Skip to content

How to Configure the Console

As we saw in the previous steps, we have made some configuration decisions already such as networking and container and queue sizing. The remaining configuration revolves around enabling scanning on your preferred buckets. We've made this really simple for you. Now that we have subscribed to and deployed Data Classification for Amazon S3, let's jump into the Console to start scanning your buckets for sensitive data.


It may take a few minutes for DNS to propagate. If you are unable to load the URL provided in the email (and/or CloudFormation Outputs) then wait a few minutes. If it continues to be an issue, check the console access trouble shooting to see if it is another issue.

The email with the login credentials arrives in your inbox even before the CloudFormation deployment completes. Please wait until you see the stack creation process complete to access the console.

Step 1 - Launch the Console

Open your modern browser of choice (chrome, firefox, edge, safari) and place the access URL you retrieved in the previous step into the address bar and hit Enter. You will be taken to the Console Login page as seen below.

Console Login


During deployment, you were sent an email with information on how to sign in to the console. This email contains the current access URL as well. You can simply click that to launch the console. AWS-CF-StackOutputs-dc Console Login

Each additional user created through the console will also receive a similar email.

Sign in to the Console

As seen above, an email is sent to you to provide your User Name and Temporary Password. Place the username and temporary password into the appropriate fields and click Log in.

First thing you must do is replace the temporary password. Create a new password for your user. Console Reset PW

Clicking Change Password will save your new password and redirect you back to the Login page. Once you've logged in again, you will be redirected to the Console landing page.

Console Dashboard

We'll get into greater details about what you see here, but just know this is the overall status view into your environment.

Single Sign-On

You can leverage SSO with our solution. Check out the SSO FAQ which discusses it.


You must have at least one internal user setup and usable to enable the SSO users (one time) within the console.

Step 2 - Setup Scanning: Create Schedule

Notice the top information banner indicating:

Landing Page

The information banner has 5 steps to get you started. All 5 steps have links to useful spots in the documentation to quickly get you started. The second will also direct you to the Schedules where you will be able to create and execute your first schedule for classification scanning.


You could also have selected Schedules from the left navigation.

Schedules Page: Schedules

Initially displayed to you is the blank Schedules page as none are created by default. It is quite easy to create a schedule, simply click the Create Schedule button and follow the wizard. Creating a schedule includes three tasks: select which buckets to scan, the rules to check against and the timing to run. For this first schedule, pick buckets within the same region of the deployment.

Create Schedule step 1

Create Schedule step 2

Create Schedule step 3

To complete the process you must activate the schedule: activate schedule

You can choose to execute the first pass of the schedule now if desired. Schedule run now


We'll get into more details regarding creating and managing schedules on the Scheduled Scans page

That's it!

Which Buckets should I scan?

Scan them all for sensitive data! As simple as that sounds, you can decide which buckets you do and don't want to protect. You may already know which buckets are leveraged in your workflows that could ingest sensitive data. You may be unaware of how and where that data has moved as individuals are processing it. All buckets with any public aspects to them should be scanned to ensure you are not leaking sensitive data. Any buckets you share with others (public or not) should generally be scanned as you want to ensure what is shared is clean and safe to share. No matter whether you choose to enable all or a subset it is easy and you can feel comfortable your files will be identified. Buckets that may be written by trusted programs like CloudTrail may not need to be scanned, but can be if regulations require you to.

Scanning Buckets in Other Regions

This solution is designed to scan all of your buckets, whether in one or multiple regions. If you select buckets in regions other than the console for the first time, you will be prompted to select a VPC and Subnet(s) for that region. Because we'll be deploying the Classification Scanner container close to the data in that region you must identify the networking for it to run on.

Selecting a bucket in a different region prompts you as follows:

Select VPC modal

Select the VPC and Subnet(s). You will be presented with VPC and Subnet selections for each new region you are enabling buckets in. Click Save and Close


The VPC and Subnets you choose must have an outbound path to reach Amazon ECR. If not, the agents will never boot properly. As discussed in the troubleshooting topic, you can do with outbound access to the internet or through VPC Endpoints that give you access to ECR and API.

We now show Public / Private next to each VPC to indicate whether or not the VPC is tied to an Internet Gateway and therefor likely to have an outbound path. We also show Public / Restricted next to each Subnet to indicate whether each Subnet appears to have outbound routing.

Some regions only support Fargate in some of the Availability Zones. Regions ap-south-1 and ca-central-1 have limited AZs. If you get a message saying the container task cannot start up due to capacity or a Fargate instance isn't available, that could indicate you have found another AZ not supported. Switch which AZ the Fargate Service is pointing at and you should be fixed.

You can get more information at this AWS Fargate page. * You'll notice ap-south-1 is called out, but ca-central-1 is not although we found the same issue in both regions.

Last update: May 19, 2022