Netskope Help

Appendix
Lower Privilege for Sub-Account Role that Trusts Master Account

If you do not intend to configure the sub-account role that trusts the master account with AdministratorAccess policy, the role can be configured with a policy equivalent to the following:

{
    "Version": "2012-10-17",
    "Statement":
    [
        {
            "Action":
            [
                “s3:*",
                "cloudtrail:*",
                "sns:*",
                "iam:*",
                "cloudformation:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}