Netskope Help

Enabling Data Protection for AWS S3

You can simultaneously add multiple AWS accounts in a single region to your Netskope tenant.

To configure your AWS accounts for Data Protection,

  1. Make a list of AWS accounts you want to configure for DLP Scan and Threat Protection (Malware Scan). The list must include account numbers and account names. Optionally, you can also include email addresses associated with the account.

    Note

    Netskope recommends using the same account name as the AWS account alias. If an account alias is not available for the AWS account, then provide an account name for the AWS account.

    You can use AWS CLI to generate the list of AWS accounts as a CSV file. To learn more, see "Creating a CSV file" in Step 1/2: Configure AWS Accounts & Services for Data Protection.

  2. Ensure that the CloudWatch service is running on your AWS accounts. The Data Protection feature requires the CloudWatch service in order to receive notifications.

    Netskope listens to the following CloudWatch events.

    • CREATE_BUCKET

    • DELETE_BUCKET

    • RESTORE_OBJECT

    • PUT_OBJECT

    • PUT_OBJECT_ACL

    • COPY_OBJECT

    • DELETE_OBJECT

    • CREATE_MULTIPART_UPLOAD

    • UPLOAD_PART

    • UPLOAD_PART_COPY

    • COMPLETE_MULTIPART_UPLOAD

    To learn more about setting up CloudWatch, see the AWS documentation on CloudWatch.

  3. In the Netskope UI go to Settings > API-enabled Protection > IaaS. Click Setup.

  4. Follow the instructions in the following sections.

    Note

    If you have existing AWS accounts that were configured using the old setup process, you can migrate them using the instructions in Migrating existing AWS accounts to the new set up.

    Migrating to the new setup will enable you to automatically add new AWS accounts into Netskope.

  5. After you complete the setup, enable object-level logging for S3 buckets to ensure that there are no delays in receiving event notifications. To learn more, see the following AWS documentation links.
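Object-level logging for S3 is delivered through CloudTrail data events, so a quick way to confirm step 5 across many buckets is to inspect a trail's event selectors. The following script is an added example, not Netskope's or AWS's own code: it assumes a JSON document shaped like the output of `aws cloudtrail get-event-selectors` (basic event selectors only; advanced event selectors are not evaluated) and a constructed bucket list, and it reports which buckets are not fully covered by a write-capturing selector.

```python
import json

# Object-level (data event) logging for S3 is configured through CloudTrail
# event selectors; this checks which buckets a trail's basic event selectors
# do not fully cover. Advanced event selectors are not evaluated (assumption).

def _covers_whole_bucket(value: str, bucket: str) -> bool:
    """True if a DataResources prefix value covers every object in `bucket`.

    CloudTrail matches the value as a prefix of the object ARN, so
    'arn:aws:s3' (all buckets), 'arn:aws:s3:::' and 'arn:aws:s3:::bucket/'
    all qualify; 'arn:aws:s3:::bucket/some-prefix/' covers only part of it.
    """
    return f"arn:aws:s3:::{bucket}/".startswith(value)

def buckets_missing_object_logging(selectors_response: dict, buckets: list[str]) -> list[str]:
    """Return buckets that no write-capturing selector covers in full."""
    covered = set()
    for selector in selectors_response.get("EventSelectors", []):
        # ReadOnly selectors never record PUT/DELETE/multipart events.
        if selector.get("ReadWriteType", "All") == "ReadOnly":
            continue
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            for value in resource.get("Values", []):
                covered.update(b for b in buckets if _covers_whole_bucket(value, b))
    return [b for b in buckets if b not in covered]

# Constructed sample, shaped like `aws cloudtrail get-event-selectors` output.
SAMPLE_SELECTORS = json.loads("""{
  "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail",
  "EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": true,
     "DataResources": [
       {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::finance-data/"]},
       {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::app-logs/archive/"]}
     ]},
    {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": false,
     "DataResources": [
       {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::shared-drop/"]}
     ]}
  ]
}""")
SAMPLE_BUCKETS = ["finance-data", "app-logs", "shared-drop", "hr-exports"]

if __name__ == "__main__":
    print(buckets_missing_object_logging(SAMPLE_SELECTORS, SAMPLE_BUCKETS))
```

Buckets reported here will see delayed or missing event notifications until object-level logging is enabled for them.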