Step 2/2: Configure AWS Permissions for Forensic

Step 2/2: Configure AWS Permissions for Forensic

Netskope requires permissions to perform certain actions in the AWS account such as creating a stack to receive CloudWatch events. This screen provides a customized CFT with permissions required to set up cross account access between Netskope and your AWS accounts. The permissions defined in the CFT are updated based on the services you’ve enabled in the Accounts & Services page.

You can review the CFT to understand the various permissions required by Netskope.


Ensure that the AWS account has the permissions required to run the Netskope for IaaS services.

To complete the set up you must:

  1. Download the CFT.
  2. In the AWS account, create a new S3 bucket to be your forensic destination.
  3. In the AWS account, upload the downloaded CFT to a new CloudFormation stack.
  4. Confirm that a cross account role with the required permissions is created.

Follow the detailed instructions below to complete the set up.

  1. In the Permissions screen of the New Setup window, click the link to download the CFT.
  2. Log in to the AWS Management Console using the credentials of the AWS account you are setting up with Netskope for IaaS and navigate to Services > Storage > S3.
  3. Create a new S3 bucket where you want Netskope to store forensic objects. Ensure that your S3 bucket follows the naming rules specified by AWS.

    To learn more about bucket naming rules, see the AWS documentation.

  4. Navigate to Services > CloudFormation. In the CloudFormation page, click Create stack.

    To create a stack with new resources, choose With new resources (standard).

    To create a stack with existing resources, choose With existing resources (import resources).

  5. Select Upload a template file and click Choose file to upload the aws-instance-setup.yml. Click Next.
  6. In the Specify stack details page, specify a Stack name.

    The stack name must:

    • Only contain alphanumeric characters and hyphens,
    • start with an alphabet, and
    • not exceed128 characters.
  7. In the Parameters section of this page, specify the name of the new S3 bucket you created in step 3 above. Click Next.
  8. In the Configure stack options page, use the default configuration, and click Next.
  9. Review your stack details on the Review page, click the acknowledgment and then click Create stack.

    When the creation process is complete, your stack will be displayed on the CloudFormation page.

    You can click on the stack to view the details about the stack. The Resources tab displays the various components that are part of aws-instance-setup.yml. The Template tab displays the permissions defined in the template.

  10. In the Netskope UI, confirm that a cross account role with permissions is created in the AWS account. Click Add Accounts.

    Netskope adds the AWS account to the Settings > Configure App Access > Classic > IaaS page. The page also displays the services that are enabled for each account.


Once you set up the instance with forensic enabled, you should create a forensic profile. To learn more: Creating a Forensic Profile for Public Cloud Storage.

What happens in the process?

Netskope lists all S3 buckets of the AWS account post instance setup and saves the metadata of all the S3 buckets in the database. This metadata enables Netskope to write and download to/from the S3 bucket chosen as forensic destination. However, the write and download permissions are only requested for a single bucket chosen as forensic destination.


The s3:List-related permissions are required because Netskope is not aware of the S3 bucket chosen as forensic destination.

AWS Permissions for Forensics PolicyPurpose
s3:GetObjectThis implementation of the GET operation retrieves objects from Amazon S3.
s3:PutObjectThis implementation of the PUT operation puts objects that violate DLP Forensics into an Amazon S3 bucket.
s3:ListBucketLists a specific bucket
s3:ListAllMyBucketsThis implementation of the GET operation returns a list of all buckets owned by the authenticated sender of the request.
s3:GetBucketLocationThis implementation of the GET operation uses the location sub-resource to return a bucket’s region.


The NetskopeStack is managed by Netskope and must not be manually updated.

To learn more about defining an S3 bucket as the forensic destination: Create a Forensic Profile.

Share this Doc

Step 2/2: Configure AWS Permissions for Forensic

Or copy link

In this topic ...