Exclude Amazon S3 Buckets from Scans

Learn how SaaS Security API enables you to create a custom list of S3 buckets to exclude archived data from asset scans.
SaaS Security API enables you to exclude specific S3 buckets from scans to meet your organization’s compliance needs. Sometimes organizations designate specific S3 buckets to store data that is not in use before that data moves to cold storage (for example, Amazon Glacier). If you have compliance reporting demands when such data is accessed, you can omit that data from scans.
SaaS Security API has two exclusion lists:
  • Default exclusion list—S3 buckets that SaaS Security API automatically excludes from scans. CloudTrail logging enables Amazon S3 to log management and data events to the CloudTrail buckets. SaaS Security API depends on CloudTrail to identify changes in the S3 account and buckets. Your log events do not display as assets in the SaaS Security API web interface because the bucket that you specify in CloudTrail Bucket Name or Primary CloudTrail Bucket Name during onboarding will not be scanned. These bucket names display in the SaaS Security web interface under Buckets Ignored.
  • Custom exclusion list—S3 buckets that you manually exclude from scans. If you specify All S3 buckets during single account or multiple accounts onboarding, you have the option to add a custom list of S3 buckets for exclusion.
In order for SaaS Security API to enforce your custom exclusion list, you must add the bucket names after you onboard the Amazon S3 app—but before you start scanning. Otherwise, absent any bucket names, SaaS Security API scans All S3 buckets, then displays those unwanted assets in the SaaS Security web interface. If you add the bucket names after the scan begins, SaaS Security API stops scanning those buckets moving forward, but those unwanted assets remain in SaaS Security API. To remove those assets, you must delete the Amazon S3 app and repeat the onboarding process. Similarly, you can delete a bucket name from exclusion, but previously discovered assets remain unless you delete the cloud app.
  1. Log in to SaaS Security.
  2. Select Settings > Cloud Apps & Scan Settings.
  3. Click on the Amazon S3 app that you added.
  4. Specify a comma-separated list of bucket names in Custom List of Buckets to Exclude, then Add.
  5. Next Step: Start scanning when you’re ready for SaaS Security API to discover your assets.
