Welcome to the Netskope One DSPM Knowledge Base

You will find your answers here!

    Sorry, we didn't find any relevant articles for you.

    Send us your queries using the form below and we will get back to you with a solution.

    Installing Netskope One DSPM via AWS CloudFormation

    Table of Contents

    Overview Prerequisites Configure CloudFormation Stack Generate API Keys Next Steps

    This article applies to customers who self-host a Netskope One DSPM instance within their own infrastructure.

     

    Overview

    These instructions are used to define an AWS CloudFormation template that provisions all AWS resources necessary for running a Netskope One DSPM environment within your own AWS VPC. 

    Prerequisites

    Before beginning, the Netskope One DSPM application AMI needs to be shared with your organization. To request a trial AMI, please contact your CSM and supply:

    • Your AWS account number; and
    • The AWS region where you will deploy the Netskope One DSPM instance (which we require in order to share the image).
    • Ensure you have a SSH key pre-configured in the AWS account where you will deploy the Netskope One DSPM instance.  Visit the AWS EC2 console to check if your desired SSH key pair exists, or create one yourself

    Configure CloudFormation Stack

    Excerpt: AWS: Configure CloudFormation: Instructions 1

    For the account where you will configure the CloudFormation stack, log into the A

    1. For the account where you will configure the CloudFormation Stack, log into the AWS console. The CloudFormation Stacks dashboard is displayed.
    2. Select the target region, if necessary.
    3. On the dashboard, click the Create Stack button and select the “With new resources (standard)“ option. The Step 1 screen is displayed.
    4. Under the Specify template section, enter the following value in the Amazon S3 URL field:
    https://dasera-release.s3.us-west-2.amazonaws.com/CreateDaseraVMFromAMIAndDaseraUser.json

    Excerpt: AWS: Configure CloudFormation: Instructions 2

    In Step 2, under the Parameters section, enter the following values:

    1. Click the Next button. The Step 2 screen is displayed.
    2. Complete the required Name field.
    3. Under the Parameters section, enter the following values:
    Parameter Value
    ExternalID Enter the like-named value from the previous section above.
    Parameter Value
    AMIImageId AMI ID of the Netskope One DSPM image shared with your organization. This value can be found in your AMI Catalog in the My AMIs section. Clear all filters and filter by Owner = “Shared With Me”. 
    SSHKey Name of the SSH key you wish to install on the instance. Installing patches and security updates requires an admin to connect to the instance via SSH.
    SecurityGroupId Your own AWS security group that you wish to associate. Please ensure the security group belongs to the same network as the subnet you will launch Netskope One DSPM, otherwise deployment will fail.
    SubnetId Subnet to launch the Netskope One DSPM instance into. This will determine the VPC and availability zone of the Netskope One DSPM instance.

    Excerpt: AWS: Configure CloudFormation Stack: Instructions 3

    Proceed with configuring the remainder of your CloudFormation deployment as desired. When ready, navigate to the final step, click the Submit button, and monitor the build to completion.

    To learn more about the resources created by the above actions, please expand the following section:

    Resources Created

    On the Resources tab, the following resources are listed:

    Resource Type Resource Name
    EC2 Instance (m5.2xlarge) Netskope One DSPMInstance
    IAM Role Netskope One DSPMRole
    IAM Role Netskope One DSPMGlueServiceRole
    IAM User Netskope One DSPMUser

    Configure CloudFormation Stack: Roles

    In addition, the following permissions are assigned to the new IAM Roles:  Role N

    In addition, the following permissions are assigned to the new IAM Roles: 

    Role Name: Netskope One DSPMRole

    Permission Name Purpose
    AWSGlueConsoleFullAccess Provides full access to AWS Glue via the AWS Management Console
    AmazonEC2ReadOnlyAccess For getting regions and instance IDs
    AmazonRDSReadOnlyAccess For discovering RDS clusters
    AmazonRedshiftReadOnlyAccess Required for discovering RedShift clusters
    AmazonAthenaFullAccess Required for discovering Athena clusters and running scans
    AmazonS3ReadOnlyAccess Required for scanning S3
    AmazonDynamoDBReadOnlyAccess Required for scanning DynamoDB

    Role Name: Netskope One DSPMGlueServiceRole

    Permission Name Purpose
    AmazonS3ReadOnlyAccess Required for scanning S3
    AWSGlueServiceRole Required to allow access to related services including EC2, S3, and Cloudwatch Logs
     
     

    Generate API Keys

    Once your deployment is complete, you will need API keys for later use in connecting Netskope One DSPM to the current AWS Account. Generate a new pair using the following instructions:

    Excerpt: AWS: Generate API Keys

    Navigate to the IAM Management Console > Users section . The Users list is dis

    1. Navigate to the IAM Management Console > Users section.
    2. The Users list is displayed.
    3. In the User name column, click on the Netskope One DSPM User hyperlink.
    4. The User Summary screen is displayed.
    5. Navigate to the Security credentials tab.
    6. Under the Access Key section, click the Create access key button.
    7. The Create access key modal is displayed.
    8. Download or copy the following values to your local machine for later use:
      1. Access key ID
      2. Secret access key

    Next Steps

    Was this article helpful?

    Still can't find what you are looking for?

    Contact Netskope Technical Support