Netskope Help

Configure AWS S3 for DLP Scanning and Threat Protection

Adding the Netskope app to your AWS account has these requirements:

  • Create or have access to an existing S3 bucket, SNS topic, and CloudTrail service.

  • Create an IAM role that grants Netskope the required permissions.

Important

  • Up to release 49, S3 bucket notifications were sent to Netskope directly through the SNS topic. Starting with release 50, the CloudTrail subscription uses the SNS topic to send S3 bucket-related notifications to Netskope, so you must create a CloudTrail trail or reuse an existing one. For more information, read the KB article located here.

  • The IaaS Storage Scan (DLP and Threat Protection) feature does not support quarantine or legal hold. If you have configured a DLP or malware quarantine profile with an external storage provider such as OneDrive, the file is copied to that location, but it is not removed from its original location in the public cloud storage (AWS S3).

Configure an S3 Bucket, SNS Topic, and CloudTrail Service

To configure AWS S3/CloudTrail for DLP scanning:

  1. Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and navigate to Settings > API-enabled Protection > IaaS.

  2. Select the AWS icon, and then click SETUP.

    The New Setup window opens.

  3. Under AWS Role, note the Netskope Account ID and Netskope External ID. You need to enter these into the AWS console in steps 11-12.

  4. Log in to the AWS console.

  5. In the AWS services page, navigate to All Services > Management Tools and click CloudTrail.

  6. In the left navigation bar, click Trails, and then click Create trail (or select an existing trail).

  7. For a new trail, enter these parameters:

    • Trail name: Enter a unique name.

    • Apply trail to all regions: Yes

    • Management events > Read/Write events: All

    • Enable data events for S3 bucket(s). To do so:

      1. Navigate to the Data events section and select the S3 tab.

      2. Either select all S3 buckets in your account or add a specific S3 bucket.

      3. Select the Read and Write checkboxes.

      Note

      Additional charges may apply once you enable data events for S3 buckets.

    • Create a new S3 bucket: Yes

      Note

      You can use an existing S3 bucket as an option.

    • S3 bucket: Name of the new bucket to which CloudTrail delivers its logs. CloudTrail creates the bucket and applies the bucket policy that allows log delivery.

    • Click Advanced

      • (Optional) Encrypt log files with SSE-KMS: Yes

        This step is optional and the default is No. However, encrypting your CloudTrail log files is recommended and is required for CIS Benchmark compliance.

      • (Optional) Create a new KMS key: You can either create a new KMS key or use an existing one.

        Note

        If you use an existing KMS key, edit the key policy of the customer managed key (CMK) so that Netskope can decrypt the CloudTrail log files. For more information, see Permissions Required to Decrypt a CloudTrail Log File below.

      • (Optional) KMS key: Based on the selection from the earlier step, you can either enter a new KMS key or select an existing key from the drop-down list.

      • Enable log file validation: Yes

      • Send SNS notification for every log file delivery: Yes

      • Create a new SNS topic: If you select Yes, enter the new SNS topic name in the SNS topic field in the next step. If you select No, select an existing topic from the SNS topic drop-down list in the next step.

      • SNS topic: Based on the selection from the earlier step, either enter a new SNS topic name or select an existing topic from the drop-down list.

      When finished, click Create.

      Note

      Note the name and home region of the trail you just created. You need to enter these in the Netskope UI when you create your AWS instance.

    Next, create the IAM role that grants Netskope its permissions.

  8. Navigate to Services > Security, Identity & Compliance and click IAM.

  9. In the left navigation bar, click Roles and then Create role.

  10. In the Select type of trusted entity page, select Another AWS account.

  11. Enter the account ID you noted from the Netskope UI in step 3.

  12. Select the Require external ID checkbox and enter the external ID you noted from the Netskope UI in step 3.

    Note

    Leave the Require MFA checkbox unchecked.

  13. Click Next: Permissions.

  14. In the Attach permissions policies page, add the SecurityAudit policy and click Next: Tags.

  15. In the Add tags (optional) page, do not add any IAM tags and click Next: Review.

  16. In the Review page, enter a role name and then click Create role.

  17. After creating the role, attach an inline policy to it. In the Roles page, click the role you just created.

  18. On the Permissions tab, click + Add inline policy. In the Create Policy page, enter the following details:

    1. From the Service drop-down list, select SNS.

    2. From the Actions drop-down list, select ConfirmSubscription, Subscribe, and Unsubscribe.

    3. In the Resources field, select All resources.

    4. Click Add additional permissions.

    5. From the Service drop-down list, select S3.

    6. From the Actions drop-down list, select GetBucketLocation, GetObject, GetObjectAcl, ListAllMyBuckets, ListBucket.

    7. In the Resources field, select All resources.

    8. Click Add additional permissions.

    9. From the Service drop-down list, select CloudTrail.

    10. From the Actions drop-down list, select DescribeTrails and LookupEvents.

    The inline policy definition should look like this in JSON format; click the JSON tab in the policy editor to view it. Note that "Resource": "*" lets the role read every object in every bucket in the account (s3:ListAllMyBuckets must be granted on "*", but the s3:GetObject, s3:GetObjectAcl and s3:ListBucket actions can be restricted to the bucket ARNs you intend to scan).

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObjectAcl",
                    "s3:GetObject",
                    "cloudtrail:LookupEvents",
                    "s3:ListAllMyBuckets",
                    "sns:Unsubscribe",
                    "s3:ListBucket",
                    "sns:Subscribe",
                    "sns:ConfirmSubscription",
                    "s3:GetBucketLocation",
                    "cloudtrail:DescribeTrails"
                ],
                "Resource": "*"
            }
        ]
    }
  19. Click Review policy.

  20. Enter the name of the policy and click Create Policy.

  21. In the Summary page, copy the Role ARN value. You need to enter this in the Netskope UI when you create your AWS instance.
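
The console steps 5 to 21 as a scripted equivalent, added here as an example that is not part of this page or of Netskope's own tooling. It assumes placeholder values for the Netskope account ID and external ID (NETSKOPE_ACCOUNT_ID, NETSKOPE_EXTERNAL_ID), a log bucket that already exists with a CloudTrail delivery bucket policy, and the hypothetical names NetskopeS3Scan, netskope-s3-trail and netskope-cloudtrail-delivery. It generates the trust policy that steps 10 to 12 produce behind the scenes (the sts:ExternalId condition is the confused-deputy guard), the inline policy from step 18, a small review check that flags a trust policy without that condition, and the AWS CLI commands that create the same resources.

```python
"""Generate the AWS-side artefacts for the Netskope S3 scanning role.

Added example, not Netskope's own code. All IDs and names below are
placeholders; replace them with the values shown in the Netskope UI (step 3)
and your own bucket, trail and topic names.
"""
import json

NETSKOPE_ACCOUNT_ID = "111111111111"                    # placeholder: Netskope Account ID
NETSKOPE_EXTERNAL_ID = "replace-with-netskope-external-id"  # placeholder: Netskope External ID
ROLE_NAME = "NetskopeS3Scan"                             # hypothetical role name
TRAIL_NAME = "netskope-s3-trail"                         # hypothetical trail name
LOG_BUCKET = "example-cloudtrail-logs"                   # must already exist with a CloudTrail bucket policy
SNS_TOPIC = "netskope-cloudtrail-delivery"               # hypothetical topic name

S3_READ_ACTIONS = ["s3:GetBucketLocation", "s3:GetObject", "s3:GetObjectAcl",
                   "s3:ListAllMyBuckets", "s3:ListBucket"]
SNS_ACTIONS = ["sns:ConfirmSubscription", "sns:Subscribe", "sns:Unsubscribe"]
CLOUDTRAIL_ACTIONS = ["cloudtrail:DescribeTrails", "cloudtrail:LookupEvents"]


def trust_policy(netskope_account_id, external_id):
    """Trust policy equivalent to steps 10-12: only the Netskope account may assume
    the role, and only when it presents the external ID (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{netskope_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def inline_policy():
    """The inline permissions policy from step 18, as a single statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "NetskopeS3Scan",
            "Effect": "Allow",
            "Action": S3_READ_ACTIONS + SNS_ACTIONS + CLOUDTRAIL_ACTIONS,
            "Resource": "*",
        }],
    }


def trust_policy_findings(policy):
    """Review a trust policy: every Allow sts:AssumeRole statement must name a
    specific principal and require an external ID. Returns finding strings."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("statement trusts every AWS principal")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("statement allows AssumeRole without sts:ExternalId")
    return findings


def cli_commands(role_name, trail_name, log_bucket, sns_topic, kms_key_id=None):
    """AWS CLI equivalents of console steps 5-20, in the order to run them."""
    selectors = [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        # "arn:aws:s3" with no bucket selects data events for every bucket in the account.
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
    }]
    create_trail = (f"aws cloudtrail create-trail --name {trail_name} "
                    f"--s3-bucket-name {log_bucket} --sns-topic-name {sns_topic} "
                    "--is-multi-region-trail --include-global-service-events "
                    "--enable-log-file-validation")
    if kms_key_id:
        create_trail += f" --kms-key-id {kms_key_id}"
    trust = json.dumps(trust_policy(NETSKOPE_ACCOUNT_ID, NETSKOPE_EXTERNAL_ID))
    return [
        f"aws sns create-topic --name {sns_topic}",
        create_trail,
        f"aws cloudtrail put-event-selectors --trail-name {trail_name} "
        f"--event-selectors '{json.dumps(selectors)}'",
        f"aws cloudtrail start-logging --name {trail_name}",
        f"aws iam create-role --role-name {role_name} --assume-role-policy-document '{trust}'",
        f"aws iam attach-role-policy --role-name {role_name} "
        "--policy-arn arn:aws:iam::aws:policy/SecurityAudit",
        f"aws iam put-role-policy --role-name {role_name} --policy-name NetskopeS3Scan "
        f"--policy-document '{json.dumps(inline_policy())}'",
        f"aws iam get-role --role-name {role_name} --query Role.Arn --output text",
    ]


if __name__ == "__main__":
    assert not trust_policy_findings(trust_policy(NETSKOPE_ACCOUNT_ID, NETSKOPE_EXTERNAL_ID))
    print("\n".join(cli_commands(ROLE_NAME, TRAIL_NAME, LOG_BUCKET, SNS_TOPIC)))
```

Unlike the console, the CLI does not write the resource policies that let cloudtrail.amazonaws.com deliver to the S3 bucket and publish to the SNS topic; set those before running create-trail. The last command prints the role ARN that step 21 asks you to copy into the Netskope UI.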

Permissions Required to Decrypt a CloudTrail Log File

Edit the key policy of the customer managed key (CMK) so that Netskope can decrypt the CloudTrail log files. Follow the instructions below.

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Click the key that you used while creating a CloudTrail.

  5. Under the Key policy tab, click Edit.

  6. Add the following statement to the Statement array of the key policy. It allows a CloudTrail log file to be decrypted:

    {
        "Sid": "Enable cross account log decryption",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": [
            "kms:Decrypt",
            "kms:ReEncryptFrom"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:CallerAccount": "[account-id]"
            },
            "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:[account-id]:trail/*"
            }
        }
    }

    Note

    Replace the [account-id] parameter with your own AWS account ID, the account that owns the trail and the Netskope role. To find it in the AWS Management Console, choose Support on the upper-right navigation bar, then Support Center; the account ID appears in the Support Center title bar. Because the Principal is the wildcard "*", the kms:CallerAccount condition is what limits the statement to principals in your account (including the role that Netskope assumes), and the kms:EncryptionContext condition limits it to ciphertext that CloudTrail produced for your trails. To tighten it further, replace "*" with the ARN of the Netskope role.

  7. Click Save changes.
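
To see what the two conditions on the statement above actually admit, here is an added example (not from this page or from AWS) that fills in a placeholder account ID and evaluates sample requests against the statement with a deliberately minimal evaluator. The evaluator understands only the Effect, Action and StringEquals/StringLike condition shapes this statement uses; the trail name netskope-s3-trail, the bucket example-bucket and the foreign account 999999999999 are made up.

```python
"""Evaluate the CloudTrail decryption statement from the key policy above.

Added example, not part of the Netskope page or AWS documentation. The
account IDs, trail and bucket names are placeholders.
"""
from fnmatch import fnmatchcase

YOUR_ACCOUNT_ID = "123456789012"   # placeholder for [account-id]


def cloudtrail_decrypt_statement(account_id):
    """The statement from the procedure above with [account-id] filled in."""
    return {
        "Sid": "Enable cross account log decryption",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {"kms:CallerAccount": account_id},
            "StringLike": {
                "kms:EncryptionContext:aws:cloudtrail:arn":
                    f"arn:aws:cloudtrail:*:{account_id}:trail/*"
            },
        },
    }


def statement_allows(stmt, action, caller_account, encryption_context):
    """Would this single Allow statement permit `action` for a caller in
    `caller_account` on ciphertext carrying `encryption_context`?

    Semantics modelled: a condition key absent from the request fails a
    StringEquals/StringLike test (there is no ...IfExists here) and every
    condition must hold. The wildcard Principal is accepted because the
    conditions do the scoping. Explicit Deny statements elsewhere in the key
    policy are out of scope of this simplified check."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatchcase(action, a) for a in actions):
        return False
    # Request context as KMS sees it: caller account plus encryption-context keys.
    request = {"kms:CallerAccount": caller_account}
    for key, value in encryption_context.items():
        request[f"kms:EncryptionContext:{key}"] = value
    cond = stmt.get("Condition", {})
    for key, want in cond.get("StringEquals", {}).items():
        if request.get(key) != want:
            return False
    for key, pattern in cond.get("StringLike", {}).items():
        value = request.get(key)
        if value is None or not fnmatchcase(value, pattern):
            return False
    return True


def decrypt_scenarios(account_id):
    """Representative requests against the statement; only the first succeeds."""
    stmt = cloudtrail_decrypt_statement(account_id)
    trail_ctx = {"aws:cloudtrail:arn":
                 f"arn:aws:cloudtrail:us-east-1:{account_id}:trail/netskope-s3-trail"}
    return {
        # The role Netskope assumes: caller account is yours, ciphertext is a CloudTrail log.
        "own_account_cloudtrail_log": statement_allows(stmt, "kms:Decrypt", account_id, trail_ctx),
        # Same ciphertext, but the caller sits in a different account.
        "foreign_account": statement_allows(stmt, "kms:Decrypt", "999999999999", trail_ctx),
        # A log written by another account's trail but encrypted under your key.
        "foreign_trail_context": statement_allows(
            stmt, "kms:Decrypt", account_id,
            {"aws:cloudtrail:arn": "arn:aws:cloudtrail:us-east-1:999999999999:trail/other"}),
        # Ciphertext without CloudTrail context, e.g. an SSE-KMS S3 object under the same key.
        "s3_object_context": statement_allows(
            stmt, "kms:Decrypt", account_id,
            {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}),
        # Right context, but an action the statement does not grant.
        "generate_data_key": statement_allows(stmt, "kms:GenerateDataKey", account_id, trail_ctx),
    }


if __name__ == "__main__":
    for name, allowed in decrypt_scenarios(YOUR_ACCOUNT_ID).items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The s3_object_context case is the one to remember: this statement does not let the role read SSE-KMS objects in your buckets, which is why the Handle Encrypted S3 Bucket section below adds the role as a key user separately.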

Handle Encrypted S3 Bucket

Note

Netskope supports only the SSE-S3 and SSE-KMS encryption modes for S3 buckets. Follow this procedure only if your S3 buckets are encrypted with a customer managed KMS key.

If your S3 buckets are encrypted with a customer managed KMS key, add the Netskope role (created in steps 8-21 above) as a key user of that key. To do so, follow the steps below:

  1. Log in to the AWS console.

  2. Open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms. (In older versions of the console, KMS keys are listed under IAM > Encryption Keys.)

  3. Use the Region selector in the upper-right corner to switch to the region of the key.

  4. In the navigation pane, click Customer managed keys.

  5. Locate the KMS key used to encrypt the S3 bucket.

  6. Add the Netskope role (created in step 16 above) to the key users. The console adds the role to the key policy's "Allow use of the key" statement, which grants it kms:Decrypt with that key, the permission Netskope needs to read SSE-KMS objects.

Create an AWS Instance in API Data Protection

To create an AWS instance in API Data Protection:

  1. Log in to the Netskope tenant UI.

  2. Navigate to Settings > API-enabled Protection > IaaS > AWS > SETUP.

  3. The New Setup window opens. Enter the following parameters:

    • AWS Account Name: Enter a unique name for the AWS account.

    • Admin email: Enter the email address to receive email notification when a policy is triggered.

      Note

      You can set a notification on the Policies > API Data Protection > NEW POLICY wizard page.

    • Connection Type:

      Note

      Some of the connection type options may be disabled. Contact your Netskope sales representative for more information.

      • DLP for S3: Select this option to scan files in your S3 buckets.

      • Threat Protection: Select this option to scan S3 buckets for malware. You can select it only if you have also selected DLP for S3.

        Note

        The Threat Protection feature is optional. You can view the malware alerts in SkopeIT > Alerts and in Incidents > Malware.

    • Role: Enter the Amazon Resource Name (ARN) of the IAM role that you copied in step 21.

    • CloudTrail Name: Enter the name of the trail you created in step 7.

    • CloudTrail Region: Enter the region code of the trail's home region (for example, us-east-1). To identify the region in the AWS console:

      1. Log in to the AWS console.

      2. In the AWS services page, navigate to All Services > Management Tools and click CloudTrail.

      3. In the left navigation bar, click Trails.

      4. Hover the mouse over All and note the region name.

      5. Use this URL to determine the code associated with the region name:

        https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions

  4. Click Save, then click Grant Access for the AWS instance you just created.

Refresh your browser; a green check icon should appear next to the instance name, and API Data Protection DLP scans can now be run on your AWS S3 buckets. Navigate to Policies > API Data Protection, select the AWS instance you created, and apply DLP to all regions, to specific regions, or to specific buckets in a region.

Note

AWS S3 DLP violations do not have a dedicated API Data Protection dashboard. Administrators and selected users receive the email alerts specified in the policy, and the violations also appear as SkopeIT alerts and in Incident Management.

What Triggers a Scan and Billing of AWS S3 Bucket?

Storage scans are billed by the number of bytes scanned by the DLP and/or malware services. For an AWS S3 bucket, a scan of an object is triggered in the following cases:

  • Uploading or re-uploading a file to an S3 bucket that has DLP and/or malware policies configured, whether through the AWS CLI, the AWS console, or a programmatic API call (PostObject, RestoreObject, PutObject, PutObjectAcl, CopyObject, CreateMultipartUpload, UploadPart, UploadPartCopy, CompleteMultipartUpload).

  • Renaming a file in an S3 bucket that has DLP and/or malware policies configured, through the AWS CLI or the AWS console. (S3 has no rename operation; a rename is performed as a copy of the object followed by a delete, which is why it counts as an upload.)

In these cases the scan occurs whether or not the content of the file/object has changed.

No other operation on an S3 bucket triggers a scan. In particular, no scan is performed for:

  • Changing object metadata such as tags or access control policies.

  • Deleting an object from an S3 bucket.

  • Reading an object through the AWS CLI, the console, or a programmatic API call (such as GetObject).

  • Uploading or re-uploading a file to an S3 bucket that has no DLP or malware policies configured.
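
To check what a batch of CloudTrail S3 data events would cost you in scans, here is an added example (not Netskope's code) that classifies records by the trigger list above. The CloudTrail records are constructed samples in the shape of real S3 data events (eventName, requestParameters.bucketName and key, additionalEventData.bytesTransferredIn) with made-up sizes; the bucket names finance-exports and public-assets, and the assumption that only finance-exports has a scan policy, are part of the sample. The page does not say how the multipart-upload events are coalesced, so the code counts triggering events rather than claiming a scan count.

```python
"""Classify CloudTrail S3 data events by whether they trigger a Netskope scan.

Added example, not Netskope's code. Event names are the trigger list from the
page; the records, bucket names and byte counts are constructed samples.
"""

# Object-write APIs listed above as scan triggers.
SCAN_TRIGGERS = frozenset({
    "PostObject", "RestoreObject", "PutObject", "PutObjectAcl", "CopyObject",
    "CreateMultipartUpload", "UploadPart", "UploadPartCopy", "CompleteMultipartUpload",
})

# Buckets that have a DLP and/or malware policy targeting them (assumption for the sample).
SCANNED_BUCKETS = frozenset({"finance-exports"})


def _record(event, bucket, key, size=0):
    """Build a minimal CloudTrail S3 data event record (constructed sample)."""
    return {
        "eventSource": "s3.amazonaws.com",
        "eventName": event,
        "requestParameters": {"bucketName": bucket, "key": key},
        "additionalEventData": {"bytesTransferredIn": size},
    }


SAMPLE_RECORDS = [
    _record("PutObject", "finance-exports", "q1/payroll.csv", 2_000_000),
    _record("GetObject", "finance-exports", "q1/payroll.csv"),            # read: no scan
    _record("PutObjectTagging", "finance-exports", "q1/payroll.csv"),     # metadata: no scan
    # A console "rename" is really CopyObject followed by DeleteObject; only the copy triggers.
    _record("CopyObject", "finance-exports", "q1/payroll-final.csv", 2_000_000),
    _record("DeleteObject", "finance-exports", "q1/payroll.csv"),
    # Multipart upload: the page lists each of these calls as a trigger.
    _record("CreateMultipartUpload", "finance-exports", "q1/ledger.parquet"),
    _record("UploadPart", "finance-exports", "q1/ledger.parquet", 5_000_000),
    _record("CompleteMultipartUpload", "finance-exports", "q1/ledger.parquet"),
    _record("PutObject", "public-assets", "logo.png", 300_000),            # bucket has no policy
    _record("PutObject", "finance-exports", "q1/payroll.csv", 2_000_000),  # unchanged re-upload: triggers again
]


def triggers_scan(record, scanned_buckets=SCANNED_BUCKETS):
    """True when the event is a listed write API on a bucket that has a scan policy."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    bucket = record.get("requestParameters", {}).get("bucketName")
    return record.get("eventName") in SCAN_TRIGGERS and bucket in scanned_buckets


def scan_summary(records, scanned_buckets=SCANNED_BUCKETS):
    """Per-bucket count of triggering events and the bytes they uploaded.

    bytes_uploaded is an upper bound on what gets billed: Netskope bills the
    bytes its DLP/malware services actually scan, and events such as
    CreateMultipartUpload carry no payload."""
    summary = {}
    for rec in records:
        if not triggers_scan(rec, scanned_buckets):
            continue
        bucket = rec["requestParameters"]["bucketName"]
        entry = summary.setdefault(bucket, {"triggering_events": 0, "bytes_uploaded": 0})
        entry["triggering_events"] += 1
        entry["bytes_uploaded"] += rec.get("additionalEventData", {}).get("bytesTransferredIn", 0)
    return summary


if __name__ == "__main__":
    for bucket, stats in scan_summary(SAMPLE_RECORDS).items():
        print(bucket, stats)
```

Feed it the records from a real CloudTrail log file (the Records array of each delivered JSON object) to see which buckets generate scan traffic, and tighten the bucket list in your API Data Protection policy accordingly.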