Overview
Any of the following data store types that allow for Username and Password-based authentication can alternatively be authenticated using AWS Secrets Manager.
AWS, Snowflake, Self-Managed Oracle, and Self-Managed MySQL
This method offers an additional layer of security, as Service Account credentials are not stored within the Netskope One DSPM application and will be updated automatically according to the information within your AWS Secrets Manager.
This article will outline setup and usage of AWS Secrets Manager for Data Store authentication.
Note: The Create Netskope One DSPM Service Account and Retrieve Connection Information steps must be completed for each data store connection before proceeding with authentication.
Create and store your AWS Secret
1. From your AWS Console, navigate to AWS Secrets Manager.
2. Click the Store a new secret button.
3. Select the Secret type based on the type of database you're connecting with Netskope One DSPM.
4. Under Credentials, enter the User name and Password you created for the Netskope One DSPM Service Account for the database you're connecting.
5. Under Cluster, select the DB cluster you're connecting with Netskope One DSPM.
6. Click Next.
7. Enter a name for your secret that you will remember and that indicates its use for Netskope One DSPM.
8. Complete all remaining steps in the flow.
9. Your newly created secret will appear at the top of the list of secrets.
10. Click on the name of the secret in the top left, then make note of the Secret ARN value.
(Screenshot not reproduced: the value highlighted in blue is the Secret ARN.)
Grant permission to your AWS IAM Policy
In order to use AWS Secrets Manager to authenticate data stores, you need to grant specific permission within your custom policy attached to the IAM Role for your Netskope One DSPM service account.
Within your custom policy, either via the Visual or JSON editor:
- Add the permission secretsmanager:GetSecretValue.
- Limit the permission to the specific secret ARNs noted in step 10 above, rather than a wildcard resource.
Once saved and updated, the policy will look like this:
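The screenshot of the resulting policy is not reproduced here. As an added example (not Netskope's own documentation or code), the following Python builds the statement described above, a single Allow for secretsmanager:GetSecretValue scoped to explicit secret ARNs, and includes a check you can run against any policy document before attaching it to the DSPM role to confirm that no Secrets Manager grant is broader than that. The account id and secret names are constructed placeholders; substitute the Secret ARN values from step 10.

```python
import json
import re

# Constructed placeholders: the secrets the Netskope One DSPM role may read.
# Replace with the Secret ARN values noted in step 10 (account id 111122223333
# and the secret names are invented for this example).
ALLOWED_SECRET_ARNS = [
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:dspm/prod-mysql-AbCdEf",
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:dspm/prod-oracle-GhIjKl",
]

# The statement to add to the custom policy attached to the DSPM IAM role:
# only GetSecretValue, and only on the listed secrets.
DSPM_SECRETS_STATEMENT = {
    "Sid": "NetskopeDspmReadSecrets",
    "Effect": "Allow",
    "Action": "secretsmanager:GetSecretValue",
    "Resource": ALLOWED_SECRET_ARNS,
}

POLICY_DOCUMENT = {"Version": "2012-10-17", "Statement": [DSPM_SECRETS_STATEMENT]}

# A specific secret ARN: fixed partition/service, a region, a 12-digit account,
# and a secret name with no wildcard characters.
SECRET_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^*?]+$"
)


def policy_json():
    """Render the policy document as the JSON you would paste into the editor."""
    return json.dumps(POLICY_DOCUMENT, indent=2)


def _as_list(value):
    # IAM allows Action/Resource/Statement to be a single string or a list.
    return value if isinstance(value, list) else [value]


def check_secrets_scope(policy):
    """Return a list of findings about Secrets Manager grants in a policy.

    An empty list means every Allow statement touching Secrets Manager grants
    only secretsmanager:GetSecretValue and names explicit secret ARNs.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        sm_actions = [
            a for a in actions if a == "*" or a.lower().startswith("secretsmanager:")
        ]
        if not sm_actions:
            continue  # statement does not touch Secrets Manager
        sid = stmt.get("Sid", "<no Sid>")
        for action in sm_actions:
            if action.lower() != "secretsmanager:getsecretvalue":
                findings.append(
                    f"{sid}: action {action!r} is broader than secretsmanager:GetSecretValue"
                )
        for resource in _as_list(stmt.get("Resource", [])):
            if not SECRET_ARN_RE.match(resource):
                findings.append(f"{sid}: resource {resource!r} is not a specific secret ARN")
    return findings


if __name__ == "__main__":
    print(policy_json())
    problems = check_secrets_scope(POLICY_DOCUMENT)
    print("scope check:", "ok" if not problems else problems)
```

Run the script to print the policy JSON; `check_secrets_scope` flags a `secretsmanager:*` action or a `*` / `secret:*` resource, which is the common mistake when the permission is added through the Visual editor without restricting resources.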
Authenticate Data Store in Netskope One DSPM using your AWS Secret
- Complete relevant first steps to connect your Data Store, including creating your Netskope One DSPM Service Account and Retrieving Connection information.
- In the Provide Credentials modal, create a Data Store Identifier and paste in the Endpoint value, as normal.
- Paste in the value retrieved in step 10 above in the Secret ARN field.
- Click Next.
- Follow the prompts to finish connecting your Data Store.
Going forward, at each Data Store scan the latest Username and Password are retrieved from AWS Secrets Manager via the Secret ARN and used for that scan only; they are never persisted within the Netskope One DSPM application.