Cloud Storage Security Help Docs
Release Notes
  • Introduction
  • Getting Started
    • How to Subscribe
      • Pay-As-You-Go (PAYG)
      • Bring Your Own License/GovCloud (BYOL)
      • AWS Transfer Family
    • How to Deploy
      • Steps to Deploy
      • Advanced Deployment Considerations
      • AWS Transfer Family
    • How to Configure
  • Console Overview
    • Dashboard
    • Malware Scanning
      • AWS
        • Buckets
        • Amazon EBS Volumes
        • Amazon EFS Volumes
        • Amazon FSx Volumes
        • WorkDocs Connections
      • Azure
        • Blob Containers
      • GCP
        • GCP Buckets
    • See What's Infected
      • Findings
      • Malware History
      • Results
    • Schedules
    • Monitoring
      • Error Logs
      • Bucket Settings
      • Deployment
      • Jobs
      • Notifications
      • Storage Assessment
      • Usage
    • Configuration
      • Classification Rule Sets
      • Classification Custom Rules
      • Scan Settings
      • Console Settings
      • AWS Integrations
      • Job Networking
      • API Agent Settings
      • Proactive Notifications
      • License Management
      • Event Agent Settings
    • Access Management
      • Manage Users
      • Manage Accounts
        • Linking an AWS Account
        • Linking an Azure Account
        • Linking a GCP Account
      • Manage Groups
    • Support
      • Getting Started
      • Stay Connected
      • Contact Us
      • Documentation
  • Product Updates
  • How It Works
    • Scanning Overview
      • Event Driven Scanning for New Files
      • Retro Scanning for Pre-Existing Files
      • API Driven Scanning
    • Architecture Overview
    • Deployment Details
    • Sizing Discussion
    • Integrations
      • AWS Security Hub
      • AWS CloudTrail Lake
      • AWS Transfer Family
      • Amazon GuardDuty
      • Amazon Bedrock
    • Demo Videos
    • Scanning APIs
    • SSO Integrations
      • Entra ID SSO Integration
      • Okta SSO Integration
  • Frequently Asked Questions
    • Getting Started
    • Product Functionality
    • Architecture Related
    • Supported File Types
  • Troubleshooting
    • CloudFormation Stack failures
    • Cross-Region Scanning on with private network
    • API Scanning: Could not connect to SSL/TLS (v7)
    • Password not received after deployment
    • Conflicted buckets
    • Modifying scaling info post-deployment
    • Objects show unscannable with access denied
    • Remote account objects not scanning
    • My scanning agents keep starting up and immediately shutting down
    • I cannot access the management console
    • Linked Account Out of Date
    • Rebooting the Management Console
    • Error when upgrading to the latest major version
    • I Cannot Create/Delete an API Agent
  • Release Notes
    • Latest (v8)
    • v7
    • v6 and older
  • Contact Us & Support
  • Data Processing Agreement
  • Privacy Policy
Powered by GitBook
On this page
  • Step 1 - Launch and sign into the Management Console
  • Sign into the Management Console
  • Step 2 - Enable Scanning and/or Classification
  • Enable API Scanning for Antivirus for Amazon S3 (optional)
  1. Getting Started

How to Configure

Once you've deployed Amazon S3 and/or Data Classification for Amazon S3 you can start to configure your settings through the management console.

PreviousAWS Transfer FamilyNextConsole Overview

Last updated 1 year ago

As we saw in the previous steps, we have made some configuration decisions already such as networking and container and queue sizing. The remaining configuration revolves around enabling scanning on your preferred buckets. We've made this simple for you. Now that we have subscribed to and deployed, let's jump into the Console to start scanning your buckets.

It may take a few minutes for DNS to propagate the URL of your management console. If you are unable to load the URL provided in the email/CloudFormation Outputs then wait a few minutes. If it continues to be an issue, check the to see if it is another issue or .

