Netskope Help

Configure Amazon Web Services S3 for DLP Scanning and Threat Protection

Netskope Public Cloud Security enables you to simultaneously configure multiple AWS accounts in a single region for Storage Scan, which includes DLP Scan and Threat Protection (Malware Scan). Netskope performs DLP scans on your S3 buckets based on the DLP policies you have configured. A DLP scan is performed only if you have configured a DLP policy. If your Netskope tenant has Threat Protection enabled, then Netskope performs Malware scans on your S3 buckets.

Netskope scans S3 buckets for DLP violations and malware with improved efficiency using CloudWatch events.

The setup uses a CloudFormation Template (CFT), aws-instance-setup.yml, that is customized with the permissions Netskope for IaaS needs to create an IAM cross-account role. The role gives Netskope access to create a CloudWatch event stack called NetskopeStack in all regions of every AWS account added to the Netskope tenant. This stack subscribes the AWS accounts to Netskope's notification receiver, which receives the CloudWatch events generated by write, update, and delete operations performed on S3 buckets in your AWS accounts.

To learn more, see the "What happens in the process?" section in Step 2/2: Configure AWS Permissions for Storage Scanning.
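The two pieces described above, a cross-account IAM role and a per-region CloudWatch Events rule that forwards S3 object API events to the scanning account, sketched as an added illustrative template. This is not Netskope's aws-instance-setup.yml or the NetskopeStack it creates: the ScannerAccountId and ExternalId parameters, the role names, and the read-only S3 policy are assumptions, and the receiving event bus in the scanning account would still need its own resource policy to accept the forwarded events.

```yaml
Parameters:
  ScannerAccountId: { Type: String, Description: "Scanning service's AWS account ID (placeholder)" }
  ExternalId: { Type: String, NoEcho: true, Description: "External ID expected on AssumeRole (assumed)" }
Resources:
  # Cross-account role the scanner assumes; the external ID condition blocks confused-deputy use
  ScannerCrossAccountRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { AWS: !Sub "arn:aws:iam::${ScannerAccountId}:root" }
            Action: sts:AssumeRole
            Condition: { StringEquals: { sts:ExternalId: !Ref ExternalId } }
      Policies:
        - PolicyName: ReadBucketsForScanning   # read-only: DLP/malware scanning needs no write or delete
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - { Effect: Allow, Resource: "*",
                  Action: [s3:ListAllMyBuckets, s3:GetBucketLocation, s3:ListBucket, s3:GetObject] }
  # Role CloudWatch Events uses to put matched events onto the scanner's event bus
  EventForwardRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Action: sts:AssumeRole, Principal: { Service: events.amazonaws.com } }
      Policies:
        - PolicyName: PutEventsToScannerBus
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - { Effect: Allow, Action: events:PutEvents,
                  Resource: !Sub "arn:aws:events:${AWS::Region}:${ScannerAccountId}:event-bus/default" }
  # Matches S3 object write/update/delete API calls; requires CloudTrail S3 data events in this region
  S3ObjectChangeRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source: [aws.s3]
        detail-type: ["AWS API Call via CloudTrail"]
        detail: { eventSource: [s3.amazonaws.com],
                  eventName: [PutObject, CopyObject, CompleteMultipartUpload, DeleteObject, DeleteObjects] }
      Targets:
        - Id: ScannerEventBus
          RoleArn: !GetAtt EventForwardRole.Arn
          Arn: !Sub "arn:aws:events:${AWS::Region}:${ScannerAccountId}:event-bus/default"
```

Because CloudWatch Events rules are regional, a stack like this has to be deployed in every region whose buckets should be covered, which is why the text describes NetskopeStack being created in all regions.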


The IaaS Storage Scan (DLP and Threat Protection) feature does not support quarantine and legal hold functionality. If you have configured a DLP or Malware quarantine profile with an external storage provider such as OneDrive, the file is copied to that location; however, it is not removed from its original location in the public cloud storage, AWS S3.


Before you begin the setup process, ensure that: