Netskope Help

Bulk Add AWS accounts to Netskope for CSA

You can simultaneously add multiple AWS accounts in a single region to your Netskope tenant.

To configure your AWS accounts for CSA, in the Netskope UI go to Settings > API-enabled Protection > IaaS. Click Setup and follow the instructions in the following sections.

Note

If you have existing AWS accounts that were configured using the old setup process, you can migrate them using the instructions in Migrate existing AWS accounts to the new set up.

Migrating to the new setup will enable you to automatically add new AWS accounts into Netskope for CSPM.

Step 1/2: Configure AWS Accounts & Services for CSA

On the Accounts & Services screen, provide each AWS account's number, a name for it, and an admin email address. Then enable the services you want to run on those accounts.

  1. Enter one account per line in the text box as account number, account name, and admin email address, or upload a CSV file with the same columns. The format is:

    123456789012,test,andrew@netskope.com
    764389765412,develop
    345689713654,production,timms@netskope.com
    

    Note

    The account number and account name are required; the name helps you identify each account in the Netskope tenant. The email address is optional.

    For information on how to create a CSV file, see Creating a CSV file.

  2. In the Services section, select Security Posture.

    This feature scans the AWS resources for misconfigurations and measures them against compliance benchmarks and best practices such as CIS, PCI-DSS, NIST, and Netskope's recommended best practices.

    You can view the compliance status of your resources in the Compliance > Security Posture, IaaS > Overview, and IaaS > Inventory pages.

After providing the account information and selecting the services, proceed to Step 2/2: Configure AWS Permissions for CSA.

Creating a CSV file

The quickest way to add multiple AWS accounts in the setup screen is to create a CSV file with the account numbers, account names, and email addresses.

You can use Microsoft Excel or Google Sheets to create a CSV file. To get the list of AWS account numbers, account names, and email addresses from AWS Organizations using the AWS CLI, run the following command with credentials for the organization's management account (or a delegated administrator account):

aws --output=text organizations list-accounts | awk -F'\t' '{printf("%s,%s,%s\n",$4,$7,$3)}'

In text output each account is one tab-separated line: the label ACCOUNTS followed by Arn, Email, Id, JoinedMethod, JoinedTimestamp, Name, and Status, so fields $4, $7, and $3 are the account number, name, and email address. The list includes accounts whose Status is SUSPENDED as well as ACTIVE ones, so remove any you do not want Netskope to scan. The output of this command can then be copied to a spreadsheet in Microsoft Excel or Google Sheets and saved as a comma separated CSV, as shown in the screenshot.

excel-to-csv.png

This CSV file can then be uploaded to the setup screen.
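The awk one-liner above passes the CLI output through as-is. As an added example (not Netskope's tooling), the following Python script builds the same three-column file from the JSON output of aws organizations list-accounts, keeping only ACTIVE accounts, checking that each account number is 12 digits, and setting aside any entry whose name or email contains a comma, which would shift the columns of the unquoted format the setup screen expects. The sample input embedded in it is constructed, and the script name make_csv.py in the usage line is an assumption.

```python
#!/usr/bin/env python3
"""Build the bulk-add CSV (account number,account name,email) from
`aws organizations list-accounts --output json`.

Added example for this page, not Netskope's tooling. Unlike the awk one-liner
it drops accounts that are not ACTIVE, checks that every account number is 12
digits, and refuses fields containing a comma (the setup screen's format is
unquoted, so a comma inside a field would shift the columns).
Usage: aws organizations list-accounts --output json | python3 make_csv.py > accounts.csv
"""
import json
import re
import sys

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

def select_accounts(accounts):
    """Return (rows, skipped): rows are (id, name, email) tuples ready for the
    setup screen, skipped is a list of (id, reason) for anything left out."""
    rows, skipped = [], []
    for acct in accounts:
        acct_id = str(acct.get("Id", ""))
        name = (acct.get("Name") or "").strip()
        email = (acct.get("Email") or "").strip()
        status = acct.get("Status")
        if status != "ACTIVE":
            skipped.append((acct_id, f"status is {status}, not ACTIVE"))
        elif not ACCOUNT_ID_RE.match(acct_id):
            skipped.append((acct_id, "account number is not 12 digits"))
        elif not name:
            skipped.append((acct_id, "account name is required"))
        elif "," in name or "," in email:
            skipped.append((acct_id, "name or email contains a comma; add it by hand"))
        else:
            rows.append((acct_id, name, email))
    return rows, skipped

def to_csv(rows):
    """One unquoted line per account; the optional email is omitted when empty,
    matching the sample format on this page."""
    return "".join(",".join(f for f in row if f) + "\n" for row in rows)

# Constructed sample in the shape of the CLI's JSON output (not real accounts).
# A real Organizations account always has an email; the empty one is here to
# show that the setup format allows omitting it.
SAMPLE_LIST_ACCOUNTS = {"Accounts": [
    {"Id": "123456789012", "Name": "test", "Email": "andrew@netskope.com", "Status": "ACTIVE"},
    {"Id": "764389765412", "Name": "develop", "Email": "", "Status": "ACTIVE"},
    {"Id": "345689713654", "Name": "production", "Email": "timms@netskope.com", "Status": "ACTIVE"},
    {"Id": "111122223333", "Name": "old-sandbox", "Email": "sandbox@example.com", "Status": "SUSPENDED"},
    {"Id": "444455556666", "Name": "Finance, EU", "Email": "fin@example.com", "Status": "ACTIVE"},
]}

if __name__ == "__main__":
    # Read the CLI's JSON from a pipe; fall back to the constructed sample when run bare.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_LIST_ACCOUNTS
    rows, skipped = select_accounts(data["Accounts"])
    sys.stdout.write(to_csv(rows))
    for acct_id, reason in skipped:
        print(f"skipped {acct_id}: {reason}", file=sys.stderr)
```

Skipped accounts are reported on stderr so they never end up in the file you upload; add them by hand in the text box if you do want them scanned.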

Step 2/2: Configure AWS Permissions for CSA

Netskope requires permissions to assume a role in each account and scan your AWS resources. This screen provides a customized CloudFormation template (CFT) that creates the cross account role, and the permissions it needs, for access between Netskope and your AWS accounts. The permissions defined in the CFT are updated based on the services you've enabled in the Accounts & Services page.

You can review the CFT to understand the various permissions required by Netskope.

Note

Ensure that the AWS accounts have the permissions required to run the Netskope for IaaS services, and that the identity you use to create the stack in each account is allowed to create IAM roles and policies, because the CFT creates the cross account role.

To complete the setup you must:

  1. Download the CFT.

  2. Upload the CFT to a new CloudFormation stack in each AWS account.

  3. Confirm that a cross account role with the required permissions is created.

Follow the detailed instructions below to complete the setup.

  1. In the Permissions screen of the New Setup window, click the link to download the CFT.

    multi-accountAWSsetup-1.png
  2. Log in to the AWS Management Console using the credentials of the AWS account you are setting up with Netskope for IaaS and navigate to Services > CloudFormation.

  3. In the CloudFormation page, click Create stack.

    create_stack.png

    Choose With new resources (standard); the template creates a new cross account IAM role.

    With existing resources (import resources) is for bringing resources created outside CloudFormation under a stack and does not apply to this setup.

  4. Select Upload a template file and click Choose file to upload the aws-instance-setup.yml. Click Next.

    multi-accountAWSsetup-2.png
  5. In the Specify stack details page, specify a Stack name. Click Next.

    The stack name must:

    • Only contain alphanumeric characters and hyphens,

    • start with a letter, and

    • not be longer than 128 characters.

  6. In the Configure stack options page, use the default configuration, and click Next.

  7. Review your stack details on the Review page, select the acknowledgment that CloudFormation might create IAM resources (the template creates the cross account role), and then click Create stack.

    When the creation process is complete, your stack will be displayed on the CloudFormation page.

    You can click on the stack to view the details about the stack. The Resources tab displays the various components that are part of aws-instance-setup.yml. The Template tab displays the permissions defined in the template.

  8. In the Netskope UI, confirm that a cross account role with permissions is created in each AWS account. Click Add Accounts.

    multi-accountAWSsetup-3.png

    Netskope adds the AWS accounts to the Settings > API-enabled Protection > Cloud Infrastructure page. The page also displays the services that are enabled for each account.

    multi-accountAWSsetup-4.png
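Clicking through the console once per account does not scale to the bulk case this page is about. As an added example, not part of Netskope's documentation or tooling, the script below creates the same stack in every account listed in the Step 1 CSV, run from the organization's management account: it assumes a role in each member account (OrganizationAccountAccessRole, the role AWS Organizations creates by default, is assumed here and can be changed), checks the stack name against the rules in step 5, and passes the IAM capability acknowledgment that step 7 asks for in the console. The region is taken from your AWS CLI configuration, so set it to the single region you are onboarding. boto3 and the script name deploy_cft.py are assumptions.

```python
#!/usr/bin/env python3
"""Create the Netskope CloudFormation stack in every account of the bulk-add CSV.

Added example for this page, not Netskope's tooling. Assumes:
  * the CSV from Step 1 (account number,account name[,email]);
  * a role you can assume in each member account (OrganizationAccountAccessRole,
    which AWS Organizations creates by default, is assumed below);
  * boto3, and credentials for the management account when really deploying;
  * the target region is set in your AWS CLI configuration (AWS_DEFAULT_REGION).
Usage: python3 deploy_cft.py accounts.csv aws-instance-setup.yml netskope-csa
"""
import re
import sys

# Stack name rules from step 5: letters, digits and hyphens, starting with a letter, max 128.
STACK_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,127}$")
ROLE_NAME = "OrganizationAccountAccessRole"  # assumption; change to your admin role

def valid_stack_name(name):
    return bool(STACK_NAME_RE.match(name))

def parse_accounts_csv(text):
    """Return [(account_id, account_name), ...] from the Step 1 format; the
    optional email column is ignored and blank lines are skipped."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) < 2 or not re.fullmatch(r"\d{12}", fields[0]):
            raise ValueError(f"bad CSV line: {line!r}")
        accounts.append((fields[0], fields[1]))
    return accounts

def create_stack_args(stack_name, template_body):
    """Arguments for CloudFormation CreateStack. The template creates an IAM
    role, so the IAM capability must be acknowledged explicitly; this is the
    checkbox the console shows on the Review page."""
    if not valid_stack_name(stack_name):
        raise ValueError(f"invalid stack name: {stack_name!r}")
    return {"StackName": stack_name, "TemplateBody": template_body,
            "Capabilities": ["CAPABILITY_NAMED_IAM"]}

def deploy(accounts, stack_name, template_body):
    """Assume ROLE_NAME in each account and create the stack there, waiting for
    each one to finish so a failure surfaces before the next account is touched."""
    import boto3  # only needed when actually deploying
    sts = boto3.client("sts")
    for account_id, name in accounts:
        creds = sts.assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
                                RoleSessionName="netskope-csa-setup")["Credentials"]
        cfn = boto3.client("cloudformation",
                           aws_access_key_id=creds["AccessKeyId"],
                           aws_secret_access_key=creds["SecretAccessKey"],
                           aws_session_token=creds["SessionToken"])
        cfn.create_stack(**create_stack_args(stack_name, template_body))
        cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
        print(f"{account_id} ({name}): stack {stack_name} created")

if __name__ == "__main__":
    csv_path, template_path, stack_name = sys.argv[1:4]
    with open(csv_path) as f, open(template_path) as t:
        deploy(parse_accounts_csv(f.read()), stack_name, t.read())
```

After the loop finishes, step 8 still applies: return to the Netskope UI and click Add Accounts so Netskope verifies the cross account role in each account.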
What happens in the process?

The CFT aws-instance-setup.yml creates an IAM role in your account whose trust policy lets Netskope assume it, and Netskope uses that role to enumerate and inspect the resources in your AWS environment. The role's policy grants the following permissions for the scan.

AWS Permission for Security Assessment    Purpose
s3:ListBucket                             Lists the objects in a specific bucket.
ses:ListIdentityPolicies                  Returns the sending authorization policies attached to the given identity (an email address or a domain).
s3:GetBucketAcl                           Returns the access control list (ACL) of a bucket (GET on the acl subresource).
s3:GetBucketLocation                      Returns the region a bucket is in (GET on the location subresource).
s3:ListAllMyBuckets                       Returns a list of all buckets owned by the authenticated sender of the request.
dynamodb:ListTagsOfResource               Lists all tags on an Amazon DynamoDB resource.
sqs:ListDeadLetterSourceQueues            Returns the queues whose RedrivePolicy attribute points to the specified dead-letter queue.
sqs:GetQueueUrl                           Returns the URL of an existing queue.
sqs:GetQueueAttributes                    Gets attributes for the specified queue.
lambda:Get*                               Read access to Lambda: alias details (alias ARN, description, and the function version the alias points to), function configuration, and a presigned URL for downloading the function's deployment package.
lambda:List*                              Lists your Lambda functions and the aliases and versions of each function.
cloudwatch:GetMetricStatistics            Gets statistics for the specified metric.

Note

lambda:Get* and lambda:List* are wildcards, so they also cover any Get or List actions Lambda adds in future. lambda:GetFunction in particular returns a presigned URL from which the function's deployment package (its code) can be downloaded, so this grant reaches beyond configuration metadata.
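Before uploading the CFT (Step 2/2 asks you to review it, and the table above lists the permissions it is expected to contain), two things are worth checking mechanically: whether the role's trust policy names only the expected principal and requires an sts:ExternalId, the usual guard against the confused-deputy problem for vendor cross account roles, and whether every granted action is read-only. The script below is an added example, not Netskope's template or tooling; it parses a CloudFormation template (JSON as-is, YAML if PyYAML is installed) and reports both for every IAM role it finds. The embedded sample template is constructed: the account number and external id are placeholders, and s3:PutBucketAcl is included deliberately so the write-action check has something to flag. The script name audit_cft.py is an assumption.

```python
#!/usr/bin/env python3
"""Audit the cross account role in a CloudFormation template before deploying it.

Added example for this page, not Netskope's template or tooling. For every
AWS::IAM::Role it reports who may assume the role, whether the trust policy
requires an sts:ExternalId, the actions granted by inline policies, and any
action whose verb is not Get/List/Describe. Managed policy ARNs are listed,
not expanded. JSON templates parse as-is; YAML needs PyYAML installed.
Usage: python3 audit_cft.py aws-instance-setup.yml
"""
import json
import sys

READ_ONLY_PREFIXES = ("Get", "List", "Describe")

def load_template(text):
    """Parse JSON directly; for YAML, teach PyYAML's safe loader to keep
    CloudFormation tags such as !Sub and !Ref as plain values."""
    try:
        return json.loads(text)
    except ValueError:
        pass
    try:
        import yaml
    except ImportError:
        raise SystemExit("template is not JSON and PyYAML is not installed")

    def keep_tag(loader, suffix, node):
        if isinstance(node, yaml.ScalarNode):
            return loader.construct_scalar(node)
        if isinstance(node, yaml.SequenceNode):
            return loader.construct_sequence(node)
        return loader.construct_mapping(node)
    yaml.SafeLoader.add_multi_constructor("!", keep_tag)
    return yaml.safe_load(text)

def as_list(value):
    return value if isinstance(value, list) else [value]

def trust_summary(role):
    """(principals allowed to assume the role, whether an ExternalId is required)."""
    principals, external_id = [], False
    doc = role.get("Properties", {}).get("AssumeRolePolicyDocument", {})
    for stmt in as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "*" would let any AWS principal try
            principals.append(principal)
        else:
            for kind, who in principal.items():
                principals.extend(f"{kind}:{p}" for p in as_list(who))
        if "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {}):
            external_id = True
    return principals, external_id

def granted_actions(role):
    """Actions allowed by the role's inline policies, in order, without duplicates."""
    actions = []
    for policy in role.get("Properties", {}).get("Policies", []):
        for stmt in as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
            if stmt.get("Effect") == "Allow":
                for action in as_list(stmt.get("Action", [])):
                    if action not in actions:
                        actions.append(action)
    return actions

def non_read_only(actions):
    """Actions whose verb is not Get/List/Describe; '*' and 'service:*' count too."""
    flagged = []
    for action in actions:
        verb = action.split(":", 1)[1] if ":" in action else action
        if not verb.startswith(READ_ONLY_PREFIXES):
            flagged.append(action)
    return flagged

def audit(template):
    findings = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        principals, external_id = trust_summary(res)
        actions = granted_actions(res)
        findings[name] = {
            "principals": principals, "external_id": external_id, "actions": actions,
            "managed_policies": res.get("Properties", {}).get("ManagedPolicyArns", []),
            "write_actions": non_read_only(actions)}
    return findings

# Constructed sample shaped like a scanner's cross account role. The account
# number and external id are placeholders, not Netskope's; s3:PutBucketAcl is
# included on purpose so the write-action check has something to flag.
SAMPLE_TEMPLATE = json.dumps({"Resources": {"ScanRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]},
        "Policies": [{"PolicyName": "scan", "PolicyDocument": {"Statement": [{
            "Effect": "Allow", "Resource": "*",
            "Action": ["s3:ListBucket", "s3:GetBucketAcl", "lambda:Get*", "lambda:List*",
                       "cloudwatch:GetMetricStatistics", "s3:PutBucketAcl"]}]}}]}}}})

if __name__ == "__main__":
    body = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for role, f in audit(load_template(body)).items():
        print(f"{role}: assumable by {f['principals']}; ExternalId required: {f['external_id']}")
        print(f"  {len(f['actions'])} inline actions; not read-only: {f['write_actions'] or 'none'}")
```

The verb check is deliberately coarse: anything that is not Get, List or Describe is surfaced for a human to judge, which is the right default for a role a third party will assume. A principal of "*" or a missing ExternalId are both worth raising with the vendor before the stack is created.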