The email with the login credentials arrives in your inbox even before the CloudFormation deployment completes. Please wait until you see the stack creation process complete to access the console.

Step 1 - Launch and sign into the Management Console

Open your browser of choice (Chrome, Firefox, Edge, Safari, etc.) and navigate to the access URL you retrieved in the . You will be taken to the Console Login page as seen below.

During deployment, you were sent an email with information on how to sign in to the console. This email contains the current access URL as well. You can simply click that to launch the console.

Each additional user created through the console will also receive a similar email.

Sign into the Management Console

As seen above, an email is sent to you to provide your User Name and Temporary Password. Place the username and temporary password into the appropriate fields and click Log in.

The first thing you must do is replace the temporary password by creating a new password for your user.

Clicking Change Password will save your new password and pass you through to the console dashboard.

You must have at least one internal user setup and usable to enable the SSO users (one time) within the console.

Step 2 - Enable Scanning and/or Classification

Once you've signed in for the first time after deploying either of our products you'll notice the top information banner indicating the following:

The information banner has 5 steps to get you started. All 5 steps have links to useful spots in the documentation to quickly get you started. The second will also direct you to the Bucket Protection page under Configuration where you will be able to enable your first bucket for scanning. Click the Switch to the Protected Buckets page link to enable your first Amazon S3 Bucket.

You could also have selected Bucket Protection from the left navigation.

Displayed to you are all of the buckets within your AWS account. It is quite easy to enable scanning for a bucket, simply select one or multiple checkboxes (or leverage Select Visible to select all currently shown) for the buckets you wish to protect and select Turn On Selected from the Actions drop-down button at the top of the bucket list. To get started pick a bucket in the same region as your console and turn it on. This will enabled the bucket for new object, event-based scanning.

Info

There are 3 types of protection we will be getting into more detail as we go. But, those 3 types are: event-based (this is real-time protection), schedule-based (protection on a schedule) and on-demand protection. As stated above, you enabled the event-based real-time protection with what you just did above.

You will also be prompted to scan the existing objects in the bucket(s). You have the choice to skip this by clicking the Don't Scan button or follow the instructions to select some or all of the buckets you had turned on to scan the existing objects as well.

Clicking Don't Scan will not turn off event based scanning for those buckets you turned on. It will only skip the scanning of existing objects.

Enabling a bucket(s) will automatically deploy the Agent Scanner in the region the bucket is located. If you selected buckets from multiple regions, you will get an Agent Scanner in each.

You may see rows with a yellow, red or purple background color (you should not see purple on your initial installation) to them. Yellow and red colors (as seen above) indicate there could be a conflict with activating event-based scanning for those particular buckets and you may have to take additional steps to enable scanning.

Which Resources do I Protect?

Protect them all! As simple as that sounds, you can decide which resources you do and don't want to protect. All resources with any public aspects to them should be scanned. Any resources you share with others (public or not) should generally be scanned as you want to ensure what is shared is clean. No matter whether you choose to enable all or a subset it is easy and you can feel comfortable your files will be clean. Resources that may be written by trusted programs like CloudTrail may not need to be scanned, but can be if regulations require you to.

Enabling Buckets in Other Regions

This solution is designed to scan all of your buckets, whether in one or multiple regions. If you select buckets in regions other than the console for the first time, you will be prompted to select a VPC and Subnet(s) for that region. Because we'll be deploying the Agent Scanner container to that region you must identify the networking for it to run on.

Selecting a bucket in a different region prompts you as follows:

Select the VPC and Subnet(s). You will be presented with VPC and Subnet selections for each new region you are enabling buckets in. Click Save and Close.

The information banner has 5 steps to get you started. All 5 steps have links to useful spots in the documentation to quickly get you started. The second will also direct you to the Schedules where you will be able to create and execute your first schedule for classification scanning.

You could also have selected Schedules from the left navigation.

