Exclude Amazon S3 Buckets from Scans

Learn how Data Security enables you to create a custom list of S3 buckets to exclude archived data from asset scans.
Data Security enables you to exclude specific S3 buckets from scans to meet your organization’s compliance needs. Sometimes organizations designate specific S3 buckets to store data that is not in use before that data moves to cold storage (for example, Amazon Glacier). If you have compliance reporting demands when such data is accessed, you can omit that data from scans.
Data Security has two exclusion lists:
  • Default exclusion list—S3 buckets that Data Security automatically excludes from scans. CloudTrail logging enables Amazon S3 to log management and data events to the CloudTrail buckets. Data Security depends on CloudTrail to identify changes in the S3 account and buckets. Your log events do not display as assets in the Data Security web interface because the bucket that you specify in CloudTrail Bucket Name or Primary CloudTrail Bucket Name during onboarding will not be scanned. These bucket names display in the SaaS Security web interface under Buckets Ignored.
  • Custom exclusion list—S3 buckets that you manually exclude from scans. If you specify All S3 buckets during single account or multiple accounts onboarding, you have the option to add a custom list of S3 buckets for exclusion.
In order for Data Security to enforce your custom exclusion list, you must add the bucket names after you onboard the Amazon S3 app—but before you start scanning. Otherwise, absent any bucket names, Data Security scans All S3 buckets, then displays those unwanted assets in the SaaS Security web interface. If you add the bucket names after the scan begins, Data Security stops scanning those buckets moving forward, but those unwanted assets remain in Data Security. To remove those assets, you must delete the Amazon S3 app and repeat the onboarding process. Similarly, you can delete a bucket name from exclusion, but previously discovered assets remain unless you delete the cloud app.
  1. Log in to SaaS Security.
  2. Select Settings > Cloud Apps & Scan Settings.
  3. Click the Amazon S3 app that you added.
  4. Specify a comma-separated list of bucket names in Custom List of Buckets to Exclude, then click Add.
  5. Next Step: Start scanning when you’re ready for Data Security to discover your assets.
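Because the custom list only takes effect if it is correct before the first scan, it is worth checking the comma-separated value locally before pasting it into Custom List of Buckets to Exclude. The following Python helper is an added example and is not part of the product documentation or of SaaS Security itself: it parses the list the way the field expects, applies the published AWS S3 bucket naming rules, drops duplicates, and flags names that are already covered by the default exclusion list (the CloudTrail Bucket Name or Primary CloudTrail Bucket Name entered at onboarding). All bucket names in the sample input are constructed for this example.

```python
"""Pre-check a comma-separated S3 bucket exclusion list before pasting it
into "Custom List of Buckets to Exclude".

Added example, not part of the product documentation or SaaS Security
itself. It applies the AWS S3 bucket naming rules locally and flags names
that are already covered by the default exclusion list (the CloudTrail
bucket names given during onboarding), so the custom list contains only
names that will actually change scan scope.
"""
import re
from dataclasses import dataclass, field

# AWS general-purpose bucket naming rules: 3-63 characters, lowercase
# letters, digits, dots and hyphens, starting and ending with a letter or
# digit, no adjacent periods, and not formatted like an IPv4 address.
_BUCKET_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]{1,61})[a-z0-9]$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def is_valid_bucket_name(name: str) -> bool:
    """Return True if `name` satisfies the S3 bucket naming rules."""
    if not _BUCKET_RE.match(name):
        return False
    if _IPV4_RE.match(name):
        return False
    if ".." in name:  # adjacent periods are not allowed
        return False
    return True


@dataclass
class ExclusionCheck:
    accepted: list = field(default_factory=list)        # names to paste into the field
    invalid: list = field(default_factory=list)         # names that violate S3 naming rules
    duplicates: list = field(default_factory=list)      # repeated entries, dropped
    already_default: list = field(default_factory=list) # covered by the CloudTrail exclusion


def check_exclusion_list(raw: str, cloudtrail_buckets=()) -> ExclusionCheck:
    """Parse a comma-separated list as the UI field expects and classify each name.

    `cloudtrail_buckets` are the CloudTrail Bucket Name / Primary CloudTrail
    Bucket Name values entered at onboarding; Data Security already ignores
    those buckets, so listing them again is redundant.
    """
    result = ExclusionCheck()
    seen = set()
    default = set(cloudtrail_buckets)
    for item in raw.split(","):
        name = item.strip()
        if not name:
            continue  # tolerate trailing commas and blank entries
        if name in seen:
            result.duplicates.append(name)
            continue
        seen.add(name)
        if not is_valid_bucket_name(name):
            result.invalid.append(name)
        elif name in default:
            result.already_default.append(name)
        else:
            result.accepted.append(name)
    return result


def to_field_value(check: ExclusionCheck) -> str:
    """Render the accepted names back into the comma-separated form the field takes."""
    return ",".join(check.accepted)


if __name__ == "__main__":
    # Constructed sample input: a pre-Glacier staging bucket, an archive
    # bucket, an entry with uppercase letters and an underscore, a repeat,
    # a trailing comma, and the (made-up) CloudTrail bucket from onboarding.
    sample = ("archive-staging-2023, finance-cold-tier, Archive_Old, "
              "archive-staging-2023, my-cloudtrail-logs,")
    check = check_exclusion_list(sample, cloudtrail_buckets=["my-cloudtrail-logs"])
    print("accepted:       ", check.accepted)
    print("invalid:        ", check.invalid)
    print("duplicates:     ", check.duplicates)
    print("already default:", check.already_default)
    print("field value:    ", to_field_value(check))
```

Only the `accepted` names need to go into the field; anything reported as `invalid` would never match a real bucket, and anything in `already_default` is already shown under Buckets Ignored. Run the check before clicking Add, since a name added after scanning starts stops future scans of that bucket but does not remove assets already discovered.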
