Create the Scan

Objective: Create an On-Demand DLP Scan

At this point, you’ve created three data classifications (based on regular expressions) and some simple policies that use them. Now it’s time to apply all of your policies to the S3 buckets in your AWS account using an On-Demand Scan.

Tasks

Create a Scan

  1. From the main menu bar, select Policy then On-Demand Scan. [Figure: DLP Policy List]
  2. Using the Actions drop-down menu, select Create a Scan.
  3. From the General Info screen, select the DLP & Malware scan type.
  4. Provide a name for the scan, such as “RegEx DLP Scan”.
  5. Under the Service Instance dropdown, select the AWS account you configured earlier.
  6. For Service Type, select Storage (S3).
  7. For Hosted, select Cloud (via API). [Figure: DLP Scan Configuration]
  8. Click Next.

Add All of Your RegEx Policies to the Scan

  1. From the Select Policies page, select all three DLP policies you created earlier (the ones that implement your RegEx classifications). [Figure: Add RegEx Policies]
  2. Click Next.

Configure the Scan

  1. From the Data Scope section, select the Full option and All dates.
  2. In the Buckets section, select the Exclude CloudTrail Buckets option (if available) and set Buckets to Scan to All Buckets.
  3. In the Accounts section, set Accounts to Scan to All Accounts. [Figure: Configure Scan]
  4. Click Next.

(Don’t) Schedule the Scan

  1. Since we are in a lab environment and want to run this scan manually, set the Frequency to None (On-Demand Only).
  2. Click Next.

Review Your Scan Settings

Ensure that your scan settings are similar to those shown below, then click Save. [Figure: Review Scan Settings]
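To make the settings above concrete, here is an added example (not the product's own code, and not part of the original lab) that models what the scan you just configured does: it applies regex-based classifications, wrapped in policies, to every object in scope, honouring the Full / All dates data scope, the Exclude CloudTrail Buckets option, and the Buckets and Accounts filters. The three classifications, the policy names, the bucket and account values, and the S3 objects are all constructed stand-ins for this example; the CloudTrail check is a name-based heuristic assumed here, and the AWS access key value is the placeholder from AWS documentation, not a real credential.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set

# Hypothetical regex classifications standing in for the three created earlier in the lab.
CLASSIFICATIONS = {
    "US-SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "VISA-PAN": re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b"),
    "AWS-ACCESS-KEY": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Hypothetical DLP policies: each one wraps a classification and a match threshold.
POLICIES = [
    {"name": "RegEx SSN Policy", "classification": "US-SSN", "min_matches": 1},
    {"name": "RegEx PAN Policy", "classification": "VISA-PAN", "min_matches": 1},
    {"name": "RegEx AWS Key Policy", "classification": "AWS-ACCESS-KEY", "min_matches": 1},
]


@dataclass(frozen=True)
class S3Object:
    """Minimal stand-in for an S3 object listing entry plus its downloaded content."""
    account: str
    bucket: str
    key: str
    last_modified: date
    body: str


def is_cloudtrail_bucket(bucket: str) -> bool:
    # Assumed name-based heuristic; a real scanner would consult the trail configuration.
    return "cloudtrail" in bucket.lower()


def run_scan(objects: Iterable[S3Object], policies=POLICIES, *,
             since: Optional[date] = None, exclude_cloudtrail: bool = True,
             buckets: Optional[Set[str]] = None,
             accounts: Optional[Set[str]] = None) -> List[Dict]:
    """Apply every policy to every in-scope object and return one finding per hit.

    since=None is the lab's "Full option and All dates" data scope; buckets=None and
    accounts=None correspond to "All Buckets" and "All Accounts".
    """
    findings = []
    for obj in objects:
        if accounts is not None and obj.account not in accounts:
            continue
        if buckets is not None and obj.bucket not in buckets:
            continue
        if exclude_cloudtrail and is_cloudtrail_bucket(obj.bucket):
            continue
        if since is not None and obj.last_modified < since:
            continue
        for policy in policies:
            pattern = CLASSIFICATIONS[policy["classification"]]
            match_count = len(pattern.findall(obj.body))
            if match_count >= policy["min_matches"]:
                findings.append({
                    "account": obj.account, "bucket": obj.bucket, "key": obj.key,
                    "policy": policy["name"],
                    "classification": policy["classification"],
                    "match_count": match_count,
                })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count how many objects violated each policy, which is what the review page rolls up."""
    per_policy: Dict[str, int] = {}
    for finding in findings:
        per_policy[finding["policy"]] = per_policy.get(finding["policy"], 0) + 1
    return per_policy


# Constructed sample objects: two real hits, one hit that lives in a CloudTrail bucket, one clean file.
SAMPLE_OBJECTS = [
    S3Object("111111111111", "acme-hr-data", "onboarding/2023/new-hires.csv", date(2023, 9, 14),
             "name,ssn\nJane Roe,123-45-6789\nJohn Doe,987-65-4321\n"),
    S3Object("111111111111", "acme-finance-archive", "2019/refunds.txt", date(2019, 2, 1),
             "refund to card 4111 1111 1111 1111 approved"),
    S3Object("111111111111", "acme-cloudtrail-logs",
             "AWSLogs/111111111111/CloudTrail/trail.json", date(2023, 9, 15),
             '{"userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}'),
    S3Object("222222222222", "acme-web-assets", "css/site.css", date(2023, 9, 1),
             "body { margin: 0 }"),
]

if __name__ == "__main__":
    for finding in run_scan(SAMPLE_OBJECTS):
        print(finding)
    print(summarize(run_scan(SAMPLE_OBJECTS)))
```

Running the full, all-dates scan reports the HR file (two SSN matches) and the archived refund note (one card number) and skips the CloudTrail bucket, which is why the lab ticks Exclude CloudTrail Buckets: trail logs legitimately contain access key IDs and would otherwise flood the results. Narrowing `since` to a recent date, as an incremental rather than Full scan would, drops the 2019 archive object, which is a hit you would want to keep on a first pass.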