Initially displayed to you is the blank Schedules page as none are created by default. It is quite easy to create a schedule, simply click the Create Schedule button and follow the wizard. Creating a schedule includes three tasks: select which buckets to scan, the rules to check against and the timing to run. For this first schedule, pick buckets within the same region of the deployment.

Creating a Classification Schedule

Step 1: Select Buckets

Step 2: Select Rules

Step 3: Select Run Time

Step 4: Activate Schedule

To complete the process you must activate the schedule:

You can choose to execute the first pass of the schedule now if desired.

That's it!

Which Resources should I Classify?

Claissfy them all for sensitive data! As simple as that sounds, you can decide which resources you do and don't want to classify. You may already know which resources are leveraged in your workflows that could ingest sensitive data. You may be unaware of how and where that data has moved as individuals are processing it. All buckets with any public aspects to them should be scanned to ensure you are not leaking sensitive data. Any buckets you share with others (public or not) should generally be scanned as you want to ensure what is shared is clean and safe to share. No matter whether you choose to enable all or a subset it is easy and you can feel comfortable your files will be identified. Buckets that may be written by trusted programs like CloudTrail may not need to be scanned, but can be if regulations require you to.

Classifying Resources in Other Regions

This solution is designed to scan all of your buckets, whether in one or multiple regions. If you select buckets in regions other than the console for the first time, you will be prompted to select a VPC and Subnet(s) for that region. Because we'll be deploying the Classification Scanner container close to the data in that region you must identify the networking for it to run on.

Selecting a bucket in a different region prompts you as follows:

Select the VPC and Subnet(s). You will be presented with VPC and Subnet selections for each new region you are enabling buckets in. Click Save and Close.

We now show Public / Private next to each VPC to indicate whether or not the VPC is tied to an Internet Gateway and therefor likely to have an outbound path. We also show Public / Restricted next to each Subnet to indicate whether each Subnet appears to have outbound routing.

Some regions only support Fargate in some of the Availability Zones. Regions ap-south-1 and ca-central-1 have limited AZs. If you get a message saying the container task cannot start up due to capacity or a Fargate instance isn't available, that could indicate you have found another AZ not supported. Switch which AZ the Fargate Service is pointing at and you should be fixed.

Enable API Scanning for Antivirus for Amazon S3 (optional)

API-based scanning is an alternative option where you can leverage an API to perform file scanning. It is not directly S3-integrated as Step 2 provides, but API scanning is very useful in many workflows where you want the file scanned before it is written to is destination.

We'll get into about what you see here, but for now just know this is the overall status view into your environment.

You can leverage SSO with our solution. Check out the which discusses it.

That's it! Once you are to this point, you should see a green shield () in the row for any bucket you "turned on" above.

about scanning existing objects will be covered.

Notice the Account identifier shows as Primary. This represents the default account you deployed the solution in. If you for cross-account scanning, you will see a different identifier for those buckets that come from other accounts.

For information on how to resolve conflicted buckets, please read the section.

"Conflicted" buckets have no barrier for scan existing object scans. Since scan existing crawls the objects (read more ) and is not triggered by events, there are absolutely no conflicts. Scan existing away!

We'll get into more details regarding creating and managing schedules on the

The VPC and Subnets you choose must have an outbound path to reach Amazon ECR. If not, the agents will . As discussed in the troubleshooting topic, you can do with outbound access to the internet or through VPC Endpoints that give you access to ECR and API.

You can get more information at this page. * You'll notice ap-south-1 is called out, but ca-central-1 is not although we found the same issue in both regions.

Read more about .

greater details
link accounts
Trouble Shooting
Scheduled Scans page
never boot properly
AWS Fargate
console access troubleshooting
Contact Us
Steps to Deploy section
Management Console Sign In
Invite Email
Change Password
Antivirus for Amazon S3 Console Dashboard
Data Classification for Amazon S3 Console Dashboard
Schedules Page
Create Schedule step 1
Select VPC and Subnets
here
API Based Scanning
More details
SSO FAQ
green shield