Skip to main content

Netskope Help

Step 2/2: Configure AWS Permissions for Data Protection

Netskope requires permissions to perform certain actions in the AWS account such as creating a stack to receive CloudWatch events. This screen provides a customized CFT with permissions required to set up cross account access between Netskope and your AWS accounts. The permissions defined in the CFT are updated based on the services you've enabled on the Accounts & Services page.

You can review the CFT to understand the various permissions required by Netskope.

Note

Ensure that the AWS accounts have the permissions required to run the Netskope for IaaS services.

To complete the set up you must:

  1. Download the CFT.

  2. Upload the CFT to a new CloudFormation stack in each AWS account.

  3. Confirm that a cross account role with the required permissions is created.

Follow the detailed instructions below to complete the set up.

  1. In the Permissions screen of the New Setup window, click the link to download the CFT.

    multi-accountAWSsetup-1.png
  2. Log in to the AWS Management Console using the credentials of the AWS account you are setting up with Netskope for IaaS and navigate to Services > CloudFormation.

  3. In the CloudFormation page, click Create stack.

    create_stack.png

    To create a stack with new resources, choose With new resources (standard).

    To create a stack with existing resources, choose With existing resources (import resources).

  4. Select Upload a template file and click Choose file to upload the aws-instance-setup.yml. Click Next.

    multi-accountAWSsetup-2.png
  5. In the Specify stack details page, specify a Stack name. Click Next.

    The stack name must:

    • Only contain alphanumeric characters and hyphens,

    • start with an alphabet, and

    • not exceed 128 characters.

  6. In the Configure stack options page, use the default configuration, and click Next.

  7. Review your stack details on the Review page, click the acknowledgment and then click Create stack.

    When the creation process is complete, your stack will be displayed on the CloudFormation page.

    You can click on the stack to view the details about the stack. The Resources tab displays the various components that are part of aws-instance-setup.yml. The Template tab displays the permissions defined in the template.

  8. In the Netskope UI, confirm that a cross account role with permissions is created in each AWS account. Click Add Accounts.

    multi-accountAWSsetup-3.png

    Netskope adds the AWS accounts to the Settings > API-enabled Protection > Cloud Infrastructure page. The page also displays the services that are enabled for each account.

    multi-accountAWSsetup-4.png

    If you run into any errors, see Troubleshooting AWS Storage Scan Instance Setup Error.

What happens in the process?

When DLP Scan or Threat Protection (Malware Scan) is enabled Netskope's aws-instance-setup.yml creates a cross-account role in the AWS accounts which enables the CFT to create,

  • a new CloudFormation stack called NetskopeStack in each region of this account where DLP Scan or Threat Protection (Malware Scan) is enabled.

  • CloudWatch event rules to monitor events in S3 buckets. Netskope creates and monitors the following rules,

    RestoreObject, PutObject, PutObjectAcl, CopyObject, DeleteObject, CreateMultipartUpload, UploadPart, UploadPartCopy, CompleteMultipartUpload.

  • an SNS Topic, Policy, and Subscription to subscribe the AWS accounts to Netskope's endpoint URL. The endpoint is a notification receiver that receives CloudWatch events generated from write, update, and delete operations performed on S3 buckets in your AWS accounts.

    Netskope recommends that you enable server-side encryption on the SNS topic to ensure that the messages published by this topic to Netskope are encrypted. To learn more: Additional configurations for AWS Data Protection.

Netskope requires permissions to monitor and receive events from S3 buckets in your AWS accounts. The cross-account role creates two IAM policies, StorageScanPolicy and CloudFormationPolicy.

