As public cloud IaaS platforms like AWS and Azure continue to be widely adopted, customers increasingly seek comprehensive tools to safeguard their data.
With the introduction of these new connectors, our product now enables you to scan for sensitive data exposure within your AWS S3 and Azure Storage environments.
The top use case involves discovering exposed credentials such as API keys, secrets, and tokens. Additionally, you can now identify sensitive data, including Personally Identifiable Information (PII), financial records, and healthcare information that may be inadvertently exposed to the public web.
What do we scan in AWS S3 and Azure File Storage?
In AWS S3, we provide both discovery of preexisting sensitive data and continuous monitoring for any addition of sensitive data. We incrementally scan all file updates and new files in the specific buckets that customers select in their DLP rule.
Similarly, in Azure File Storage, we also support both initial discovery and continuous monitoring. We incrementally scan all file updates and new files in the specific containers that can be selected in the DLP rule.
You have the flexibility to decide which AWS S3 buckets or Azure Containers you want to scan, allowing you to tailor the DLP capabilities to your specific needs and priorities.
Which response actions are supported for AWS and Azure?
Currently, monitoring is the only supported response action for AWS and Azure. Because deleting or quarantining files in IaaS environments, which are typically mission-critical, carries inherent risk, we do not support automatic remediation actions. This approach avoids inadvertent disruption to essential services while still providing robust monitoring for sensitive data exposure.
How can I locate my AWS S3 buckets and Azure storage blobs to manually remediate the DLP violations?
To facilitate manual remediation of DLP violations, we have enhanced the DLP report with detailed information. The report now includes the resource name, which is the actual S3 bucket or blob name, allowing for quick searches in the AWS and Azure consoles.
Additionally, each DLP violation event's details contain the destination URL of the resource and, when available, the resource ID. This comprehensive information enables you to efficiently locate and address any DLP violations within your AWS S3 buckets and Azure storage blobs.
Where can I find more information?
Refer to the Umbrella documentation for guidance:
Enable SaaS API Data Loss Protection for AWS Tenants
Enable SaaS API Data Loss Protection for Azure Tenants
Add a SaaS API Rule to the Data Loss Prevention Policy
Data Loss Prevention Report