Exclude Amazon S3 Buckets from Scans

Learn how Prisma SaaS enables you to create a custom list of S3 buckets to exclude archived data from asset scans.

Prisma SaaS enables you to exclude specific S3 buckets from scans to meet your organization’s compliance needs. Sometimes organizations designate specific S3 buckets to store data that is not in use before that data moves to cold storage (for example, Amazon Glacier). If accessing such data triggers compliance reporting obligations, you can omit those buckets from scans.
Prisma SaaS has two exclusion lists:
  • Default exclusion list—S3 buckets that Prisma SaaS automatically excludes from scans. CloudTrail logging enables the Amazon S3 app to log management and data events to the CloudTrail buckets. Prisma SaaS depends on CloudTrail to determine whether S3 buckets change. Your log events do not display as assets in the Prisma SaaS web interface because Prisma SaaS automatically adds your CloudTrail buckets to Buckets Ignored by Prisma SaaS.
  • Custom exclusion list—S3 buckets that you manually exclude from scans. If you specify All S3 buckets during single account or multiple accounts onboarding, you have the option to add a custom list of S3 buckets for exclusion.
In order for Prisma SaaS to enforce your custom exclusion list, you must add the bucket names after you onboard the Amazon S3 app but before you start scanning. Otherwise, absent any bucket names, Prisma SaaS scans All S3 buckets, then displays those unwanted assets in the Prisma SaaS web interface. If you add the bucket names after the scan begins, Prisma SaaS stops scanning those buckets moving forward, but those unwanted assets remain in Prisma SaaS. To remove those assets, you must delete the Amazon S3 app and repeat the onboarding process. Similarly, you can delete a bucket name from exclusion, but previously discovered assets remain unless you delete the cloud app.
  1. Log in to Prisma SaaS.
  2. Select Settings > Cloud Apps & Scan Settings.
  3. Click on the Amazon S3 app that you added.
  4. Specify a comma-separated list of bucket names in Custom List of Buckets to Exclude, then Add.
  5. Next Step: Start scanning, when you’re ready for Prisma SaaS to discover your assets.
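The following is an added example, not Prisma SaaS or AWS code: it builds the comma-separated value for Custom List of Buckets to Exclude from a constructed bucket inventory, selecting buckets whose enabled lifecycle rules move objects to a cold storage class and skipping CloudTrail buckets (already in the default exclusion list) and names that are not valid S3 bucket names. The inventory, the CloudTrail bucket set and the dict shape (mirroring S3 lifecycle "Rules"/"Transitions" keys) are assumptions made so the script runs offline.

```python
import re

# Storage classes treated as cold storage for this exclusion use case (assumption).
COLD_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}

# S3 bucket-name rules: 3-63 chars of lowercase letters, digits, dots, hyphens;
# must start and end with a letter or digit and must not look like an IPv4 address.
BUCKET_NAME_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Constructed sample inventory: bucket name -> lifecycle configuration.
SAMPLE_INVENTORY = {
    "archive-staging": {"Rules": [{"Status": "Enabled",
                                   "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}]}]},
    "legal-hold-2019": {"Rules": [{"Status": "Enabled",
                                   "Transitions": [{"Days": 1, "StorageClass": "DEEP_ARCHIVE"}]}]},
    "web-assets-prod": {"Rules": [{"Status": "Enabled",
                                   "Transitions": [{"Days": 60, "StorageClass": "STANDARD_IA"}]}]},
    "cloudtrail-logs-123456789012": {"Rules": [{"Status": "Enabled",
                                   "Transitions": [{"Days": 7, "StorageClass": "GLACIER"}]}]},
    "Disabled_Rule": {"Rules": [{"Status": "Disabled",
                                   "Transitions": [{"Days": 7, "StorageClass": "GLACIER"}]}]},
}

# Constructed: buckets CloudTrail writes to; Prisma SaaS ignores these by default.
SAMPLE_CLOUDTRAIL_BUCKETS = {"cloudtrail-logs-123456789012"}


def transitions_to_cold(lifecycle):
    """True if any enabled lifecycle rule transitions objects to a cold storage class."""
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        for transition in rule.get("Transitions", []):
            if transition.get("StorageClass") in COLD_CLASSES:
                return True
    return False


def build_exclusion_list(inventory, cloudtrail_buckets):
    """Return (comma-separated bucket names for the Prisma SaaS field, skipped entries)."""
    chosen, skipped = [], []
    for name, lifecycle in sorted(inventory.items()):
        if not BUCKET_NAME_RE.match(name):
            skipped.append((name, "invalid bucket name"))
        elif name in cloudtrail_buckets:
            skipped.append((name, "already in default exclusion list"))
        elif transitions_to_cold(lifecycle):
            chosen.append(name)
    return ",".join(chosen), skipped


if __name__ == "__main__":
    value, skipped = build_exclusion_list(SAMPLE_INVENTORY, SAMPLE_CLOUDTRAIL_BUCKETS)
    print("Custom List of Buckets to Exclude:", value)
    for name, reason in skipped:
        print("skipped", name, "-", reason)
```

Paste the printed value into the field before you start scanning; buckets added after the first scan stop being scanned but their already discovered assets remain, as described above.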
