
    Connecting to AWS Aurora PostgreSQL Data Stores

    Overview


    Netskope One DSPM supports scanning AWS PostgreSQL Data Stores. Follow these instructions to set up your AWS PostgreSQL database and configure its connection to Netskope One DSPM.

    Authenticate Data Store

    There are two methods for authenticating RDS and Aurora data stores: Snapshots or Service Account. 

    Using Snapshots

    Snapshots are quicker and simpler, spinning up a secure copy of the data store for Netskope One DSPM to scan without needing to create a Service Account. This copy exists only within your Netskope One DSPM instance, and Netskope One DSPM does not store any associated data. It is encrypted and then immediately spun down, so there are no lingering data copies. Please note that spinning up the data store copy can cause the scan initiation process to take several hours.

    The following features are not supported when authenticating via Snapshot:

    • Privilege Analysis
    • Data-in-use monitoring
    • Database selection
    • Sample data collection

    Ensure you've enabled data store Snapshots access during AWS Infrastructure onboarding. For already onboarded accounts, you must manually add the AmazonRDSFullAccess permission in the AWS Console.

    Using a Netskope One DSPM Service Account

    Authenticating the data store via service account requires additional configuration steps within AWS and may involve additional administrative support, as outlined below. Service account authentication enables access to all supported capabilities within Netskope One DSPM.


    Begin by configuring a PostgreSQL service account, which will be dedicated to Netskope One DSPM’s use.  There are two approaches you can use for configuring this service account:

    User Type: Super User (Netskope One DSPM-recommended)
        Benefits: Can automatically access new schemas and databases as they are created.
        Drawbacks: Some customers are not comfortable with granting super user access.

    User Type: Non-Super User
        Benefits: Useful for customers who wish to grant Netskope One DSPM access to only the data within scanning scope.
        Drawbacks: Must be explicitly granted access to new schemas and databases.

    Super User (Netskope One DSPM-recommended)

    1. As an administrator, log into your PostgreSQL database's shell using these AWS instructions.
    2. Create the Netskope One DSPM-specific PostgreSQL user by executing the following commands in order:

    Command: CREATE USER dasera_user WITH PASSWORD 'dasera_password' LOGIN;
        Outcome: Creates the Netskope One DSPM-specific user.
        Notes: Substitute dasera_user and dasera_password with your own preferred values.

    Command: GRANT rds_superuser TO dasera_user;
        Outcome: Grants the Netskope One DSPM-specific user the permissions that power capabilities within the Netskope One DSPM platform.
        Notes: Substitute dasera_user with your own preferred value.
     
     

    Non-Super User

    1. As an administrator, log into your PostgreSQL database's shell using these AWS instructions.
    2. Create the Netskope One DSPM-specific PostgreSQL user by executing the following commands in order:

    Command: CREATE USER dasera_user WITH PASSWORD 'dasera_password' LOGIN;
        Outcome: Creates the Netskope One DSPM-specific user.
        Notes: Substitute dasera_user and dasera_password with your own preferred values.

    Command: GRANT SELECT ON ALL TABLES IN SCHEMA public TO dasera_user;
        Outcome: Grants the Netskope One DSPM-specific user the permissions that power capabilities within the Netskope One DSPM platform.
        Notes: Substitute dasera_user with your own preferred value. This command must be run for each schema or database you wish Netskope One DSPM to scan.

    Command: ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES TO dasera_user;
        Outcome: Lets the Netskope One DSPM-specific user access any new tables added in the future, for schemas and databases it can already access.
        Notes: Substitute dasera_user with your own preferred value. This command must be run for each schema or database you wish Netskope One DSPM to scan.
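The non-super-user steps above carried through as one script, added here as an example and not taken from the Netskope One DSPM article. It goes slightly beyond the table: it grants the schema USAGE that a read-only role needs on schemas other than public, and it ends with queries that confirm the role holds SELECT and nothing else. The role name dasera_user follows the article; the database name example_db, the schema list and the password placeholder are constructed and must be substituted. Run it as a database administrator (for example the RDS master user) inside each database that Netskope One DSPM should scan.

```sql
-- Added example: least-privilege scanning role for the non-super-user setup.
-- Not from the Netskope One DSPM article. Run as a database administrator
-- inside each database to be scanned. Names marked "constructed" are placeholders.

-- 1. Roles are cluster-wide, so create the scanning role once.
--    NOSUPERUSER/NOCREATEDB/NOCREATEROLE keep it to login plus read access.
CREATE ROLE dasera_user WITH LOGIN
    PASSWORD '<replace-with-a-strong-password>'   -- placeholder, substitute
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Per database: the role must be allowed to connect before any table
--    grant is usable.
GRANT CONNECT ON DATABASE example_db TO dasera_user;   -- example_db: constructed

-- 3. Per schema: USAGE on the schema is required in addition to SELECT on
--    its tables. The article's GRANT SELECT alone suffices only where USAGE
--    already exists (as it does for public by default).
DO $$
DECLARE
    s text;
BEGIN
    FOREACH s IN ARRAY ARRAY['public', 'sales'] LOOP          -- constructed list
        EXECUTE format('GRANT USAGE ON SCHEMA %I TO dasera_user', s);
        EXECUTE format('GRANT SELECT ON ALL TABLES IN SCHEMA %I TO dasera_user', s);
        -- Default privileges only cover objects later created by the role
        -- named in FOR ROLE (here: the role running this block). Repeat with
        -- "ALTER DEFAULT PRIVILEGES FOR ROLE <table_owner> IN SCHEMA ..." for
        -- every role that creates tables, or its new tables stay invisible.
        EXECUTE format(
            'ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT SELECT ON TABLES TO dasera_user', s);
    END LOOP;
END
$$;

-- 4. Verify the scope: every table grant held by the role should be SELECT.
SELECT table_schema, table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  grantee = 'dasera_user'
ORDER  BY table_schema, table_name;

-- A non-zero count here means the role can do more than read.
SELECT count(*) AS non_select_grants
FROM   information_schema.role_table_grants
WHERE  grantee = 'dasera_user'
AND    privilege_type <> 'SELECT';

-- 5. Confirm the role cannot escalate: all three columns should be false.
SELECT rolsuper, rolcreaterole, rolcreatedb
FROM   pg_roles
WHERE  rolname = 'dasera_user';
```

Keep the verification queries handy: re-running steps 4 and 5 after each schema change is the quickest way to confirm the scanner's access has not drifted beyond read-only.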
     
     
     

    Configure Query Logging


    Netskope One DSPM's Data In Use Monitoring capability requires access to query logging. If you wish to use this capability, you must configure your PostgreSQL database to generate such logs. This includes configuring parameters and establishing a log retrieval function.

    Please follow the steps below to define these configurations.

    Set Query Logging Parameters

    1. Click this link to log into your AWS RDS Console, which will navigate you to the RDS service.
    2. Under Amazon RDS in the left-hand menu, navigate to Parameter groups.
    3. Select an existing parameter group for your PostgreSQL database. If one does not exist, create a new one using these AWS instructions.
    4. On the next screen, click the Edit parameters button.
    5. Using the search box, find the following parameter keys and set the corresponding values:

    Parameter Key                 Parameter Value
    log_statement                 all
    log_min_duration_statement    0
    log_rotation_age              any value between 60 and 1440 (minutes)
    log_destination               csvlog
    logging_collector             1
    log_filename                  postgresql.log.%Y-%m-%d-%H
    log_retention_period          4320

    Create a Log Retrieval Function

    The following steps may require the assistance of your local database administrator.

    1. Download the latest (master) Amazon RDS / Aurora Logging function script from the aws-samples GitHub repository.
    2. As an administrator, log into your PostgreSQL database's shell using these AWS instructions.
    3. Run the downloaded script within your shell to create the necessary logging function. Once it has run successfully, you should see the following five functions created in the logs schema.

    To validate, call the new function once by executing select public.load_postgres_log_files(); this loads the query logs into the postgres_logs table. You can also run select * from logs.postgres_logs to check the query log output.
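A fuller validation than the single call above, added here as an example; it is not part of the article or of the aws-samples script. It checks that the parameter values from the previous section are actually in effect, plants one recognisable statement, loads the logs, and confirms the statement was captured. It assumes logs.postgres_logs carries the standard PostgreSQL csvlog column names (log_time, user_name, database_name, message); the loader function name follows the article, and the probe alias is constructed.

```sql
-- Added example: verify query logging before enabling Data In Use Monitoring.
-- Not from the Netskope One DSPM article or the aws-samples script. Run as the
-- database administrator after the parameter group has been applied.
-- Assumes logs.postgres_logs uses the standard csvlog columns.

-- 1. Live settings must match the parameter group. pending_restart = true
--    means the instance still needs a reboot before the value takes effect;
--    logging_collector and log_destination in particular require one.
SELECT name, setting, unit, pending_restart
FROM   pg_settings
WHERE  name IN ('log_statement', 'log_min_duration_statement',
                'log_rotation_age', 'log_destination',
                'logging_collector', 'log_filename')
ORDER  BY name;

-- 2. Issue one statement that is easy to find, then load the latest files.
SELECT 1 AS dspm_logging_probe;               -- constructed marker
SELECT public.load_postgres_log_files();

-- 3. With log_statement = all, the probe is logged as a "statement:" line.
--    If it does not appear, the files are not yet being written or loaded.
SELECT log_time, user_name, database_name, message
FROM   logs.postgres_logs
WHERE  message LIKE 'statement: %dspm_logging_probe%'
ORDER  BY log_time DESC
LIMIT  5;

-- 4. Activity by role: Data In Use Monitoring is only as complete as this
--    table, so application roles (not just the scanner's own user) should
--    appear with realistic statement counts.
SELECT user_name, database_name, count(*) AS logged_statements
FROM   logs.postgres_logs
WHERE  message LIKE 'statement: %'
GROUP  BY user_name, database_name
ORDER  BY logged_statements DESC;
```

If step 3 returns nothing while step 1 shows pending_restart = true, reboot the instance and repeat from step 2; if step 4 lists only the administrator and the scanner, query logging is working but the application traffic Data In Use Monitoring is meant to observe is not reaching this database.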

    Retrieve Connection Information


    Netskope One DSPM will require information about your data store in order to communicate with your PostgreSQL database. Please follow the steps below to identify the connection values for later use within Netskope One DSPM.

    1. Click this link to log into your AWS RDS Console, which will navigate you to the RDS service.
    2. Under Amazon RDS in the left-hand menu, navigate to Databases.
    3. For the database you wish Netskope One DSPM to scan, click its link in the DB Identifier column. For Aurora PostgreSQL, be sure to choose a database with Role = "Writer Instance" (instead of "Regional cluster").
    4. In the Connectivity & security section, make note of the following values:

    Highlight Color    Corresponding Netskope One DSPM Value
    Blue (Endpoint)    Data Store Endpoint
    Grey (Port)        Data Store Endpoint

    Connect Your Data Store

    Before attempting to connect an AWS Data Store, be sure you have configured a Netskope One DSPM-specific AWS Service Account and onboarded the AWS Infrastructure for this Data Store. For details, please visit our Introduction to onboarding AWS Accounts article.


    1. Log into the Netskope One DSPM platform.
    2. Navigate to Data Stores → Data Store Inventory.
    3. Use the Discovered tab, then click the CONNECT button under Actions to connect a discovered data store. You'll immediately see the Credentials tab with some fields automatically populated.
    4. Alternatively, click the CONNECT A DATA STORE button in the upper right to select a data store type and go through the data store connection UI manually.
    5. The Connect a Data Store modal is displayed, starting with the SELECT DATA STORE tab.
    6. Click on the icon for the Data Store Type you wish to connect. The modal will auto-navigate you to the next tab.
    7. On the PROVIDE CREDENTIALS tab, complete the following fields:

    Select AWS Account
        Select one of the AWS Accounts defined within the Infrastructure Section screen. The field defaults if there is just one AWS Account configured.

    Data Store Identifier
        Provide a friendly name to describe this Data Store. Your value is displayed in other Netskope One DSPM screens such as Policy Management and Classification Management.

    Data Store Endpoint
        Enter the corresponding value from the Retrieve Connection Information step above, plus the port number and database name. For example, for a public IP address like 1.2.3.4 and a database named "example_db", you would enter 1.2.3.4:5432/example_db.
        5432 is the default PostgreSQL port number. If you are using a custom port number, be sure to substitute it here.

    Database Username (if Service Account)
        Enter the corresponding value from the Using a Netskope One DSPM Service Account step above.

    Password (if Service Account)
        Enter the corresponding value from the Using a Netskope One DSPM Service Account step above.

    Scan Frequency
        Controls how often your Data Store is reviewed for changes. Netskope One DSPM's recommended frequency is the default, which you can override if desired.

    Sidecar Pool
        If you will use sidecars to monitor this data store, select a sidecar pool with network visibility to that data store. This field is displayed when there is at least one defined sidecar pool. To learn more, please visit our Sidecar Administration article.


    1. Click the NEXT button. The SELECT CAPABILITIES tab is displayed.
    2. Complete the following fields:
    • Assign a Data Owner (optional): define one or more Platform Users responsible for this Data Store and its data sets.
    • Which databases should Netskope One DSPM scan?: use the field's picklist control to select which databases and schemas should be monitored by the Netskope One DSPM application. By default, all databases and schemas are selected.
    • Features: Netskope One DSPM's recommended feature selections will be defaulted, which you can override if desired. Some features are always-on, some are not applicable (with disabled toggles), while others may request additional configurations.

    Feature support for AWS Aurora PostgreSQL:

    Feature                   Via Service Account    Via Snapshots
    Discovery                 Yes (always-on)        Yes
    Privilege Analysis        Yes                    No
    Shadow Data Analysis      No                     No
    Classification            Yes                    Yes
    Data In Use Monitoring    Yes (see note)         No
    Automation                Yes (always-on)        Yes

    Note: Query logging must be configured before enabling Data In Use Monitoring. See the Configure Query Logging section above.


    1. Click the NEXT button, which will navigate you to the next tab.
    2. On the REVIEW tab, Netskope One DSPM will validate your credentials and capability selections. In the event of any issues, follow the on-screen instructions to remediate the displayed warnings or errors.
    3. Click the SAVE button to finalize your connection.
