FAQs related to AWS instance setup for forensics
The following topic covers frequently asked questions and common scenarios encountered when setting up an AWS instance for forensics.
Using an S3 bucket as a forensics destination using SSE-KMS with customer-managed keys
When the S3 bucket used as a forensics destination is protected with server-side encryption using KMS customer-managed keys (SSE-KMS), Netskope's role also needs permission on those keys; without it, forensics uploads and downloads fail even though the bucket itself is reachable. You must configure your AWS environment to grant that permission.
To grant it, add the IAM role created by Netskope's CFT to the key policy of every KMS key that encrypts the bucket, using the Sid and Action list below. Permissions on a customer-managed key are controlled by the key policy, so an IAM policy on the role alone is not sufficient.
Follow these detailed instructions:
- Log in to the AWS Management Console with the credentials of the AWS account you are setting up with Netskope for IaaS and navigate to Services > IAM > Roles.
- Under Roles, search for Netskope_Role and copy its Role ARN.
- Navigate to Services > Key Management Service.
- Under Customer managed keys, open each KMS key used to encrypt the forensics S3 bucket.
- Under the Key policy of each key, click Edit and add the following statement to the Statement array. Add it alongside the existing statements rather than replacing them; in particular, keep the statement that grants your account's root principal access to the key, otherwise the key can become unmanageable.

  {
    "Sid": "Enable Netskope to use KMS",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<customer_account_id>:role/Netskope_Role"
    },
    "Action": [
      "kms:Decrypt",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
      "kms:Encrypt"
    ],
    "Resource": "*"
  }

- Set the Sid to Enable Netskope to use KMS.
- Paste the Role ARN of Netskope_Role as the value of AWS under Principal, replacing <customer_account_id> with your AWS account ID.
- Set Action to the four actions listed above. Leave Resource as "*": in a key policy this refers only to the key the policy is attached to, not to every key in the account.
- Save the key policy changes.