StorageScanPolicy is created with the following permissions,

AWS Permissions for StorageScanPolicy

Purpose

s3:ListAllMyBuckets

This implementation of the GET operation returns a list of all buckets owned by the authenticated sender of the request.

s3:ListBucket

Lists a specific bucket

s3:GetObject

This implementation of the GET operation retrieves objects from Amazon S3.

s3:GetObjectAcl

This implementation of the GET operation uses the acl subresource to return the access control list (ACL) of an object.

s3:GetBucketLocation

This implementation of the GET operation uses the location subresource to return a bucket's region.

s3:GetEncryptionConfiguration

This implementation of the GET operation retrieves the bucket encryption to support the serverSideEncryption filter in the policy.

s3:GetBucketPublicAccessBlock

This implementation of the GET operation is used to check whether public access has been blocked for a bucket.

s3:GetBucketAcl

This implementation of the GET operation is used to check whether the bucket ACL grants the bucket public access.

s3:GetBucketPolicyStatus

This implementation of the GET operation is used to check whether the bucket has public access based on bucket policy.

ec2:DescribeRegions

Describes one or more regions that are currently available to you.

CloudFormationPolicy is created with the following permissions,

AWS Permissions for CloudFormationPolicy

Purpose

Resources utilized

cloudformation:DescribeStacks

Returns the description for the specified stack; if no stack name was specified, then it returns the description for all the stacks created.

arn:aws:cloudformation:::stack/NetskopeStack/*

sns:Publish

Sends a message to all endpoints a topic is subscribed to.

arn:aws:sns:::CloudWatchEvent*

sns:Unsubscribe

Deletes a subscription.

arn:aws:sns:::CloudWatchEvent*

sns:Subscribe

Prepares to subscribe an endpoint by sending the endpoint a confirmation message.

arn:aws:sns:::CloudWatchEvent*

sns:ConfirmSubscription

Verifies an endpoint owner's intent to receive messages by validating the token sent to the endpoint by an earlier Subscribe action.

arn:aws:sns:::CloudWatchEvent*

sns:SetTopicAttributes

Allows a topic owner to set an attribute of the topic to a new value.

arn:aws:sns:::CloudWatchEvent*

sns:CreateTopic

Creates a topic to which notifications can be published.

arn:aws:sns:::CloudWatchEvent*

sns:DeleteTopic

Deletes a topic and all its subscriptions.

arn:aws:sns:::CloudWatchEvent*

sns:GetTopicAttributes

Returns all the properties of a topic.

arn:aws:sns:::CloudWatchEvent*

events:DescribeRule

Describes the details of the specified rule.

arn:aws:events:::rule/NetskopeStack*

events:ListRules

Lists the Amazon CloudWatch Events rules.

arn:aws:events:::rule/NetskopeStack*

events:PutEvents

Sends custom events to Amazon CloudWatch Events so that they can be matched to rules.

arn:aws:events:::rule/NetskopeStack*

events:EnableRule

Enables a rule.

arn:aws:events:::rule/NetskopeStack*

events:PutRule

Creates or updates a rule.

arn:aws:events:::rule/NetskopeStack*

events:PutTargets

Adds targets to a rule.

arn:aws:events:::rule/NetskopeStack*

events:RemoveTargets

Removes targets from a rule so that when the rule is triggered, those targets will no longer be invoked.

arn:aws:events:::rule/NetskopeStack*

events:DeleteRule

Deletes a rule.

arn:aws:events:::rule/NetskopeStack*

sns:ListTopics

Returns a list of the requester's topics.

arn:aws:sns:::*

cloudformation:CreateStack

Creates a stack as specified in the template.

arn:aws:cloudformation:::stack/NetskopeStack/*

The following condition applies.

ForAllValues:Null:cloudformation:RoleArn: true

cloudformation:UpdateStack

Updates a stack as specified in the template.

arn:aws:cloudformation:::stack/NetskopeStack/*

The following condition applies.

ForAllValues:Null:cloudformation:RoleArn: true

cloudformation:DeleteStack

Deletes a specified stack.

arn:aws:cloudformation:::stack/NetskopeStack/*

The following condition applies.

ForAllValues:Null:cloudformation:RoleArn: true

Note

The NetskopeStack is managed by Netskope and must not be manually updated.