Data Loss Prevention (DLP) for Amazon S3 & EC2

Gain visibility and protect data at scale.

Scan unlimited data for 90 days with a free trial in AWS Marketplace


Built to simplify data protection in a complex environment. 

Data Loss Prevention (DLP) for Amazon S3 & EC2 by Cloud Storage Security automates sensitive data discovery, classification, and protection, reduces development time and maintenance, and scales easily to meet your usage requirements regardless of the number of AWS accounts or buckets you have. 

Know your data inside and out.

Automatically assess and protect structured and unstructured data. Eliminate leaky buckets and locate regulated data to prevent compliance violations. The extensive knowledge you gain from our reports extends the expertise of your team by giving you the answers to critical questions such as "What type of data do we have?", "Where is the data being stored?", and "Is it publicly accessible? Is it encrypted?".

Challenges We Help Solve


 

Visibility at Scale

You're unsure what sensitive data exists and where it exists.  We provide insight into what restricted, sensitive and public data you have and where it resides. 

Identify and protect hundreds of sensitive data types across 11 regional localizations in all AWS accounts and regions with automated data classification at petabyte scale. 

Control at Scale

You're unsure whether access to sensitive data is being appropriately managed. We help you ensure restricted, sensitive and public data are in the right locations with appropriate permissions. 

Automated permissions policy identification plus configuration assessments that identify bucket attributes such as whether a bucket is publicly accessible or encrypted.

Operational Efficiency

As data volumes grow, supporting compliance and security mandates can become pricey, complicated and unwieldy. Improve operational efficiencies by reducing costs by upwards of 40% for DLP services.*

Use Cases


 

Proactively Manage Data Security & Privacy Practices

We provide you with the intel needed to:

  • Monitor where sensitive data resides
  • Shape and ensure appropriate security controls including access and encryption
  • Respond quickly via alerts when sensitive data is found or at risk

Establish & Maintain Regulatory Compliance 

We provide you with the intel needed to:

  • Know if you have data governed by HIPAA, PCI-DSS, GDPR and more
  • Monitor where sensitive data resides
  • Determine what data is business critical vs what data can be archived or eliminated
  • Respond to customer deletion requests
  • Ace audits via discovery logs, proof of data residency 

Filter Data During Migrations & When It's Ingested

Discover and protect sensitive data at scale during cloud migrations and as part of automated data pipelines to reduce the risk of ingesting and making accessible sensitive data when it’s not necessary. 

We provide you with the intel needed to:

  • Determine what sensitive data is on hand and if it is needed
  • Decide where data should ultimately be stored
  • Set security controls 

Data Loss Prevention (DLP) for Amazon S3 & EC2


 

Scheduled scans - select the buckets to include

Quick & Easy Setup

Try out DLP for Amazon S3 & EC2 with a straightforward subscription process in AWS Marketplace. A streamlined deployment via an AWS CloudFormation template and an AWS Fargate Container means you are up and running in about 15 minutes. From there, all it takes is a few clicks to initiate a scan that will autodetect all Amazon S3 buckets across all accounts and regions to classify data at petabyte scale.

Straightforward Classification and Protection

Process new or existing files on demand or on a schedule - we provide you with flexibility to determine how to scan your data to meet compliance or infrastructure efficiencies and cost optimizations. When you create your classification schedule, you choose which buckets to scan and which matching rule sets to apply. 

Scheduled scans - select matching rules

The main dashboard - the window into your classifying status

Answer Security Questions with Confidence

Once a scan is complete, a report of the files containing sensitive data is generated, allowing you to see the type of data each file contains as well as the bucket and account in which it resides. Whether the file has been cleaned and moved or deleted, our reporting tells you if the file still exists and needs to be dealt with. A per-bucket configuration overview is available via a bucket settings report.

Assess data risk and prioritize vulnerability management by cross-referencing classification and bucket protection findings to determine whether a bucket containing sensitive data is exposed.

Single Region Architecture

 

Multi-region and multi-account architecture

Pricing


 

 

Pay As You Go Pricing

| Unit Type | Cost / GB |
|---|---|
| Free Trial | $0 |
| Minimum Monthly Subscription - includes 100 GB | $49.00 |
| Scan 101 - 500 GB per month | $0.40 |
| Scan 501 - 1,500 GB per month | $0.35 |
| Scan 1501 - 3,000 GB per month | $0.30 |
| Scan >=3,001 GB per month | $0.25 |
| Scan pre-existing objects | $0 |

Infrastructure Requirements: AWS Fargate is required. For detailed infrastructure costs, please refer to Amazon Fargate pricing.

 

Optimize Your Budget

  • Use of DLP for Amazon S3 & EC2 can reduce costs for DLP by 40% or more* 

  • You are only charged the first time you classify a file. Repeat classifications of a file, even with new matching rules, are not charged.

  • Try out our solution and scan unlimited data for 90 days, completely free! All we ask is that you share feedback with us during your usage. Contact us to get started!

  • Oftentimes it's less expensive to subscribe to a solution than to build and maintain a system yourself

FAQs


 

No. DLP for Amazon S3 & EC2 is a cloud-based in-tenant solution.  This means it's installed into your AWS account and data never leaves your AWS account, which further supports security and performance. 

DLP for Amazon S3 & EC2 is powered by the Sophos Antivirus Dynamic Interface engine, which identifies hundreds of sensitive data types across 11 regional localizations. 

DLP for Amazon S3 & EC2 is procured in AWS Marketplace, which means it has been rigorously vetted and validated as secure and reliable.

Plus, AWS Marketplace provides centralized controls that allow you to manage your subscription, renewals, and consumption in one place. 

Get started in AWS Marketplace today.

Amazon Simple Notification Service (SNS) is used for alerts and integrates with your existing notification systems (e.g., Slack and email). Learn more about our Proactive Notifications.

Findings can be published to AWS Security Hub. Learn more about sending classification result findings to AWS Security Hub.

Amazon CloudWatch is leveraged for audit logging in order to track who did what in the console.

Know what data you're responsible for

Get Started with a Free Trial Today

Classify unlimited data for 90 days


*For illustrative purposes. Based on an AWS account with 15 Amazon S3 buckets and 100 GB of standard storage data that was scanned for sensitive data. Does not account for Amazon S3 or infrastructure costs.