

Netskope Global Technical Success (GTS)

Use Case - Allow AWS Management Console access - Corporate Instances

 

Netskope Cloud Version - 121

 

Objective

Allow AWS Management Console access only for corporate AWS instances (or corporate user accounts) and block logins to any other AWS account.

 

Prerequisite

A Netskope CASB Inline license is required (both methods use Real-time Protection policies on inline traffic).

 

Context

The customer wants to ensure that users going through Netskope can log in to the AWS Management Console only with corporate AWS accounts, and are blocked when they try to log in with a personal or third-party AWS account.

 

Configuration

There are two ways to achieve this use case:

 

  1. Method 1: Using App Instance ID
  2. Method 2: Using User Constraint

 

Method 1 - Using App Instance ID: 

  • Step 1: Instance Tagging

You can refer to this document for detailed instructions on how to tag application instances: https://community.netskope.com/real-time-protection-key-policies-72/how-to-tag-application-instances-6275?tid=6275&fid=72

Path - Netskope Tenant UI >>> Policies >>> Profiles >>> App Instance >>> New Custom App Instance >>> New App Instance


Note - To find the instance ID you need to tag, have a user log in to the corporate AWS account and look at the Instance ID field of the resulting Amazon Web Services Console events under Application Events (Skope IT); use that value when creating the App Instance.

  • Step 2: Real-time policies

 

First, create a Real-time Protection policy that allows the Amazon Web Services Console app, with the corporate App Instance tagged in Step 1 selected as the instance:

 

Then create a second policy that blocks the "Login Successful" activity for the Amazon Web Services Console app. Do not restrict this policy to an instance, so that it matches logins to every other AWS account:

 

Make sure the allow policy is listed above the block policy. Real-time Protection policies are evaluated top to bottom and the first match decides the action, so if the block policy comes first it also matches corporate logins and nobody can sign in.



 

  • Step 3: Test the configuration. Log in to the AWS Management Console with your corporate account; the login should succeed. Then log in with credentials for an AWS account that is not tagged as a corporate instance; that login should be blocked.


 

Method 2 - Using User Constraint:

The same result can be achieved with a User Constraint instead of instance tagging, by matching on the user identity observed in the login rather than on the AWS instance.

 

To create the user constraint, go to Policies >>> Profiles >>> Constraint >>> Users and create a new one.

 

Define the constraint so that it matches user accounts outside your corporate domain (the example configuration uses the netskope domain; replace it with your own corporate domain). Match on the full domain rather than a substring, so that a look-alike address such as user@yourdomain.com.example is not treated as corporate.

 


 

Then assign the user constraint to a single Real-time Protection policy that blocks access to the Amazon Web Services Console app. Because the constraint selects only non-corporate users, those logins are blocked while corporate accounts do not match the policy and fall through to the default allow; no separate allow policy is needed.

 


  • Policy Configuration: one policy with the Amazon Web Services Console app as the destination, the user constraint created above applied, and the action set to Block.
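The following is an added example, not Netskope's code or configuration, that models the first-match evaluation behind both methods: it shows why the Method 1 allow policy must sit above the block policy, and why the Method 2 user constraint should compare the whole domain rather than a substring. The policy names, the AWS account IDs, the domain example.com and the sample login events are all constructed for illustration; which match operator the real constraint uses is not stated on this page, so the exact-domain comparison below is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

APP = "Amazon Web Services Console"

# Constructed values: the tagged corporate instance (Method 1) and the
# corporate domain behind the user constraint (Method 2).
CORPORATE_INSTANCES = {"111122223333"}
CORPORATE_DOMAIN = "example.com"


@dataclass(frozen=True)
class Event:
    app: str
    activity: str
    user: str          # login identity observed in the activity
    instance_id: str   # instance identifier attached to the event


@dataclass(frozen=True)
class Policy:
    name: str
    action: str        # "allow" or "block"
    match: Callable[[Event], bool]


def evaluate(policies: List[Policy], event: Event) -> Tuple[str, Optional[str]]:
    """Top-to-bottom, first-match evaluation; no match means the event is allowed."""
    for policy in policies:
        if policy.match(event):
            return policy.action, policy.name
    return "allow", None


def is_corporate_user(user: str, domain: str = CORPORATE_DOMAIN) -> bool:
    """Compare the whole domain after the last '@' (assumed operator).

    A substring test such as `"example.com" in user` also accepts
    alice@example.com.attacker.net, which is why the full label is compared.
    """
    _, at, host = user.rpartition("@")
    return at == "@" and host.lower() == domain.lower()


def method1_policies(allow_first: bool = True) -> List[Policy]:
    """Method 1: allow the tagged corporate instance, block every other login."""
    allow = Policy("Allow AWS Console - corporate instance", "allow",
                   lambda e: e.app == APP and e.instance_id in CORPORATE_INSTANCES)
    block = Policy("Block AWS Console - Login Successful", "block",
                   lambda e: e.app == APP and e.activity == "Login Successful")
    return [allow, block] if allow_first else [block, allow]


def method2_policies() -> List[Policy]:
    """Method 2: one block policy whose user constraint selects non-corporate users."""
    block = Policy("Block AWS Console login - non-corporate user", "block",
                   lambda e: e.app == APP and e.activity == "Login Successful"
                   and not is_corporate_user(e.user))
    return [block]


def check_order(policies: List[Policy]) -> List[str]:
    """Flag allow policies listed below a block policy: they never fire for
    events the earlier block policy already matches."""
    findings, seen_block = [], False
    for policy in policies:
        if policy.action == "block":
            seen_block = True
        elif seen_block:
            findings.append(f"'{policy.name}' is listed below a block policy")
    return findings


# Constructed sample login events
CORPORATE_LOGIN = Event(APP, "Login Successful", "alice@example.com", "111122223333")
PERSONAL_LOGIN = Event(APP, "Login Successful", "alice@gmail.com", "999988887777")
LOOKALIKE_LOGIN = Event(APP, "Login Successful", "alice@example.com.attacker.net", "999988887777")

if __name__ == "__main__":
    cases = (("Method 1", method1_policies()),
             ("Method 1, block listed first", method1_policies(allow_first=False)),
             ("Method 2", method2_policies()))
    for label, policies in cases:
        print(label, "->", check_order(policies) or "order OK")
        for event in (CORPORATE_LOGIN, PERSONAL_LOGIN, LOOKALIKE_LOGIN):
            print("   ", event.user, event.instance_id, "->", evaluate(policies, event))
```

Running the script prints, for each policy set, whether the ordering is sound and the decision for a corporate login, a personal-account login and a look-alike-domain login. The reversed Method 1 ordering blocks the corporate login as well, which is the misconfiguration Step 2 warns about.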

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • The vendor may change the application's functionality in the future. If such changes are brought to our attention, we will update the documentation promptly to reflect them.

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 
