Learn how SaaS Security API enables you to create a custom
list of S3 buckets to exclude archived data from asset scans.
SaaS Security API enables you to exclude specific
S3 buckets from scans to meet your organization’s compliance needs.
Sometimes organizations designate specific S3 buckets to store data
that is not in use before that data moves to cold storage
(for example, Amazon Glacier). If you have compliance reporting
demands when such data is accessed, you can omit that data from
SaaS Security API has two exclusion lists:
—S3 buckets that SaaS Security API automatically
excludes from scans. CloudTrail logging enables Amazon S3 to
log management and data events to the CloudTrail buckets. SaaS Security
API depends on CloudTrail to identify changes in the S3 account
and buckets. Your log events do not display as assets in the SaaS
Security API web interface because the bucket that you specify in
Primary CloudTrail Bucket
during onboarding will not be scanned. These bucket
names display in the SaaS Security web interface under
Custom exclusion list
—S3 buckets that you manually exclude
from scans. If you specify
order for SaaS Security API to enforce your custom exclusion list,
you must add the bucket names after you onboard the Amazon S3 app—but
before you start scanning.
Otherwise, absent any bucket names, SaaS Security API scans
buckets, then displays those unwanted assets in the SaaS Security
web interface. If you add the bucket names after scanning
begins, SaaS Security API stops scanning those buckets moving forward,
but those unwanted assets remain in SaaS Security API. To remove
those assets, you must delete the Amazon S3 app and repeat the onboarding
process. Similarly, you can delete a bucket name from exclusion,
but previously discovered assets remain unless you delete the cloud app.
Log in to SaaS Security
Cloud Apps & Scan Settings
Click on the
Specify a comma-separated list of bucket names in List of Buckets to Exclude.
: Start scanning,
when you’re ready for SaaS Security API to discover your assets.
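Because a wrong name in the exclusion list leaves that bucket's assets in SaaS Security API until the app is deleted and onboarded again, it helps to check the list before you start scanning. The following is an added example, not part of the product documentation: the function name `build_exclusion_list`, the bucket names, and the idea of comparing against a separately exported bucket inventory are assumptions, and joining with a bare comma is a choice made here.

```python
import re

# General-purpose S3 bucket naming rules: 3-63 characters, lowercase letters,
# digits, dots and hyphens, starting and ending with a letter or digit.
_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def build_exclusion_list(candidates, account_buckets, cloudtrail_bucket):
    """Return (comma_separated_value, problems) for the exclusion field.

    candidates        -- bucket names you intend to exclude
    account_buckets   -- bucket names that actually exist in the account
    cloudtrail_bucket -- the bucket given as Primary CloudTrail Bucket
    """
    known = set(account_buckets)
    keep, problems, seen = [], [], set()
    for raw in candidates:
        name = raw.strip()
        if not name or name in seen:
            continue  # skip blanks and duplicates
        seen.add(name)
        if not _NAME.match(name) or ".." in name or _IPV4.match(name):
            problems.append(f"{name}: not a valid S3 bucket name")
        elif name == cloudtrail_bucket:
            problems.append(f"{name}: CloudTrail bucket, already excluded automatically")
        elif name not in known:
            problems.append(f"{name}: no such bucket in the account (typo?)")
        else:
            keep.append(name)
    return ",".join(keep), problems


if __name__ == "__main__":
    # Constructed sample data, not taken from any real account.
    inventory = ["acme-prod-data", "acme-archive-2021",
                 "acme-archive-2022", "acme-cloudtrail-logs"]
    wanted = ["acme-archive-2021", " acme-archive-2022", "Acme_Archive",
              "acme-archvie-2020", "acme-cloudtrail-logs", "acme-archive-2021"]
    value, problems = build_exclusion_list(wanted, inventory, "acme-cloudtrail-logs")
    print("List of Buckets to Exclude:", value)
    for p in problems:
        print("check:", p)
```

Resolve every reported problem before pasting the value into the exclusion field; a misspelled name is silently a bucket that still gets scanned.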