Welcome to the Netskope One DSPM Knowledge Base


    Connecting to AWS Redshift Data Stores

    Overview

    Netskope One DSPM supports scanning AWS Redshift data stores. Follow these instructions to set up AWS Redshift and configure its connection to Netskope One DSPM.

    Retrieve Connection Information

    Netskope One DSPM requires information about your data store in order to communicate with Redshift. Follow the steps below to identify the connection values for later use within Netskope One DSPM.

    1. Log into your AWS Console and navigate to the Redshift service.
    2. Click Clusters in the left-hand menu.
    3. In the displayed list of clusters, open the Redshift cluster you wish to connect later.
    4. In the General information section, make note of the following values: Endpoint, Port, and Database.

    Create a Netskope One DSPM Service Account


    A service account within the database is required for connecting your data store with the Netskope One DSPM application. Netskope One DSPM provides a Python script which both creates the service account and assigns the necessary non-super-user permissions.

    Prerequisites

    • You have database administrator access for the data store.
    • The following are locally installed:
    • Redshift only: you have validated your setup and AWS environment connectivity using the aws configure command.

    Run Script

    1. Open the command line interface (CLI).
    2. Run the following command to download the script:
    wget https://dasera-release.s3.us-west-2.amazonaws.com/redshift_setup.py


    1. If necessary, navigate to the directory where the script was downloaded.
    2. Run the script.
    3. When prompted, enter the following parameters:
    • Endpoint: enter the corresponding value from the Retrieve Connection Information step above.
    • Database: enter the corresponding value from the Retrieve Connection Information step above.
    • Port: enter the corresponding value from the Retrieve Connection Information step above. 5439 is the default Redshift port number; if you are using a custom port number, be sure to substitute it here.
    • Username: username of the database administrator running this script.
    • Password: password of the database administrator running this script.
    • Username to create for Netskope One DSPM user: the username to create for the Netskope One DSPM DB user. dasera_user is recommended, but you can use any value.
    • Password: password for the Netskope One DSPM DB user.


    When the script is complete, the following message (or similar) will be displayed:

    Created user dasera_user with global select access
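    The redshift_setup.py script itself is not reproduced on this page. As an added illustration of what a non-super-user service account with "global select access" involves, the following Python is example code written for this article, not the Netskope script: it assumes the scanner needs only USAGE on each schema plus SELECT on tables (the schema list is a constructed input), and it checks a candidate password against Redshift's documented CREATE USER rules (8 to 64 printable ASCII characters with an uppercase letter, a lowercase letter and a digit, and none of ' " \ / @ or space) before emitting any SQL, so a run never stops half-way with a user created but no grants applied.

```python
"""Least-privilege SQL for a read-only Redshift scanning account (added example).

Illustrative code, not the vendor's redshift_setup.py. It assumes the service
account needs only USAGE on each schema and SELECT on tables, and it enforces
Redshift's CREATE USER password rules before emitting any statement.
"""
import re

# Characters Redshift rejects in a CREATE USER password (per AWS docs):
# single quote, double quote, backslash, slash, at sign and space.
_FORBIDDEN = set("'\"\\/@ ")


def validate_redshift_password(password: str) -> list[str]:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("length must be 8-64 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("needs an uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("needs a lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    # Anything outside printable ASCII (0x21-0x7E) or in the forbidden set.
    bad = sorted({c for c in password if c in _FORBIDDEN or not 33 <= ord(c) <= 126})
    if bad:
        problems.append("contains disallowed characters: " + "".join(bad))
    return problems


def quote_ident(name: str) -> str:
    """Double-quote an SQL identifier, escaping embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Single-quote an SQL string literal, escaping embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def service_account_sql(username: str, password: str, schemas: list[str]) -> list[str]:
    """Build the statements that create a read-only scanning user.

    Raises ValueError if the password would be rejected by Redshift, so the
    caller never sends a half-finished sequence of statements to the cluster.
    """
    problems = validate_redshift_password(password)
    if problems:
        raise ValueError("; ".join(problems))
    user = quote_ident(username)
    # NOCREATEDB / NOCREATEUSER keep the account from creating databases or users.
    stmts = [f"CREATE USER {user} PASSWORD {quote_literal(password)} NOCREATEDB NOCREATEUSER;"]
    for schema in schemas:
        s = quote_ident(schema)
        stmts.append(f"GRANT USAGE ON SCHEMA {s} TO {user};")
        stmts.append(f"GRANT SELECT ON ALL TABLES IN SCHEMA {s} TO {user};")
        # Tables the admin creates later in this schema become readable as well.
        stmts.append(f"ALTER DEFAULT PRIVILEGES IN SCHEMA {s} GRANT SELECT ON TABLES TO {user};")
    return stmts


if __name__ == "__main__":
    # Constructed sample input: a scanning user over two schemas.
    for statement in service_account_sql("dasera_user", "Scanner2024xyz", ["public", "sales"]):
        print(statement)
```

    The statements are returned rather than executed so they can be reviewed (or fed to a driver of your choice) before anything touches the cluster; note that SELECT alone does not grant the scanner any write path, which is the point of a non-super-user account.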

    Using IAM as Authentication Method

    For Netskope One DSPM to authenticate via IAM, you will need to give Netskope One DSPM the following AWS permission:

    {
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:<region>:<account>:dbuser:<cluster>/<username>",
        "arn:aws:redshift:<region>:<account>:dbname:<cluster>/<database>"
      ]
    }

    Where <username> is the Redshift User (database username) you created above.

    The redshift:GetClusterCredentials permission allows the Netskope One DSPM instance to authenticate as the Redshift User you just created, removing the need to provide the user's password to Netskope One DSPM.

    Note that you must specify both a dbuser and a dbname resource, and the dbname resource identifiers must cover every database you wish Dasera to scan. As an alternative to listing each database explicitly, you can use wildcards. In the example above, if the second resource is replaced with:

    "arn:aws:redshift:<region>:<account>:dbname:<cluster>/*"

    Netskope One DSPM will be able to connect (as <username>) to all databases in the specified cluster. Similarly:

    "arn:aws:redshift:<region>:<account>:dbname:*/*"

    This will allow Netskope One DSPM to connect to all clusters and databases in the given region (provided the database user <username> exists in each cluster).

    If you have Redshift clusters in different regions (but the same AWS account), you will need a separate pair of dbuser and dbname resource lines for each <region>, e.g.

    {
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:<region1>:<account>:dbuser:<cluster>/<username>",
        "arn:aws:redshift:<region1>:<account>:dbname:*/*",
        "arn:aws:redshift:<region2>:<account>:dbuser:<cluster>/<username>",
        "arn:aws:redshift:<region2>:<account>:dbname:*/*"
      ]
    }

    If the Netskope One DSPM instance is going to be installed in an AWS account that is different from the account(s) running the Redshift cluster(s), IAM is not currently supported. The Dasera instance will need to authenticate via password (see below).
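    To show how the dbuser/dbname resource pairs and the wildcards described above combine, here is an added Python example written for this article (not Netskope code). The account ID, region names, cluster name and database names are constructed values, and the matcher approximates IAM's resource evaluation with "*" wildcards on Allow statements only (Deny statements and conditions are ignored). It generates the policy for one or more regions and checks whether a given policy covers a particular user and database, which is the check to run when a scan fails to authenticate.

```python
"""Build and check a redshift:GetClusterCredentials policy (added example).

Illustrative code, not Netskope's. It assumes the resource-ARN shapes shown
above (dbuser:<cluster>/<username>, dbname:<cluster>/<database>) and models
IAM matching as '*' wildcards over Allow statements only.
"""
import fnmatch
import json
from typing import Optional


def build_policy(account: str, regions: list[str], cluster: str, username: str,
                 databases: Optional[list[str]] = None) -> dict:
    """Return a policy granting GetClusterCredentials for one user across regions.

    With databases=None the dbname resource uses the <cluster>/* wildcard, i.e.
    every database in that cluster; otherwise each database is listed explicitly.
    """
    resources = []
    for region in regions:
        prefix = f"arn:aws:redshift:{region}:{account}"
        # Both a dbuser and a dbname resource are required per region.
        resources.append(f"{prefix}:dbuser:{cluster}/{username}")
        if databases is None:
            resources.append(f"{prefix}:dbname:{cluster}/*")
        else:
            resources.extend(f"{prefix}:dbname:{cluster}/{db}" for db in databases)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "redshift:GetClusterCredentials",
            "Resource": resources,
        }],
    }


def _matches(pattern: str, value: str) -> bool:
    """IAM-style match: '*' means any run of characters; '?' and '[' are literal."""
    escaped = pattern.replace("[", "[[]").replace("?", "[?]")
    return fnmatch.fnmatchcase(value, escaped)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy: dict, region: str, account: str, cluster: str,
                  username: str, database: str) -> bool:
    """True only if both the dbuser ARN and the dbname ARN are covered.

    A policy that lists dbname:*/* but a dbuser for one cluster still fails for
    other clusters, which is why the user must be covered per cluster.
    """
    need_user = f"arn:aws:redshift:{region}:{account}:dbuser:{cluster}/{username}"
    need_db = f"arn:aws:redshift:{region}:{account}:dbname:{cluster}/{database}"
    user_ok = db_ok = False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM.
        if not any(_matches(a.lower(), "redshift:getclustercredentials")
                   for a in _as_list(stmt["Action"])):
            continue
        res = _as_list(stmt["Resource"])
        user_ok = user_ok or any(_matches(r, need_user) for r in res)
        db_ok = db_ok or any(_matches(r, need_db) for r in res)
    return user_ok and db_ok


if __name__ == "__main__":
    # Constructed sample: one cluster in two regions, every database in it.
    policy = build_policy("123456789012", ["us-west-2", "us-east-1"], "analytics", "dasera_user")
    print(json.dumps(policy, indent=2))
    print(policy_allows(policy, "us-east-1", "123456789012", "analytics", "dasera_user", "sales"))
```

    The checker is deliberately strict about the dbuser resource: a dbname:*/* wildcard widens which databases can be reached, but GetClusterCredentials still needs the dbuser ARN for the cluster in question, so auditing a policy means checking both halves for every cluster and region you expect the scanner to reach.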


    Connect Your Data Store

    Before attempting to connect an AWS Data Store, be sure you have configured a Netskope One DSPM-specific AWS Service Account and onboarded the AWS Infrastructure for this Data Store. For details, please visit our Introduction to onboarding AWS Accounts article.


    1. Log into the Netskope One DSPM platform.
    2. Navigate to Data Stores → Data Store Inventory.
    3. Use the Discovered tab, then click the CONNECT button under Actions to connect a discovered data store. You will immediately see the Credentials tab with some fields automatically populated.
    4. Alternatively, click the CONNECT A DATA STORE button in the upper right to select a data store type and go through the data store connection UI manually.

    1. The Connect a Data Store modal is displayed, starting with the SELECT DATA STORE tab.
    2. Click on the icon for the Data Store Type you wish to connect. The modal will auto-navigate you to the next tab.
    3. On the PROVIDE CREDENTIALS tab, complete the following fields:
    • Select AWS Account: select one of the AWS Accounts defined within the Infrastructure Section screen. The field defaults if only one AWS Account is configured.
    • Data Store Identifier: provide a friendly name to describe this Data Store. Your value is displayed in other Netskope One DSPM screens such as Policy Management and Classification Management.
    • Data Store Endpoint: enter the corresponding value from the Retrieve Connection Information step above, followed by the port number and database name. For example, for a public IP address like 1.2.3.4 and a database named "example_db", you would enter 1.2.3.4:5439/example_db. 5439 is the default Redshift port number; if you are using a custom port number, be sure to substitute it here.
    • Database Username: enter the corresponding value from the Create a Netskope One DSPM Service Account step above.
    • Authentication Method: select a type based on your available configurations:
        • AWS Identity Access Management (IAM) Role
        • Username / Password
        • AWS Secrets Manager
        • Self-Managed Secrets Manager
    • Password: enter the corresponding value from the Create a Netskope One DSPM Service Account step above.
    • Scan Frequency: controls how often your Data Store is reviewed for changes. Netskope One DSPM's recommended frequency is the default, which you can override if desired.
    • Sidecar Pool: if you will use sidecars to monitor this data store, select a sidecar pool with network visibility to that data store. This field is displayed when there is at least one defined sidecar pool. To learn more, please visit our Sidecar Administration article.


    1. Click the NEXT button. The SELECT CAPABILITIES tab is displayed.
    2. Complete the following fields:
    • Assign a Data Owner (optional): define one or more Platform Users responsible for this Data Store and its data sets.
    • Which databases should Netskope One DSPM scan?: use the field's picklist control to select which databases and schemas should be monitored by the Netskope One DSPM application. By default, all databases and schemas are selected.
    • Features: Netskope One DSPM's recommended feature selections are the default, which you can override if desired. Some features are always-on, some are not applicable (with disabled toggles), while others may request additional configuration. Support for this data store:
        • Discovery: Yes (always-on)
        • Privileges Analysis: Yes
        • Shadow Data Analysis: Yes
        • Classification: Yes
        • Data In Use Monitoring: Yes
        • Automation: Yes (always-on)


    1. Click the SAVE button, which will navigate you to the next tab.
    2. On the REVIEW tab, Netskope One DSPM will validate your credentials and capability selections. In the event of any issues, follow the on-screen instructions to remediate the displayed warnings or errors.
    3. Click the SAVE button to finalize your connection.
