckets | |
| Scanning enabled for specific buckets | To enable logging for specific buckets | In this case, there are no buckets in common between CloudTrail and Data Protection features. |
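A check for the requirements these onboarding and editing scenarios repeat (a trail that covers all regions, S3 data events enabled for all buckets, and overlap with the buckets a scan covers), written as an added example rather than Netskope's code. The dicts mirror the shape boto3 returns from describe_trails() and get_event_selectors(); the trail name and bucket names are constructed.

```python
# Constructed sample of one describe_trails() entry (boto3 shape, made-up values).
SAMPLE_TRAIL = {"Name": "NetskopeCloudTrailStack-trail", "IsMultiRegionTrail": True}

# Constructed get_event_selectors() shape: S3 data events for every bucket.
ALL_BUCKETS_SELECTORS = [{
    "ReadWriteType": "All",
    "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
}]

# Constructed get_event_selectors() shape: S3 data events for two named buckets only.
SPECIFIC_BUCKET_SELECTORS = [{
    "ReadWriteType": "All",
    "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object",
                       "Values": ["arn:aws:s3:::dlp-scan-bucket/", "arn:aws:s3:::other-bucket/"]}],
}]


def s3_data_event_buckets(event_selectors):
    """Buckets with S3 data events enabled; {"*"} means all buckets in the account."""
    buckets = set()
    for selector in event_selectors:
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            for arn in resource.get("Values", []):
                # A bare "arn:aws:s3" or "arn:aws:s3:::" selects every bucket.
                if arn in ("arn:aws:s3", "arn:aws:s3:::"):
                    return {"*"}
                # "arn:aws:s3:::bucket/" or "arn:aws:s3:::bucket/prefix" -> bucket name
                buckets.add(arn.split(":::", 1)[-1].split("/", 1)[0])
    return buckets


def trail_gaps(trail, event_selectors, scanned_buckets):
    """Return what is missing for the trail to cover all regions and every scanned bucket."""
    gaps = []
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("trail is single-region; it must cover all regions of the account")
    covered = s3_data_event_buckets(event_selectors)
    if "*" not in covered:
        missing = sorted(set(scanned_buckets) - covered)
        if missing:
            gaps.append("no S3 data events for scanned buckets: " + ", ".join(missing))
    return gaps
```

An empty list from trail_gaps means the trail already satisfies both conditions; each string in a non-empty list names one gap to fix in the trail before the scan and logging features share buckets.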
Disable CloudTrail from an existing AWS instance with Data Protection enabled
When you onboard an AWS instance with DLP Scan and/or Threat Protection (Malware Scan) only, the CFT aws-instance-setup.yml creates a stack called NetskopeStack. After the instance is created, you must create a new trail in all the regions of the AWS account. Later, when you want to edit this instance to enable the CloudTrail feature, the new CFT aws-instance-setup.yml creates a new stack, NetskopeCloudTrailStack, and a trail with a similar name.
When you onboard an AWS instance with both CloudTrail and DLP Scan and/or Threat Protection (Malware Scan), the CFT aws-instance-setup.yml creates only one stack, NetskopeCloudTrailStack, and a trail with a similar name.
The following table covers different scenarios for disabling CloudTrail on an existing AWS instance while keeping DLP Scan and/or Threat Protection (Malware Scan) enabled.
| Existing instance | What to do to disable CloudTrail only? |
|---|---|
| | Choose one of the following based on how this instance was onboarded. |
| | Choose one of the following based on how this instance was onboarded. |
| In this scenario, there are no buckets in common between CloudTrail and Data Protection features. | Keep the NetskopeStack stack and the trail you created for the Data Protection features. Delete the NetskopeCloudTrailStack stack. |
| In this scenario, there are common buckets between CloudTrail and Data Protection features. | Keep the NetskopeStack stack and the trail you created for the Data Protection features. Delete the NetskopeCloudTrailStack stack. |