Additional configurations for AWS Data Protection

After you set up your AWS accounts for DLP scanning and Threat Protection (Malware Scan), you can perform the following additional configurations to improve your usage experience.

Enable server-side encryption for the SNS Topic

This configuration is optional but recommended. During the instance creation process, Netskope creates an SNS Topic in your AWS account that can publish messages to the Netskope webhook. Since these messages can be sensitive, Netskope recommends enabling server-side encryption on this SNS topic. Server-side encryption must be enabled on all regions of this account where the SNS Topic is created.

There are three parts to this procedure.

Enable Encryption

  1. Copy your existing customer master key (CMK). If you do not have an existing customer master key (CMK), then create a key by following the instructions in the AWS documentation.

    https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html

    Important

    Do not use the default key.

  2. Navigate to Amazon SNS, click on the topics, and edit the SNS topic, CloudWatchEventNskp.
  3. In the edit page, expand Encryption and select Enable encryption.
    [Figure: enable-sse-for-sns.png]
  4. Enter the CMK from step 1 and click Save changes.

Edit KMS Policy

  1. In the AWS KMS Console, find the CMK you used in Enable Encryption and edit the key policy. Add the following statement to the key policy to allow events.amazonaws.com to access the key.
    {
        "Sid": "Allow_Events_To_Access_CMK",
        "Effect": "Allow",
        "Principal": {
            "Service": "events.amazonaws.com"
        },
        "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey*"
        ],
        "Resource": "*"
    }
  2. Click Save changes.

Add a tag to the SNS Topic

  1. Navigate to Amazon SNS, click on the topics, and edit the SNS topic, CloudWatchEventNskp.
  2. In the Tags section, add a new tag and enter a Key and Value. Click Save changes.
    [Figure: add-tag-to-sns.png]
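A way to verify the first two parts of this procedure after the fact, as an added example that is not part of the Netskope documentation: the checks take the `Attributes` dict returned by boto3's `sns.get_topic_attributes()` for the CloudWatchEventNskp topic and the `Policy` string returned by `kms.get_key_policy()` for the CMK, and confirm that SSE uses a key other than the AWS-managed default (`alias/aws/sns`) and that the key policy grants events.amazonaws.com the two actions above. The sample inputs are constructed and use placeholder account and key IDs.

```python
import fnmatch
import json

DEFAULT_SNS_KEY = "alias/aws/sns"            # AWS-managed default key; the doc says not to use it
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")
EVENTS_PRINCIPAL = "events.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def topic_uses_customer_cmk(topic_attributes):
    """True when SSE is enabled on the topic with a key other than the default alias."""
    key_id = topic_attributes.get("KmsMasterKeyId", "")
    return bool(key_id) and key_id != DEFAULT_SNS_KEY


def key_policy_allows_events(policy_json):
    """True when an Allow statement grants events.amazonaws.com both required actions.
    Wildcards such as kms:GenerateDataKey* or kms:* are matched with fnmatch."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if EVENTS_PRINCIPAL not in services:
            continue
        patterns = _as_list(stmt.get("Action", []))
        if all(any(fnmatch.fnmatchcase(need, pat) for pat in patterns) for need in REQUIRED_ACTIONS):
            return True
    return False


def check_topic_encryption(topic_attributes, policy_json):
    """Return a list of findings; an empty list means both parts of the procedure are in place."""
    findings = []
    if not topic_uses_customer_cmk(topic_attributes):
        findings.append("SNS topic has no SSE key or uses the default alias/aws/sns key")
    if not key_policy_allows_events(policy_json):
        findings.append("CMK policy does not allow events.amazonaws.com kms:Decrypt and kms:GenerateDataKey*")
    return findings


# Constructed sample data (placeholder account 111122223333 and an all-zero key id).
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:CloudWatchEventNskp"
SAMPLE_TOPIC_OK = {"TopicArn": TOPIC_ARN, "KmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"}
SAMPLE_TOPIC_DEFAULT = {"TopicArn": TOPIC_ARN, "KmsMasterKeyId": DEFAULT_SNS_KEY}
SAMPLE_POLICY_OK = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "Allow_Events_To_Access_CMK", "Effect": "Allow", "Principal": {"Service": EVENTS_PRINCIPAL}, "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]})
SAMPLE_POLICY_MISSING = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "Allow_Events_To_Access_CMK", "Effect": "Allow", "Principal": {"Service": EVENTS_PRINCIPAL}, "Action": "kms:Decrypt", "Resource": "*"}]})

if __name__ == "__main__":
    print(check_topic_encryption(SAMPLE_TOPIC_OK, SAMPLE_POLICY_OK))            # []
    print(check_topic_encryption(SAMPLE_TOPIC_DEFAULT, SAMPLE_POLICY_MISSING))  # two findings
```

Run it against every region where the CloudWatchEventNskp topic exists, since the procedure must be repeated per region.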