Netskope Help

Prerequisites
  • Netskope tenant host name and API token. Refer to the Netskope REST API documentation located here.

  • Permissions for the script to create resources/policies in the sub-accounts. An AWS sub-account can be configured for CSA in one of two ways:

    1. Using a role that belongs to the sub-account and can be assumed from the master account. In this case, the role details (ARN and External ID) and the master account credentials (access key and secret key) must be populated in the “assumeRole” section of the JSON Configuration File Template. The role must be configured with an external ID (even though both the master and sub-account belong to the same customer/organization), and it is recommended that it have the "AdministratorAccess" policy attached.

      Note

      The AdministratorAccess permission is granted only to the master account within the customer’s organization, not to Netskope. If a role with lower privileges is preferred, refer to Lower Privilege for Sub-Account Role that Trusts Master Account.

    2. Using the access keys of a user that exists in the sub-account itself. In this case, the access key ID and secret access key of that user must be populated in the “token” section of the JSON Configuration File Template. The user must have the "AdministratorAccess" policy attached. For lower privileges, refer to Lower Privilege for Sub-Account Role that Trusts Master Account.

JSON Configuration File Template

The name of the configuration file can be anything as long as it matches the name specified in the script arguments. For each AWS account to be set up, create one entry in the “instances” JSON array.

{
    "instances":
    [
        {
            "config":
            {
                "instance_name":"...",
                "securityscan_interval":60,
                "email_id":"...",
                "use_for":
                [
                    "securityscan"
                ]
            },
            "credentials":
            {
                "assumeRole":
                {
                    "role_arn":"...",
                    "external_id":"...",
                    "access_key_id":"...",
                    "secret_access_key":"..."
                },
                "token":
                {
                    "access_key_id":"...",
                    "secret_access_key":"..."
                }
            }
        }
    ]
}
  • instance_name: [REQUIRED] Name of the instance. The instance name must contain only alphanumeric characters, with no special characters or spaces. It is recommended that instance_name match the AWS account name.

  • securityscan_interval: [REQUIRED] Interval, in minutes, at which the Security Scan runs. Allowed values are 30, 60, 120, 360, 1440.

  • email_id: [REQUIRED] Email address of the user. It is recommended that this be the email of the account owner, but a single email can be used for all the sub-accounts.

  • use_for: [REQUIRED] Netskope feature to be used. For CSA scans only, use “securityscan”.

  • credentials:

    • assumeRole: [OPTIONAL] Details of the role with the privileges required to run the CFT template.

      • role_arn: [REQUIRED] ARN of the role in the sub-account that has a trust relationship with the master account. The role must be set up with an external ID and have the "AdministratorAccess" policy attached.

      • external_id: [REQUIRED] External ID configured on the IAM role above.

      • access_key_id: [REQUIRED] The access key ID of the user in the master account that has an STS policy with read/write permissions for all resources.

      • secret_access_key: [REQUIRED] Secret access key of that user in the master account.

    • token: [OPTIONAL] Credentials of an AWS user with the privileges required to run the CFT template.

      • access_key_id: [REQUIRED] IAM access key ID for the account to be added to Netskope IaaS.

      • secret_access_key: [REQUIRED] IAM secret access key for the account to be added to Netskope IaaS.

    Note

    Either assumeRole or token is mandatory.
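A small pre-flight validator for the configuration file, written as an added example (not part of Netskope's tooling or this page) that encodes the field rules above: alphanumeric instance_name, the allowed securityscan_interval values, use_for fixed to "securityscan", the "either assumeRole or token" rule, and a check that no "..." or "<...>" template placeholder is left in a required field. The role ARN pattern and the sample config are assumptions constructed for the example.

```python
# Added validator for the CSA "instances" file described above; the checks mirror the field rules on this page.
import json
import re

ALLOWED_INTERVALS = {30, 60, 120, 360, 1440}
CRED_KEYS = {"assumeRole": ("role_arn", "external_id", "access_key_id", "secret_access_key"),
             "token": ("access_key_id", "secret_access_key")}
ROLE_ARN_RE = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")  # assumed IAM role ARN shape

def unfilled(value):
    """True when a value is absent or a template placeholder ("..." or "<...>") was left in place."""
    return not isinstance(value, str) or value == "..." or re.fullmatch(r"<.*>", value) is not None

def validate_instance(inst, index):
    """Return the rule violations in one 'instances' entry (empty list means valid)."""
    tag, cfg, creds = f"instances[{index}]", inst.get("config", {}), inst.get("credentials", {})
    errors = []
    if not re.fullmatch(r"[A-Za-z0-9]+", str(cfg.get("instance_name", ""))):
        errors.append(f"{tag}: instance_name must be alphanumeric, no spaces or special characters")
    if cfg.get("securityscan_interval") not in ALLOWED_INTERVALS:
        errors.append(f"{tag}: securityscan_interval must be one of {sorted(ALLOWED_INTERVALS)}")
    if unfilled(cfg.get("email_id")) or "@" not in cfg["email_id"]:
        errors.append(f"{tag}: email_id must be a filled-in email address")
    if cfg.get("use_for") != ["securityscan"]:
        errors.append(f'{tag}: use_for must be ["securityscan"] for CSA scans')
    present = [label for label in CRED_KEYS if creds.get(label) is not None]
    if not present:  # the page's rule: either assumeRole or token is mandatory
        errors.append(f"{tag}: either credentials.assumeRole or credentials.token is mandatory")
    for label in present:  # every key inside a supplied block is required and must be filled in
        block = creds[label]
        errors += [f"{tag}: credentials.{label}.{k} is required" for k in CRED_KEYS[label] if unfilled(block.get(k))]
        if label == "assumeRole" and not unfilled(block.get("role_arn")) and not ROLE_ARN_RE.fullmatch(block["role_arn"]):
            errors.append(f"{tag}: credentials.assumeRole.role_arn is not an IAM role ARN")
    return errors

def validate_config(text):
    """Parse the JSON text and return every violation found across all instances."""
    instances = json.loads(text).get("instances")
    if not isinstance(instances, list) or not instances:
        return ["top-level 'instances' must be a non-empty array"]
    return [e for i, inst in enumerate(instances) for e in validate_instance(inst, i)]

# Constructed sample input: entry 0 is a valid assumeRole instance, entry 1 has four mistakes.
SAMPLE = """{"instances": [
 {"config": {"instance_name": "prodaccount1", "securityscan_interval": 60, "email_id": "admin@example.com",
   "use_for": ["securityscan"]},
  "credentials": {"assumeRole": {"role_arn": "arn:aws:iam::123456789012:role/master-admin-role",
   "external_id": "ext-id-example", "access_key_id": "AKIAEXAMPLE", "secret_access_key": "secret"}}},
 {"config": {"instance_name": "dev account 2", "securityscan_interval": 45,
   "email_id": "<account2_admin@company.com>", "use_for": ["securityscan"]},
  "credentials": {"token": {"access_key_id": "AKIAEXAMPLE2", "secret_access_key": "..."}}}]}"""
```

Running validate_config(SAMPLE) reports the four problems in the second entry (a space in instance_name, an unsupported interval, an unfilled email placeholder, and an unfilled token secret) and nothing for the first.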

Configuration File Example

The example file below configures <sub-account 1> using roles and <sub-account 2> using user access tokens.

{
    "instances":
    [  
        {  
            "config":
            {  
                "instance_name":"<sub-account 1 name>",
                "securityscan_interval":60,
                "email_id":"<account1_admin@company.com>",
                "use_for":
                [
                    "securityscan"
                ]
            },
            "credentials":
            {  
                "assumeRole":
                {  
                    "role_arn":"arn:aws:iam::<id>:role/master-admin-role",
                    "external_id":"<external id string>",
                    "access_key_id":"<access key id of master account>",
                    "secret_access_key":"<secret access key of master account>"
                }
            }
        },
        {  
            "config":
            {  
                "instance_name":"<AWS sub-account 2>",
                "securityscan_interval":60,
                "email_id":"<account2_admin@company.com>",
                "use_for":
                [  
                    "securityscan"
                ]
            },
            "credentials":
            {  
                "token":
                {  
                    "access_key_id":"<access key id of sub-account 2>",
                    "secret_access_key":"<secret access key of sub-account 2>"
                }
            }
        }
    ]
}