Netskope Help

Configure AWS for Continuous Security Assessment

Tip

If you have already set up an instance for CloudTrail and want to scan an S3 bucket or Security Assessment, simply attach the permissions required for CloudTrail or Security Assessment to the existing role, and then enable the CloudTrail or Security Assessment check-boxes in the Netskope UI.

Note

Netskope normalizes the term "Account" to support cross-CSP summaries; the normalized "Account" field maps to the AWS account.

To configure AWS for continuous security assessment:

  1. Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and navigate to Settings > API Data Protection > Cloud Infrastructure.

  2. Select the AWS icon, and then click SETUP.

    The New Setup window opens.

  3. Under AWS Role, note the Netskope Account ID and Netskope External ID. You need to enter these into the AWS console in steps 8-9.

  4. Log in to AWS console.

  5. Navigate to Services > Security, Identity & Compliance and click IAM.

  6. In the left navigation bar, click Roles and then Create role.

  7. In the Select type of trusted entity page, select Another AWS account.

  8. Enter the account ID you noted from the Netskope UI in step 3.

  9. Select the Require external ID checkbox and enter the external ID you noted from the Netskope UI in step 3. The external ID is the confused-deputy guard for cross-account access: without it, anyone who knows the Netskope account ID could ask Netskope to assume a role in your account. It must match the value in the Netskope UI exactly.

    Note

    Leave the Require MFA checkbox unchecked. Netskope assumes the role programmatically through STS, so an MFA condition on the trust policy would only make the AssumeRole call fail.

  10. Click Next: Permissions.

  11. In the Attach permissions policies page, add the SecurityAudit policy and click Next: Tags.

  12. In the Add tags (optional) page, do not add any IAM tags and click Next: Review.

  13. In the Review page, enter a role name and then click Create role.

  14. After creating a role, you need to attach a policy to it. In the Roles page, click on the role you just created.

  15. On the Permissions tab, click + Add inline policy. In the Create Policy page, enter the following details:

    1. From the Service drop-down list, select DynamoDB.

    2. From the Actions drop-down list, select ListTagsOfResource.

    3. In the Resources field, select All resources.

    4. Click Add additional permissions.

    5. From the Services drop-down list, select SES.

    6. From the Actions drop-down list, select ListIdentityPolicies.

    7. Click Add additional permissions.

    8. From the Service drop-down list, select Lambda.

    9. From the Actions drop-down list, select every action whose name starts with Get or List (these are the lambda: entries in the JSON policy shown after step 17).

    10. In the Resources field, select All resources.

    11. Click Add additional permissions.

    12. From the Service drop-down list, select S3.

    13. From the Actions drop-down list, select GetBucketAcl, GetBucketLocation, GetObject, GetObjectAcl, ListAllMyBuckets, and ListBucket (this matches the s3: entries in the JSON policy shown after step 17).

    14. In the Resources field, select All resources.

    15. Click Add additional permissions, and then from the Service drop-down list, select SQS.

    16. From the Actions drop-down list, select ListDeadLetterSourceQueues, ListQueues, GetQueueAttributes, and GetQueueUrl.

    17. In the Resources field, select All resources.

    The inline policy definition should look like this in JSON format. You can click the JSON tab to view the policy script.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "lambda:ListVersionsByFunction",
                    "lambda:GetLayerVersion",
                    "dynamodb:ListTagsOfResource",
                    "s3:ListBucket",
                    "lambda:GetAccountSettings",
                    "lambda:GetFunctionConfiguration",
                    "lambda:GetLayerVersionPolicy",
                    "s3:GetObjectAcl",
                    "lambda:ListLayerVersions",
                    "lambda:ListLayers",
                    "lambda:GetAlias",
                    "sqs:ListQueues",
                    "sqs:GetQueueUrl",
                    "lambda:ListFunctions",
                    "lambda:GetEventSourceMapping",
                    "lambda:GetFunction",
                    "lambda:ListAliases",
                    "sqs:GetQueueAttributes",
                    "s3:GetBucketAcl",
                    "ses:ListIdentityPolicies",
                    "s3:GetObject",
                    "sqs:ListDeadLetterSourceQueues",
                    "s3:ListAllMyBuckets",
                    "lambda:ListEventSourceMappings",
                    "s3:GetBucketLocation",
                    "lambda:GetPolicy"
                ],
                "Resource": "*"
            }
        ]
    }

  16. Click Review policy.

  17. Enter the name of the policy and click Create Policy.

  18. In the Summary page, copy the Role ARN value. You need to enter this in the Netskope UI when you create your AWS instance.
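The console steps above can also be done, and more importantly verified, from code. The following is an added example (not Netskope tooling) that builds the same trust policy and inline policy as steps 7 through 17, audits a trust policy for the weaknesses the procedure is designed to avoid (a principal wider than the Netskope account, a missing sts:ExternalId condition, an MFA condition), and optionally creates the role with boto3. The Netskope account ID, external ID and role names are placeholders; take the real IDs from your tenant UI.

```python
"""Build, audit and (optionally) create the IAM role that Netskope assumes.

Added example, not Netskope's own code. The account ID and external ID below
are assumed placeholders; copy the real values from the Netskope New Setup
window. create_role() needs boto3 and AWS credentials; everything else runs
offline.
"""
import json

NETSKOPE_ACCOUNT_ID = "123456789012"            # placeholder, from Netskope UI
NETSKOPE_EXTERNAL_ID = "example-external-id"    # placeholder, from Netskope UI
ROLE_NAME = "NetskopeSecurityAssessment"        # any name you choose (step 13)
INLINE_POLICY_NAME = "NetskopeSecurityAssessmentRead"  # any name (step 17)
SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"  # step 11

# Read-only actions of the inline policy in step 15, grouped by service.
INLINE_ACTIONS = {
    "dynamodb": ["ListTagsOfResource"],
    "ses": ["ListIdentityPolicies"],
    "lambda": ["GetAccountSettings", "GetAlias", "GetEventSourceMapping",
               "GetFunction", "GetFunctionConfiguration", "GetLayerVersion",
               "GetLayerVersionPolicy", "GetPolicy", "ListAliases",
               "ListEventSourceMappings", "ListFunctions", "ListLayerVersions",
               "ListLayers", "ListVersionsByFunction"],
    "s3": ["GetBucketAcl", "GetBucketLocation", "GetObject", "GetObjectAcl",
           "ListAllMyBuckets", "ListBucket"],
    "sqs": ["GetQueueAttributes", "GetQueueUrl", "ListDeadLetterSourceQueues",
            "ListQueues"],
}


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to steps 7-9: only the Netskope account may
    assume the role, and only when it presents the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_inline_policy() -> dict:
    """Inline policy of step 15: the same 26 actions as the JSON on the page."""
    actions = sorted(f"{svc}:{act}"
                     for svc, acts in INLINE_ACTIONS.items() for act in acts)
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "NetskopeRead", "Effect": "Allow",
                           "Action": actions, "Resource": "*"}]}


def audit_trust_policy(doc: dict, account_id: str, external_id: str) -> list:
    """Findings for a trust policy that is wider than this setup needs.
    Run it over the role's real AssumeRolePolicyDocument after creation and
    whenever the trust policy changes."""
    findings = []
    expected_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws_list = [aws] if isinstance(aws, str) else (aws or [])
        if any(p == "*" or p not in (expected_arn, account_id) for p in aws_list):
            findings.append(f"principal not limited to account {account_id}: {aws_list}")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong: no confused-deputy guard")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true":
            findings.append("MFA condition present: Netskope cannot satisfy it (step 9 note)")
    return findings


def create_role(role_name: str = ROLE_NAME, account_id: str = NETSKOPE_ACCOUNT_ID,
                external_id: str = NETSKOPE_EXTERNAL_ID) -> str:
    """Create the role (steps 6-17) and return its ARN for step 18.
    Needs credentials with iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy."""
    import boto3  # imported here so the offline functions above do not need it
    iam = boto3.client("iam")
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(account_id, external_id)),
        Description="Read-only cross-account role assumed by Netskope Security Assessment")
    iam.attach_role_policy(RoleName=role_name, PolicyArn=SECURITY_AUDIT_ARN)
    iam.put_role_policy(RoleName=role_name, PolicyName=INLINE_POLICY_NAME,
                        PolicyDocument=json.dumps(build_inline_policy()))
    return role["Role"]["Arn"]


if __name__ == "__main__":
    trust = build_trust_policy(NETSKOPE_ACCOUNT_ID, NETSKOPE_EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print(json.dumps(build_inline_policy(), indent=2))
    print("trust policy findings:", audit_trust_policy(trust, NETSKOPE_ACCOUNT_ID, NETSKOPE_EXTERNAL_ID))
    # print(create_role())  # run with real IDs and AWS credentials
```

The audit is the part worth keeping after setup: the console makes it easy to later "simplify" the trust policy to a wildcard principal or drop the external ID condition, and either change lets a party other than your Netskope tenant assume a role that can read every bucket object in the account.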

Create an AWS Instance in API Data Protection

To create an AWS instance in API Data Protection:

  1. Log in to the Netskope tenant UI.

  2. Navigate to Settings > API Data Protection > Cloud Infrastructure > AWS > SETUP.

  3. The New Setup window opens. Enter the following parameters:

    • AWS Account Name: Enter a unique name of the AWS account.

    • Admin email: Enter the email address to receive email notification when a policy is triggered.

      Note

      You can set a notification on the Policies > API Data Protection > NEW POLICY wizard page.

    • Connection Type:

      Note

      Some of the connection type options may be disabled. Contact your Netskope sales representative for additional information.

      • Security Assessment: Select this option to assess your AWS resources. You can also choose the interval at which the assessment runs (30 minutes, 60 minutes, 2 hours, 6 hours, or 24 hours).

        Note

        Netskope recommends setting the interval to 60 minutes or more.

    • Role: Enter the Amazon Resource Name (ARN) of the IAM role you copied in step 18 of the previous procedure.

      Note

      CloudTrail name and region are not required for Security Assessment.

  4. Click Save, then click Grant Access for the AWS instance you just created.

Refresh your browser; a green check icon should appear next to the instance name. Navigate to the Policies > Security Assessment page to create a security assessment policy, profile, and rule. Once you create a policy, Netskope accesses and analyzes the posture of the AWS resources and alerts the administrator about risks and possible remediation. You can view the AWS security assessment dashboard by navigating to the Cloud Infrastructure page.