Netskope Help

What Triggers a Scan and Billing of AWS S3?

Data Protection for Public Cloud is billed against the number of bytes scanned by Netskope's DLP and/or Malware services. For AWS S3, a scan is triggered in the following scenarios:

  • Uploading or re-uploading a file to an S3 bucket that has policies configured for DLP and/or Malware scan, using the AWS CLI, the AWS console, or programmatic API calls such as PostObject, RestoreObject, PutObject, PutObjectAcl, CopyObject, CreateMultipartUpload, UploadPart, UploadPartCopy, and CompleteMultipartUpload.

  • Renaming a file using the AWS CLI or the AWS console in an S3 bucket that has policies configured for DLP and/or Malware scan.

In the above cases, a scan occurs whether or not the file/object has changed. A scan is not performed in any other case.

Cases where a scan is not performed include:

  • Changing object metadata like tags or access control policies.

  • Deleting an object from S3.

  • Reading objects using AWS CLI, AWS console or API calls such as GetObject.

  • Uploading/reuploading a file using AWS CLI, AWS console or API calls to an S3 bucket that does not have policies configured for DLP and/or Malware scan.