Netskope Help

Configure AWS CloudTrail for Audit Reports

Adding the Netskope app to your AWS account has these requirements:

  • Create or have access to an existing S3 bucket, SNS topic, and CloudTrail trail.

  • Create a role for Netskope to grant permissions.

To configure AWS CloudTrail for Netskope:

  1. Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and navigate to Settings > API Data Protection > Cloud Infrastructure.

  2. Select the AWS icon, and then click Setup.

    The New Setup window opens.

  3. Under Follow these instructions before proceeding:, note the Netskope Account ID and Netskope External ID. You need to enter these into the AWS console in steps 11-12.

  4. Log in to the AWS console.

  5. In the AWS Management Console, navigate to Services > Management & Governance and click CloudTrail.

  6. In the left navigation bar, click Trails, and then click Create trail (or select an existing trail).

  7. For a new trail, enter these parameters:

    • Trail name: Enter a unique name.

    • Apply trail to all regions: Yes

    • Management events > Read/Write events: All

    • Data events: Keep the setting unchanged.

    • Create a new S3 bucket: Yes

      Note

      You can use an existing S3 bucket as an option.

    • S3 bucket: New S3 bucket where you would like your logs delivered. CloudTrail creates the bucket and applies the appropriate policy.

    • Click Advanced

      • (Optional) Encrypt log files with SSE-KMS: Yes

        This step is optional. You can keep the default setting of No. However, it is recommended that you encrypt your CloudTrail log files to avoid CSA benchmark noncompliance.

      • (Optional) Create a new KMS key: You can either create a new KMS key or use an existing one.

      • (Optional) KMS key: Based on the selection from the earlier step, you can either enter a new KMS key or select an existing key from the drop-down list.

        Note

        If you use an existing KMS key, you should edit the policy of the customer managed key (CMK) to decrypt a CloudTrail log file. For more information, see Permissions Required to Decrypt a CloudTrail Log File.

      • Enable log file validation: Yes

      • Send SNS notification for every log file delivery: Yes

      • Create a new SNS topic: If you select Yes, enter the new SNS topic name in the SNS topic field in the next step. If you select No, select an existing topic from the SNS topic drop-down list in the next step.

      • SNS topic: Based on the selection from the earlier step, you can either enter a new SNS topic name or select an existing topic from the drop-down list.

      When finished, click Create.

      Note

      Note the CloudTrail name and region you just created. You need to enter these in the Netskope UI when you create your AWS instance.

  8. Navigate to Services > Security, Identity & Compliance and click IAM.

  9. In the left navigation bar, click Roles and then Create role.

  10. In the Select type of trusted entity page, select Another AWS account.

  11. Enter the account ID you noted from the Netskope UI in step 3.

  12. Select the Require external ID checkbox and enter the external ID you noted from the Netskope UI in step 3.

    Note

    Leave the Require MFA checkbox unchecked.

  13. Click Next: Permissions.

  14. In the Attach permissions policies page, add the SecurityAudit policy and click Next: Tags.

  15. In the Add tags (optional) page, do not add any IAM tags and click Next: Review.

  16. In the Review page, enter a role name and then click Create role.

  17. After creating a role, you need to attach a policy to it. In the Roles page, click on the role you just created.

  18. On the Permissions tab, click + Add inline policy. In the Create Policy page, enter the following details:

    1. From the Service drop-down list, select SNS.

    2. From the Actions drop-down list, select ConfirmSubscription, Subscribe, and Unsubscribe.

    3. In the Resources field, select All resources.

    4. Click Add additional permissions.

    5. From the Service drop-down list, select S3.

    6. From the Actions drop-down list, select GetObject.

    7. In the Resources field, select All resources.

    8. Click Add additional permissions.

    9. From the Service drop-down list, select CloudTrail.

    10. From the Actions drop-down list, select DescribeTrails and LookupEvents.

    The inline policy definition should look like this in JSON format. You can click the JSON tab to view the policy script.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "cloudtrail:LookupEvents",
                    "sns:Unsubscribe",
                    "sns:Subscribe",
                    "sns:ConfirmSubscription",
                    "cloudtrail:DescribeTrails"
                ],
                "Resource": "*"
            }
        ]
    }

  19. Click Review Policy.

  20. Enter the name of the policy and click Create Policy.

  21. In the Summary page, note the Role ARN value. You need to enter this in the Netskope UI when you create your AWS instance.
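The role created in steps 9-20 is a cross-account role: the Netskope account assumes it, and the external ID from step 12 is what stops an unrelated party from asking Netskope to assume it on their behalf. The following Python script is an added example, not Netskope's or AWS's code. It builds the trust policy the console generates for "Another AWS account" with "Require external ID" (steps 10-12) and the inline policy from step 18, then checks both for the slips that commonly creep in when these are edited by hand: a wildcard principal, a missing sts:ExternalId condition, an MFA condition the procedure says to leave off, or an action beyond the six selected. The account ID and external ID are constructed placeholders; the real values come from the Netskope UI in step 3.

```python
"""Build and sanity-check the IAM role artefacts from steps 10-18.

Added example, not Netskope's or AWS's code. The account and external IDs
below are constructed placeholders; the policy contents mirror the steps.
"""
import json

# Constructed placeholder values; the real ones are shown in the Netskope UI (step 3).
NETSKOPE_ACCOUNT_ID = "111111111111"
NETSKOPE_EXTERNAL_ID = "example-external-id"

# The six actions selected in step 18 (sub-steps 1-10).
INLINE_POLICY_ACTIONS = [
    "sns:ConfirmSubscription",
    "sns:Subscribe",
    "sns:Unsubscribe",
    "s3:GetObject",
    "cloudtrail:DescribeTrails",
    "cloudtrail:LookupEvents",
]


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to steps 10-12: the other account may assume
    the role only when it presents the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def build_inline_policy(actions=INLINE_POLICY_ACTIONS) -> dict:
    """Inline policy equivalent to step 18 (All resources)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor0", "Effect": "Allow",
             "Action": sorted(actions), "Resource": "*"}
        ],
    }


def check_trust_policy(policy: dict) -> list:
    """Return findings; an empty list means the trust policy matches the procedure."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal to assume the role")
        condition = stmt.get("Condition", {})
        if "sts:ExternalId" not in condition.get("StringEquals", {}):
            findings.append("missing sts:ExternalId condition (required in step 12)")
        if "aws:MultiFactorAuthPresent" in json.dumps(condition):
            findings.append("Require MFA is set; step 12 says to leave it unchecked")
    return findings


def check_inline_policy(policy: dict) -> list:
    """Flag any action beyond the six the procedure selects."""
    allowed = set(INLINE_POLICY_ACTIONS)
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.extend(f"unexpected action {a}" for a in actions if a not in allowed)
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(NETSKOPE_ACCOUNT_ID, NETSKOPE_EXTERNAL_ID)
    inline = build_inline_policy()
    print(json.dumps(trust, indent=4))
    print(json.dumps(inline, indent=4))
    print("trust findings:", check_trust_policy(trust))
    print("inline findings:", check_inline_policy(inline))
```

Running the script prints both policies as JSON and two empty findings lists. Pasting the role's actual trust relationship into check_trust_policy is a quick way to confirm, after the fact, that the external ID condition survived any later edits to the role.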

Permissions Required to Decrypt a CloudTrail Log File

You should edit the policy of the customer managed key (CMK) to ensure Netskope can decrypt the CloudTrail log files. Follow the instructions below.

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Click the key that you used while creating a CloudTrail.

  5. Under the Key policy tab, click Edit.

  6. Enter the following piece of code to decrypt a CloudTrail log:

    {
        "Sid": "Enable cross account log decryption",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "kms:Decrypt",
            "kms:ReEncryptFrom"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:CallerAccount": "[account-id]"
            },
            "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:[account-id]:trail/*"
            }
        }
    }

    Note

    Replace the [account-id] parameter with the AWS account ID number. To find your AWS account ID number on the AWS Management Console, choose Support on the navigation bar on the upper-right, and then choose Support Center. Your currently signed-in account number (ID) appears in the Support Center title bar.

  7. Click Save changes.
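Step 6 adds a statement to a key policy that already has content; the default statement AWS writes for a new CMK (the account root's "Enable IAM User Permissions") has to stay, or the key can no longer be administered. The Python script below is an added example, not Netskope's or AWS's code. It fills in the statement from step 6, merges it into an existing key policy by Sid so the edit is safe to repeat, and checks that the wildcard principal is still narrowed by both conditions (the caller's account and a CloudTrail encryption context), which is the only reason "AWS": "*" is acceptable here. The account ID and the sample existing key policy are constructed placeholders.

```python
"""Merge the step 6 decryption statement into an existing CMK key policy.

Added example, not Netskope's or AWS's code. The account ID and the sample
key policy are constructed placeholders.
"""
import copy
import json

DECRYPT_SID = "Enable cross account log decryption"


def cloudtrail_decrypt_statement(account_id: str) -> dict:
    """The statement from step 6 with [account-id] filled in."""
    return {
        "Sid": DECRYPT_SID,
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {"kms:CallerAccount": account_id},
            "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn":
                    f"arn:aws:cloudtrail:*:{account_id}:trail/*"
            },
        },
    }


def merge_statement(key_policy: dict, statement: dict) -> dict:
    """Return a copy of key_policy with `statement` added, or replaced if a
    statement with the same Sid is already present. Existing statements,
    including the default root statement, are preserved."""
    merged = copy.deepcopy(key_policy)
    statements = merged.setdefault("Statement", [])
    for i, existing in enumerate(statements):
        if existing.get("Sid") == statement["Sid"]:
            statements[i] = statement
            break
    else:
        statements.append(statement)
    return merged


def check_decrypt_statement(stmt: dict) -> list:
    """Findings for a kms:Decrypt grant with Principal '*'. Both conditions
    must be present, or the grant is far wider than the procedure intends."""
    findings = []
    condition = stmt.get("Condition", {})
    caller = condition.get("StringEquals", {}).get("kms:CallerAccount")
    if not caller or caller == "*":
        findings.append("kms:CallerAccount condition missing or wildcard")
    context = condition.get("StringLike", {}).get("kms:EncryptionContext:aws:cloudtrail:arn", "")
    if not context.startswith("arn:aws:cloudtrail:"):
        findings.append("encryption-context condition does not pin CloudTrail")
    if "[account-id]" in json.dumps(stmt):
        findings.append("[account-id] placeholder was not replaced")
    return findings


# Constructed sample of the default policy AWS writes for a new CMK.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    stmt = cloudtrail_decrypt_statement("222222222222")
    updated = merge_statement(SAMPLE_KEY_POLICY, stmt)
    print(json.dumps(updated, indent=4))
    print("findings:", check_decrypt_statement(stmt))
```

The printed policy is what you would paste into the Key policy editor in step 5. Because merge_statement matches on Sid, running it against a policy that already contains the statement replaces it rather than adding a duplicate, so re-running after changing the account ID is safe.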

Create an AWS Instance in API Data Protection

To create an AWS instance in API Data Protection:

  1. Log in to the Netskope tenant UI.

  2. Navigate to Settings > API Data Protection > Cloud Infrastructure > AWS > Setup.

  3. The New Setup window opens. Enter the following parameters:

    • AWS Account Name: Enter a unique name for the AWS account.

    • Admin email: Enter the email address that receives an email notification when a policy is triggered.

      Note

      You can set a notification on the Policies > API Data Protection > NEW POLICY wizard page.

    • Connection Type:

      Note

      Some of the instance type options may be disabled. Contact your Netskope sales representative for additional information.

      • Audit Log Collection: Select this option to use your AWS CloudTrail to scan audit logs.

    • Role: Enter the Amazon Resource Name (ARN) of the IAM role you noted in step 21.

    • CloudTrail Name: To scan audit reports, enter the name of the CloudTrail created in step 7.

    • CloudTrail Region: To scan audit reports, enter the region code for the CloudTrail. To identify the region in the AWS console:

      1. Log in to the AWS console.

      2. In the AWS services page, go to All Services > Management Tools and click CloudTrail.

      3. In the left navigation bar, click Trails.

      4. Hover the mouse over All and note the region name.

        [Figure: AWSCloudTrailRegion.png]

      5. Use this URL to determine the code associated with the region name:

        https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions

  4. Click Save, then click Grant Access for the AWS instance you just created.

Refresh your browser, and you should see a green check icon next to the instance name. Netskope creates a subscription to the SNS topic you created and starts receiving logs.