Netskope Help

Setting up Multiple AWS Instances

You can setup multiple AWS instances to perform Continuous Security Assessments (CSA) on an AWS account using the Netskope platform. The process requires the following two steps.

  1. The customer AWS account needs to be configured to provide Netskope with the appropriate permissions to scan the resources in the account.

  2. An API Data Protection Cloud Infrastructure account (instance) needs to be set up in the Netskope UI.

Netskope Public Cloud Security provides support for two services, Security Scan (CSA) and Storage Scan (DLP/Malware Scan).

The Storage Scan solution requires Netskope to be notified of specific S3 events, such as bucket creation, bucket deletion, object creation, etc. For receiving notifications for these events, you need to set up SNS topics in each of the regions of the AWS account to send the notifications to Netskope. We automated creation of the SNS topics and HTTP subscription to these topics via a CFT, which gets deployed during the Netskope instance creation process.

Netskope deploys this CFT so we need the permissions for cloudformation. We also take care of deleting the created stacks during the Netskope instance deletion process. This saves you the time for setting up the SNS topics in each of the regions manually, and then subsequently deleting these resources once the instance is deleted.

For more details about this setup procedure and the required permissions, click here.

A CLI-based script allows you to set up multiple AWS instances for CSA without having to perform the above two steps individually (in the Netskope UI) for each AWS account.


With this script, Netskope currently supports the creation of instances configured for CSA only.

The input to this script is provided via a JSON configuration file that contains the list of AWS accounts to be configured for CSA and the configuration details of those AWS accounts/API Data Protection instances. This script reads the configuration file created by the customer and performs the two setup steps:

  • Configures the AWS accounts listed the configuration file to provide permission for Netskope to scan the resources in those accounts. This configuration is done by generating and executing an AWS Cloud Formation Template (CFT) to create the appropriate resources and policies.

  • Sets up the corresponding API Data Protection accounts (instances) in the Netskope UI.