Netskope Help

Configure Amazon Web Services for Continuous Security Assessment

Netskope Public Cloud Security enables you to simultaneously configure multiple AWS accounts in a single region for Continuous Security Assessment (CSA).

The setup uses a CloudFormation template (CFT), aws-instance-setup.yml, that is customized with the permissions required for Netskope for IaaS to assume an IAM role. The IAM role enables Netskope to scan for all the resources in your AWS environment and continuously assess your public cloud deployments to mitigate risk, detect threats, scan and protect sensitive data, and monitor for regulatory compliance.

To learn more, see the "What happens in the process?" section in Step 2/2: Configure AWS Permissions for CSA.

You can view detailed information about all the events and scan results under API-enabled Protection > Compliance > Security Posture.


Before you begin the setup process, make a list of the AWS account numbers you want to configure for CSA, along with their account names and admin email addresses. The email address is optional.

An account name will help you easily identify the AWS account in the Netskope tenant.


Netskope recommends using the same account name as the AWS account alias. If an account alias is not available for the AWS account, then provide an account name for the AWS account.

To learn more about creating a list of AWS account numbers, see "Creating a CSV file" in Step 1/2: Configure AWS Accounts & Services for CSA.

Additionally, ensure that you have access to the following AWS services.

  • AWS Lambda

  • Amazon CloudWatch

  • AWS CloudFormation
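
The account list described above can be checked before it is uploaded. The following is an added example, not Netskope code: the column order (account number, account name, optional admin email) is an assumption rather than the documented CSV layout, and the sample rows are constructed. It flags account numbers that are not 12 digits (spreadsheets often strip leading zeros), duplicate accounts, missing names, and malformed email addresses.

```python
import csv
import io
import re

# Assumed column order (not Netskope's documented layout):
# account number, account name, admin email (optional, per the page).
ACCOUNT_ID_RE = re.compile(r"[0-9]{12}")            # AWS account IDs are 12 digits
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # loose sanity check only

def validate_account_list(text):
    """Return (accounts, problems) for a comma-separated account list."""
    accounts, problems, seen = [], [], {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        cells = [c.strip() for c in row] + ["", ""]  # pad short rows
        acct, name, email = cells[:3]
        errs = []
        if not ACCOUNT_ID_RE.fullmatch(acct):
            msg = "account number %r is not 12 digits" % acct
            if acct.isdigit() and len(acct) < 12:
                msg += " (leading zeros may have been stripped)"
            errs.append(msg)
        elif acct in seen:
            errs.append("account number duplicates line %d" % seen[acct])
        if not name:
            errs.append("account name is missing")
        if email and not EMAIL_RE.fullmatch(email):
            errs.append("admin email %r looks malformed" % email)
        if errs:
            problems.extend("line %d: %s" % (lineno, e) for e in errs)
            continue
        seen[acct] = lineno
        accounts.append({"account_id": acct, "account_name": name,
                         "admin_email": email or None})
    return accounts, problems

# Constructed sample input; every ID, name and address is made up.
SAMPLE = """\
111122223333,prod-payments,cloud-admin@example.com
012345678901,dev-sandbox,
12345678901,staging,ops@example.com
111122223333,prod-copy,
444455556666,,owner@example.com
777788889999,analytics,not-an-email
"""

if __name__ == "__main__":
    for problem in validate_account_list(SAMPLE)[1]:
        print(problem)
```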