Netskope Help

Configure Amazon Web Services

More than 90% of Netskope customers use IaaS services like Amazon Web Services (AWS) and the number is increasing. This adoption comes with a shared responsibility model for cloud security, where customers are responsible for securing data stored in AWS. Due to the dynamic nature of AWS, organizations struggle to continuously monitor their environments for misconfigurations and vulnerabilities, leaving them without a clear and accurate view into their security posture. In addition, as more workloads move to AWS, the risk of sensitive data loss and threats like malware and ransomware persist. Netskope allows enterprises to safely enable Amazon Web Services with 360° data protection, advanced threat protection, continuous security assessment, and real-time controls, all delivered from a cloud-native platform that secures SaaS, Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).

With Netskope’s integration with CloudWatch, you can see granular details about administrator activity across the organization and drill down to see whether multiple instances are configured, or to a specific user or administrator, an object, a specific activity, and more. Additionally, Netskope differentiates between instances, such as production, a development sandbox, and a test instance, so admins can set varying security policies and access controls. Netskope provides a complete audit trail of IAM, EC2, S3, Lambda, Route 53 and other AWS services so that security professionals can monitor and track all activities and changes to resources as well as place contextual controls for security and access.

Policies can be applied to real-time activities, such as uploads to and downloads from S3 buckets. Select S3 buckets in any region and have their files scanned for DLP violations. Block certain users from downloading or uploading sensitive files stored in S3.

AWS environments are dynamic and need to be continuously monitored for misconfigurations and vulnerabilities. With Netskope, you can get a clear picture of your cloud security posture and see how the environment is performing against standards and best practices like CIS (Center for Internet Security) benchmarks.

To configure Amazon Web Services (AWS) for CloudTrail (audit reports), S3 bucket (API Data Protection), and Security Assessment, you need to grant permissions for Netskope to provide visibility into your AWS CloudTrail web service and S3 buckets. Recorded information includes user, time, source IP, and the request and response parameters of the API call for all CloudTrail, CloudWatch, KMS, IAM, EC2 and S3 services.

There are two configuration options for this procedure. Select the option that matches your requirement.

  • Configure AWS for Continuous Security Assessment

  • Configure AWS S3 for Storage Scanning - This includes DLP Scanning and Threat Protection.


    Netskope now supports DLP scanning on Snowflake as a service that runs on top of AWS S3. For more information, refer to the respective third-party documentation of Snowflake and AWS.

Supported AWS regions

Continuous Security Assessment (CSA) and Storage Scanning configurations are supported on all the default regions of AWS. For a complete list of AWS regions that are enabled by default, refer to AWS documentation. Netskope CSA and Storage Scan can also function in manually enabled regions such as Hong Kong (ap-east-1) and Bahrain (me-south-1).
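
The following is an added example, not Netskope code: it flattens a CloudTrail log file into the recorded fields listed earlier (user, time, source IP, request and response parameters) for the six named services, and marks calls made in the manually enabled regions mentioned above. The helper names and the sample records are constructed for illustration; the JSON field names are CloudTrail's own.

```python
import json

# eventSource values for the services the page lists (CloudWatch API calls
# are logged by CloudTrail under monitoring.amazonaws.com).
AUDITED_SOURCES = {"cloudtrail.amazonaws.com", "monitoring.amazonaws.com",
                   "kms.amazonaws.com", "iam.amazonaws.com",
                   "ec2.amazonaws.com", "s3.amazonaws.com"}
# Manually enabled regions named on the page (Hong Kong, Bahrain).
OPT_IN_REGIONS = {"ap-east-1", "me-south-1"}

def actor(identity):
    """Pick the most specific caller name CloudTrail recorded."""
    identity = identity or {}
    return (identity.get("arn") or identity.get("userName")
            or identity.get("invokedBy") or identity.get("type", "unknown"))

def audit_rows(log_text):
    """Flatten a CloudTrail log file into the fields the page enumerates."""
    rows = []
    for rec in json.loads(log_text).get("Records", []):
        source = rec.get("eventSource", "")
        if source not in AUDITED_SOURCES:
            continue  # service outside the list above
        rows.append({
            "user": actor(rec.get("userIdentity")),
            "time": rec.get("eventTime"),
            "source_ip": rec.get("sourceIPAddress"),
            "call": source.split(".")[0] + ":" + rec.get("eventName", "?"),
            "region": rec.get("awsRegion"),
            "opt_in_region": rec.get("awsRegion") in OPT_IN_REGIONS,
            "request": rec.get("requestParameters"),   # can be null
            "response": rec.get("responseElements"),   # can be null
            "error": rec.get("errorCode"),             # absent on success
        })
    return rows

# Constructed sample records (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "alice"},
     "responseElements": {"accessKey": {"status": "Active"}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "awsRegion": "ap-east-1",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/dev/bob"},
     "requestParameters": {"bucketName": "example-bucket"}, "responseElements": None},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser"}},
]})
```

Calling `audit_rows(SAMPLE_LOG)` returns two rows; the STS record is skipped because that service is not in the list.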