Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Create a DLP On-Demand Scan for AWS

On-Demand Scans provide Data Loss Prevention (DLP) protection to files stored in Amazon S3 Buckets. On-Demand Scans evaluate data protection policies for the content in S3 buckets, and support targeted investigations on data in S3.

For example, you could limit scans to new or updated files each time it performs a scan. On-Demand Scans provide a great deal of flexibility to inspect different aspects of your deployment.

NOTE: For Amazon S3 scans, the first time a scan is run, it uses Full mode. Subsequent scans always use Incremental mode. If new documents in a previously scanned S3 bucket are found during the scan, the scan continues as Incremental. If new S3 buckets are found during the scan, the new S3 buckets are scanned in Full mode. Subsequent scans of the new S3 buckets always use Incremental mode. For more information about Full and Incremental data scope, see About On-Demand Scans

AWS Charges Related to On-Demand Scans

Because Skyhigh CASB accesses data during a scan, API charges and data transfer charges are incurred. These costs include:

  • Data Transfer Pricing: $0.01/GB
  • S3 read charges via GET requests: $0.01/25,000 API calls

Learn more about charges here:

NOTE: You can restrict scans to skip larger files to avoid some costs.

Quarantine Behavior in AWS S3

The quarantine response action for AWS S3 buckets has the following specific behavior: 

  • Files are quarantined in a new quarantine bucket.
  • The new bucket is automatically created in the same AWS account. For example, if you have three AWS accounts, one quarantine bucket will be created in each account.

NOTE: The above Quarantine behavior is common for both NRT and ODS DLP or Malware Scan in AWS S3.

Create an On-Demand Scan for an S3 Bucket

  1. Go to Policy > On-Demand Scan.
  2. Click Actions > Create a Scan. The Scan Creation Wizard displays. 

  3. For Scan Type, choose Data Loss Prevention (DLP). If you would like to learn about Malware scans, see Create a Malware Scan.
  4. Enter a Name for the scan, and enter an optional Description.
  5. For Service Instance, select the Amazon S3 instance you want to scan. Click Next
  6. On the Select Policies page, select the available policies to use for your scan type. (Note: Only Active policies are listed here.) Click Next

  7. On the Configure Scan page, configure the scope of your scan. 
  • Data:
    • Data Scope
      • Full. Scans all content every time the scan is run.
      • Incremental. Scan only content that has changed since the last successful scan. 
      • Scan Dates. Select All, to scan all data. Or select Last X Days to limit the scan to the specified time period. 


  • Starting with the Skyhigh CASB 5.4.0 release onwards, to align IaaS DLP/Malware scan configurations with the SaaS DLP/Malware scan, per-scan settings options "File Size" and "Restrict File Type(s) to" are not available for the IaaS (Azure, AWS, and GCP) DLP Scans.
  • With this change, all new IaaS DLP/Malware scan honors the global scan settings by default.
  • The existing IaaS DLP/Malware scan honors the per-scan settings for the Skyhigh CASB 5.4.0 release only. If you want to retain the custom settings for specific IaaS scans, contact Skyhigh Security Support.
  • Buckets: 
    • Exclude CloudTrail Bucket. The Exclude CloudTrail Bucket checkbox is activated by default. Deactivate the checkbox to include the CloudTrail bucket in a scan. 
    • Buckets to Scan:
      • All Storage Buckets. Scan all storage accounts.
      • Include Specific Buckets. To include specific buckets for scan, manually enter them in a comma-separated list in the text box below. 
      • Exclude Specific Bucket. To exclude specific buckets for scan, manually enter them in a comma-separated list in the text box below. 
      • Use a Predefined Dictionary. Select a Predefined Dictionary from the menu. For more information, see this topic.
      • Manually enter Buckets. Enter the buckets you want to scan in the box below. 
  • Accounts:
    • Accounts to Scan
      • All Accounts. Scan all accounts. 
      • Include Specific Accounts. To include only specific accounts, select a Predefined Dictionary, or specify the users manually in a comma-separated list. 
      • Exclude Specific Accounts. To exclude only specific accounts, select a Predefined Dictionary, or specify the user manually in a comma-separated list. 

        After Include or Exclude has been selected, the following screen appears for subscriptions selection. Make the selection and click Done.

        AWS Subscriptions.png

NOTE: One or more AWS accounts can be scanned. If existing DLP scans are updated to include specific accounts, they continue to provide an incremental scan and will not revert to a full scan.

  1. Click Next
  2. On the Schedule Scan page, select the schedule to run your scan and click Next:
    • None (On-Demand Only). Run the scan once now.
    • Daily. Run the scan once a day. Configure the time and time zone. 
    • Weekly. Run the scan once a week. Configure the day, time, and time zone. 
  3. On the Review and Activate page, review your settings for the On-Demand Scan, and click Save. Click Back to make changes. 


Once a scan has completed, you can view the results, or rerun the scan again anytime on the Policy > On-Demand Scan page. 

View policy incident violations on the Policy Incidents page. 

  • Was this article helpful?