SaaS Security Administrator's Guide
    : Exclude Amazon S3 Buckets from Scans
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. Data Security
    5. Secure Sanctioned SaaS Apps on Data Security
    6. Add Cloud Apps to Data Security
    7. Begin Scanning an Amazon S3 App
    8. Exclude Amazon S3 Buckets from Scans
    Download PDF

    SaaS Security Administrator's Guide

    Exclude Amazon S3 Buckets from Scans

    Table of Contents

    Exclude Amazon S3 Buckets from Scans

    Learn how Data Security enables you to create a custom list of S3 buckets to exclude archived data from asset scans.
    Data Security enables you to exclude specific S3 buckets from scans to meet your organization’s compliance needs. Sometimes organizations designate specific S3 buckets to store data that is not in use before that data moves to cold storage (for example, Amazon Glacier). If you have compliance reporting demands when such data is accessed, you can omit that data from scans.
    Data Security has two exclusion lists:
    • Default exclusion list—S3 buckets that Data Security automatically excludes from scans. CloudTrail logging enables the Amazon S3 to log management and data events to the CloudTrail buckets. Data Security depends on the CloudTrail to identify changes in the S3 account and buckets. Your log events do not display as assets in the Data Security web interface because the bucket that you specify in CloudTrail Bucket Name or Primary CloudTrail Bucket Name during onboarding will not be scanned. These bucket names display in the SaaS Security web interface under Buckets Ignored.
    • Custom exclusion list—S3 buckets that you manually exclude from scans. If you specify All S3 buckets during single account or multiple accounts onboarding, you have the option to add a custom list of S3 buckets for exclusion.
    In order for Data Security to enforce your custom exclusion list, you must add the bucket names after you onboard the Amazon S3 app—but before you start scanning. Otherwise, absent any bucket names, Data Security scans All S3 buckets, then displays those unwanted assets in the SaaS Security web interface. If you add the bucket names after the scan begins, Data Security stops scanning those buckets moving forward, but those unwanted assets remain in Data Security. To remove those assets, you must delete the Amazon S3 app and repeat the onboarding process. Similarly, you can delete a bucket name from exclusion, but previously discovered assets remain unless you delete the cloud app.
    1. Log in to SaaS Security
    2. Select SettingsCloud Apps & Scan Settings.
    3. Click on the Amazon S3 app that you added.
    4. Specify a comma-separated list of bucket names in Custom List of Buckets to Exclude, then Add.
    5. Next Step: Start scanning, when you’re ready for Data Security to discover your assets.

    © 2025 Palo Alto Networks, Inc. All rights reserved.