Data Classification for Amazon S3

Know what type of data exists and where it exists

Subscribe in AWS Marketplace to classify 500 GB for free

Start Your Trial
Get a Demo

Built to simplify data classification in a complex environment. 

Data Classification for Amazon S3 by Cloud Storage Security automates sensitive data discovery and classification, reduces development time and maintenance, and scales easily to meet your usage requirements regardless of the number of AWS accounts or buckets you have. 

Know your data inside and out.

Assess structured and unstructured data. Eliminate leaky buckets and locate regulated data to prevent compliance violations. The extensive knowledge you gain from our reports extends the expertise of your team by giving you the answers to critical questions such as "What type of data do we have?", "Where is the data being stored?", and "Is it publicly accessible? Is it encrypted?".

CSS - Working on computer

Challenges We Help Solve


DC for S3 - Visibility at Scale

Visibility at Scale

You're unsure what sensitive data exists and where it exists.  We provide insight into what restricted, sensitive and public data you have and where it resides. 

Identify hundreds of sensitive data types across 11 regional localizations in all AWS accounts and regions with automated data classification at petabyte scale. 

CSS - Control at Scale

Control at Scale

You're unsure whether access to sensitive data is being appropriately managed. We help you ensure restricted, sensitive and public data are in the right locations with appropriate permissions. 

Automated permissions policy identification plus configuration assessments that identify bucket attributes such as whether a bucket is publicly accessible or encrypted.

DC for S3 - Operational Efficiency

Operational Efficiency

As data volumes grow, supporting compliance and security mandates can become pricey, complicated and unwieldy. Improve operational efficiencies by reducing costs by upwards of 40% for data classification services.*

Use Cases


Proactively Manage Data Security & Privacy Practices

We provide you with the intel needed to:

  • Monitor where sensitive data resides
  • Shape and ensure appropriate security controls including access and encryption
  • Respond quickly via alerts when sensitive data is found or at risk

Establish & Maintain Regulatory Compliance 

We provide you with the intel needed to:

  • Know if you have data governed by HIPAA, PCI-DSS, GDPR and more
  • Monitor where sensitive data resides
  • Determine what data is business critical vs what data can be archived or eliminated
  • Respond to customer deletion requests
  • Ace audits via discovery logs, proof of data residency 

Filter Data During Migrations & When It's Ingested

Discover and classify sensitive data at scale during cloud migrations and as part of automated data pipelines to reduce the risk of ingesting and making accessible sensitive data when it’s not necessary. 

We provide you with the intel needed to:

  • Determine what sensitive data is on hand and if it is needed
  • Decide where data should ultimately be stored
  • Set security controls 

Data Classification for Amazon S3


Scheduled scans - select the buckets to include

Scheduled scans - select the buckets to include

Quick & Easy Setup

Try and buy Data Classification for Amazon S3 with a straightforward subscription process in AWS Marketplace. A streamlined deployment via an AWS CloudFormation template and an AWS Fargate Container means you are up and running in about 15 minutes. From there all it takes is a few clicks to initiate a data classification scan that will autodetect all Amazon S3 buckets across all accounts and regions to classify data a petabyte scale.

Getting Started >>

Straightforward Classification

Process new or existing files on demand or on a schedule - we provide you with flexibility to determine how to scan your data to meet compliance or infrastructure efficiencies and cost optimizations. When you create your classification schedule, you choose which buckets to scan and which matching rule sets to apply. 

Scheduled Scans >> 

Scheduled scans - select matching rules

Scheduled scans - select matching rules

CSS - DC for S3 Dashboard

The main dashboard - the window into your classifying status

Answer Security Questions with Confidence

Once a scan is complete, a report of the files containing sensitive data is generated allowing you to see the type of data each file contains as well as the bucket and account in which it resides. Whether the file has been cleaned and moved or deleted, our reporting tells you if the file still exists and needs to be dealt with. A per-bucket configuration overview is available via a bucket settings report. 

Assess data risk and prioritize vulnerability management by cross referencing classification and bucket protection findings to determine whether a bucket containing sensitive data is exposed. 

Console Overview >> 

Single Region Architecture

Data Classification Single-Region Architecture


Multi-region and multi-account architecture




Unit Type

Cost / GB

Pay As You Go Pricing


Free Trial 


Minimum Monthly Subscription - includes 100 GB


Scan 101 - 500 GB per month


Scan 501 - 1,500 GB per month


Scan 1501 - 3,000 GB per month


Scan >=3,001 GB per month


Scan pre-existing objects


Infrastructure Requirements: AWS Fargate is required. For detailed infrastructure costs, please refer to Amazon Fargate pricing.


Optimize Your Budget

  • Use of Data Classification for Amazon S3 can reduce costs for data classification services by 40% or more* 

  • You are only charged the first time you classify a file. Repeat classifications of a file, even with new matching rules, are not charged.

  • Only pay for what you use. We offer a consumption-based pricing model with a minimum monthly subscription fee of just $49 for the first 100 GB scanned and a per GB scanning charge thereafter. Interested in a private offer or custom pricing? Contact us.

  • Oftentimes it's less expensive to subscribe to a solution as opposed to building and maintain a system yourself



No. Data Classification for Amazon S3 is a cloud-based in-tenant solution.  This means it's installed into your AWS account and data never leaves your AWS account, which further supports security and performance. 

Data Classification for Amazon S3 is powered by the Sophos Antivirus Dynamic Interface engine, which identifies hundreds of sensitive data types across 11 regional localizations. 

Data Classification for Amazon S3 is procured in AWS Marketplace, which means it has been rigorously vetted and validated as secure and reliable.

Plus, AWS Marketplace provides centralized controls that allow you to manage your subscription, renewals, and consumption in one place. 

Get started in AWS Marketplace today.

Amazon Simple Notification Service (SNS) is used for alerts and integrates with your existing notification systems (e.g., Slack and email). Learn more about our Proactive Notifications.

Findings can be published to AWS Security Hub. Learn more about sending classification result findings to AWS Security Hub.

Amazon CloudWatch is leveraged for audit logging in order to track who did what in the console.

data classification

Know what data you're responsible for

Get Started with a Free Trial Today

Classify 500 GB in 30 days

Start Your Trial

*For illustrative purposes. Based on an AWS account with 15 Amazon S3 buckets and 100 GB of standard storage data that was scanned for sensitive data. Does not account for Amazon S3 or infrastructure costs.