    Connecting to AWS Athena Data Stores

    Overview

    Netskope One DSPM supports scanning AWS Athena data stores, often used as a wrapper for different data services. Follow these instructions to set up Athena and configure its connection to Netskope One DSPM.

    Retrieve Connection Information

    Data Store Endpoint

    Use the default endpoint, which has the following format:

    athena.{region}.amazonaws.com

    For example: https://athena.us-east-2.amazonaws.com

    In case of a custom setup within a VPC, please contact your DevOps team to get the connection details. 

    Athena S3 Output Location

    This can be any secure, accessible S3 bucket to which Netskope One DSPM has “write” privileges. For example: s3://athena-query-results/.

    Athena Catalog Name

    This refers to the data source Athena is querying and requires an integration with AWS Glue. First, set up your crawler for Athena. Once it is set up, go to your Athena console and click Data sources in the left side nav, under Administration.

    Note the Data source name value for the Athena Catalog Name field in the Netskope One DSPM data store connection wizard.

    Athena Workgroup

    From the Athena console, click Workgroups in the left side nav, under Administration. Click the Workgroup name for your Athena engine. If only the default workgroup exists when you connect, you may need to create a non-default workgroup for Netskope One DSPM to use.

    Note the Workgroup name value for the Athena Workgroup field in the Netskope One DSPM data store connection wizard. 

    Please note that Netskope One DSPM queries up to the per-query control limit for the selected Workgroup to limit costs. Do not select the default, as it may be unlimited. 
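
    A pre-flight check for the four values gathered above, added here as an example (not Netskope code): it flags the default workgroup and any workgroup without a per-query data limit. It assumes the workgroup JSON comes from `aws athena get-work-group`; the sample response and the `dspm-scan` workgroup name are constructed.

```python
import json
import re

# Constructed sample shaped like the output of
# `aws athena get-work-group --work-group dspm-scan` (not from a real account).
SAMPLE_WORKGROUP = json.loads("""
{"WorkGroup": {"Name": "dspm-scan", "State": "ENABLED",
  "Configuration": {"EnforceWorkGroupConfiguration": true,
                    "BytesScannedCutoffPerQuery": 1073741824}}}
""")

# Default endpoint format from this article; the scheme is optional.
ENDPOINT_RE = re.compile(
    r"^(?:https://)?athena\.[a-z]{2}(?:-[a-z]+)+-\d\.amazonaws\.com/?$")
S3_URI_RE = re.compile(r"^s3://[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/.*)?$")


def preflight(endpoint, output_location, catalog, workgroup_response):
    """Return a list of findings; an empty list means the values look sane."""
    findings = []
    if not ENDPOINT_RE.match(endpoint):
        findings.append("endpoint is not in the default format; for a VPC "
                        "setup confirm the details with DevOps")
    if not S3_URI_RE.match(output_location):
        findings.append("output location is not a valid s3:// URI")
    if not catalog.strip():
        findings.append("catalog (data source) name is empty")

    wg = workgroup_response.get("WorkGroup", {})
    cfg = wg.get("Configuration", {})
    # "primary" is the name AWS gives the default Athena workgroup.
    if wg.get("Name") == "primary":
        findings.append("workgroup is the default; use a dedicated one")
    if wg.get("State") != "ENABLED":
        findings.append("workgroup is not ENABLED")
    # Without this limit a single query can scan an unbounded amount of data.
    if not cfg.get("BytesScannedCutoffPerQuery"):
        findings.append("no per-query data usage limit on the workgroup")
    return findings
```
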

     

    Connect Your Data Store

    1. Log into the Netskope One DSPM platform.
    2. Navigate to Data Stores → Data Store Inventory.
    3. Use the Discovered tab, then click the CONNECT button under Actions to connect a discovered data store. You'll immediately see the Credentials tab with some fields automatically populated.
    4. Alternately, click the CONNECT A DATA STORE button in the upper right to select a data store type and go through the data store connection UI manually.

    1. The Connect a Data Store modal is displayed, starting with the SELECT DATA STORE tab.
    2. Click on the icon for the Data Store Type you wish to connect. The modal will auto-navigate you to the next tab.
    3. On the PROVIDE CREDENTIALS tab, complete the following fields:
    Field | Value
    AWS Account Name | Select one of the AWS Accounts defined within the Infrastructure Section screen. The field will default if there is just one AWS account configured.
    Data Store Identifier | Friendly name to describe this Data Store. Your value is displayed in other Netskope One DSPM screens, such as Policy Management and Classification Management.
    Data Store Endpoint | Enter the corresponding value from the Retrieve Connection Information: Data Store Endpoint section above.
    Athena S3 Output Location | Enter the corresponding value from the Retrieve Connection Information: Athena S3 Output Location section above.
    Athena Catalog Name | Enter the corresponding value from the Retrieve Connection Information: Athena Catalog Name section above.
    Athena Workgroup | Enter the corresponding value from the Retrieve Connection Information: Athena Workgroup section above.
    Sidecar Pool | If you will use sidecars to monitor this data store, select a sidecar pool with network visibility to said data store. This field is displayed when there is at least one defined sidecar pool. To learn more, please visit our Sidecar Administration article.
    Scan Frequency | Controls how often your Data Store is reviewed for changes. Netskope One DSPM’s recommended frequency is defaulted, which you can override (if desired).

    1. Click the NEXT button. The SELECT CAPABILITIES tab is displayed.
    2. Complete the following fields:
    • Assign a Data Owner (optional): define one or more Platform Users responsible for this Data Store and its data sets.
    • Which databases should Netskope One DSPM scan?: utilize the field’s picklist control to select which databases & schemas should be monitored by the Netskope One DSPM application. By default, all databases & schemas are selected.
    • Features: Netskope One DSPM’s recommended feature selections will be defaulted, which you can override if desired. Some features are always-on, some are not applicable (with disabled toggles), while others may request additional configurations.
    Capability | Supported for AWS Athena
    Discovery | Yes
    Privilege Analysis | Not applicable (as there are no database users and access is controlled via IAM Roles)
    Shadow Data Analysis | Yes
    Classification | Yes
    Data-in-Use Monitoring | Yes (custom query logs only)
    Automation | Yes (always-on)

    1. Click the SAVE button, which will navigate you to the next tab.
    2. On the REVIEW tab, Netskope One DSPM will validate your credentials and capability selections. In the event of any issues, follow the on-screen instructions to remediate the displayed warnings or errors.
    3. Click the SAVE button to finalize your connection.
