Netskope Help

Scanning S3 Buckets encrypted with KMS keys

You must configure your AWS environment to provide Netskope with the necessary permissions to enable storage scan on S3 Buckets that are encrypted with KMS keys.

To provide the required permissions to Netskope, copy the IAM role created by Netskope's CFT into each KMS key policy and provide the specified Sid, Action and Condition.

Follow these detailed instructions.

  1. Log in to the AWS Management Console using the credentials of the AWS account you are setting up with Netskope for IaaS and navigate to Services > IAM > Roles.

  2. Under Roles, search for Netskope_Role and copy the Role ARN for this role.

  3. Navigate to Services > Key Management Service.

  4. Under Customer managed keys go to each KMS key used to encrypt S3 Buckets and edit the Key policy.

  5. Under the Key policy of each KMS key, click Edit.

  6. Edit the Statement section of the policy to include the following:

    {
                "Sid": "Enable Netskope to use KMS via S3",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<customer_account_id>:role/Netskope_Role"
                },
                "Action": "kms:Decrypt",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": "s3.us-west-1.amazonaws.com"
                    }
                }
            }
    • Edit the Sid to Enable Netskope to use KMS via S3.

    • Paste the Role ARN of Netskope_Role under AWS.

    • Edit Action to kms:Decrypt.

    • Add the Condition as provided above.

      The condition key ensures that Netskope does not perform any action directly on the KMS key but only through the S3 managed service.

      Note

      Since KMS can only encrypt buckets in the same region as the key ensure that kms:ViaService matches the region of the KMS key.

  7. Save the key policy changes as AWS-KMS.