Welcome to the Netskope One DSPM Knowledge Base


    Creating secondary Netskope One DSPM users via AWS CloudFormation

    This article applies to customers who self-host a Netskope One DSPM instance within their own infrastructure.

     

    Overview

    These instructions are used to create Netskope One DSPM users in AWS VPCs outside of the VPC which hosts your Netskope One DSPM instance. This grants the Netskope One DSPM instance the visibility necessary to discover and scan Data Stores within those outside AWS VPCs.

    If you plan to only connect Data Stores that also reside in the same VPC as your Netskope One DSPM instance, these steps can be skipped.

    Prerequisites

    Netskope One DSPM has already been installed within your own infrastructure. For more information on that process, please visit our Installing Netskope One DSPM via AWS CloudFormation article.

    Configure CloudFormation Stack


    1. For the account where you will configure the CloudFormation Stack, log into the AWS console. The CloudFormation Stacks dashboard is displayed.
    2. Select the target region, if necessary.
    3. On the dashboard, click the Create Stack button and select the “With new resources (standard)” option. The Step 1 screen is displayed.
    4. Under the Specify template section, enter the following value in the Amazon S3 URL field:
    https://Netskope One DSPM-release.s3.us-west-2.amazonaws.com/CreateNetskope One DSPMUser.json


    Proceed with configuring the remainder of your CloudFormation deployment as desired. When ready, navigate to the final step, click the Submit button, and monitor the build to completion.

    To learn more about the resources created by the above actions, see the following section:

    Resources Created

    On the Resources tab, the following resources are listed:

    Resource Type    Resource Name
    IAM Policy       Netskope One DSPMPolicy
    IAM Role         Netskope One DSPMRole
    IAM Role         Netskope One DSPMGlueServiceRole
    IAM User         Netskope One DSPMUser


    In addition, the following permissions are assigned to the new IAM Roles: 

    Role Name: Netskope One DSPMRole

    Permission Name                 Purpose
    AWSGlueConsoleFullAccess        Provides full access to AWS Glue via the AWS Management Console
    AmazonEC2ReadOnlyAccess         For getting regions and instance IDs
    AmazonRDSReadOnlyAccess         For discovering RDS clusters
    AmazonRedshiftReadOnlyAccess    Required for discovering Redshift clusters
    AmazonAthenaFullAccess          Required for discovering Athena clusters and running scans
    AmazonS3ReadOnlyAccess          Required for scanning S3
    AmazonDynamoDBReadOnlyAccess    Required for scanning DynamoDB

    Role Name: Netskope One DSPMGlueServiceRole

    Permission Name           Purpose
    AmazonS3ReadOnlyAccess    Required for scanning S3
    AWSGlueServiceRole        Required to allow access to related services including EC2, S3, and CloudWatch Logs
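
    A pre-deployment check for the template referenced in step 4, added here as an example (it is not Netskope's code): it compares the managed policies a parsed CloudFormation template attaches to each role against the two tables above and flags wildcard actions in policy documents. The logical IDs ScannerRole, GlueServiceRole and ScannerPolicy and the sample template are constructed for illustration; the vendor template's own logical IDs are not shown in this article.

```python
# Managed policies the article lists per role; keys are hypothetical logical IDs.
DOCUMENTED = {
    "ScannerRole": {"AWSGlueConsoleFullAccess", "AmazonEC2ReadOnlyAccess",
                    "AmazonRDSReadOnlyAccess", "AmazonRedshiftReadOnlyAccess",
                    "AmazonAthenaFullAccess", "AmazonS3ReadOnlyAccess",
                    "AmazonDynamoDBReadOnlyAccess"},
    "GlueServiceRole": {"AmazonS3ReadOnlyAccess", "AWSGlueServiceRole"},
}

def as_list(value):
    """IAM and CloudFormation JSON accept a single item where a list is allowed."""
    return [] if value is None else value if isinstance(value, list) else [value]

def wildcard_actions(policy_doc):
    """Actions in Allow statements that are '*' or 'service:*'."""
    return [a for s in as_list(policy_doc.get("Statement")) if s.get("Effect") == "Allow"
            for a in as_list(s.get("Action")) if a == "*" or str(a).endswith(":*")]

def review_template(template, documented=DOCUMENTED):
    """Return findings where the template's IAM grants differ from the documented ones."""
    findings = []
    for lid, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        docs = [p.get("PolicyDocument", {}) for p in as_list(props.get("Policies"))]
        if rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            docs.append(props.get("PolicyDocument", {}))
        if rtype == "AWS::IAM::Role":
            arns = [a for a in as_list(props.get("ManagedPolicyArns")) if isinstance(a, str)]
            attached = {a.rsplit("/", 1)[-1] for a in arns}  # policy name after the last '/'
            expected = documented.get(lid, set())
            findings += [f"{lid}: undocumented managed policy {p}" for p in sorted(attached - expected)]
            findings += [f"{lid}: documented policy {p} not attached" for p in sorted(expected - attached)]
        for doc in docs:
            findings += [f"{lid}: wildcard action {a}" for a in wildcard_actions(doc)]
    return findings

# Constructed sample template (not the vendor's): one extra policy, one wildcard.
SAMPLE = {"Resources": {
    "GlueServiceRole": {"Type": "AWS::IAM::Role", "Properties": {"ManagedPolicyArns": [
        "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
        "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole",
        "arn:aws:iam::aws:policy/AmazonS3FullAccess"]}},
    "ScannerPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
        "Statement": {"Effect": "Allow", "Action": ["kms:Decrypt", "iam:*"], "Resource": "*"}}}},
}}

if __name__ == "__main__":
    for finding in review_template(SAMPLE):
        print(finding)
```

    To use it on a real template, load the downloaded JSON with json.load and replace the keys of DOCUMENTED with the logical IDs found in that file.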
     
     

    Generate API Keys

    Once your deployment is complete, generate API keys for later use in connecting Netskope One DSPM to the current AWS Account.


    1. Navigate to the IAM Management Console > Users section.
    2. The Users list is displayed.
    3. In the User name column, click on the Netskope One DSPMUser hyperlink.
    4. The User Summary screen is displayed.
    5. Navigate to the Security credentials tab.
    6. Under the Access Key section, click the Create access key button.
    7. The Create access key modal is displayed.
    8. Download or copy the following values to your local machine for later use:
      1. Access key ID
      2. Secret access key

    Next Steps

    Connect your Netskope One DSPM instance to the AWS Account for the new users configured above. To learn more, visit our Introduction to Onboarding AWS Accounts article.
