Data Loss Prevention (DLP) for AWS Storage

Identify and Protect PII at Scale

Automate sensitive data discovery, classification, and protection. Reduce development time and maintenance. Easily scale to meet usage requirements regardless of the number of AWS accounts or buckets you have.


Challenges We Help Solve


Visibility at Scale

You're unsure what sensitive data exists and where it exists. We provide insight into what restricted, sensitive and public data you have and where it resides.

Identify and protect hundreds of sensitive data types across over 25 regional localizations in all AWS accounts and regions with automated DLP at petabyte scale.


Control at Scale

Ensure proper management of sensitive data access. We assist in placing restricted, sensitive, and public data in appropriate locations with the correct permissions.

Our automated processes identify permissions policies and assess bucket attributes like accessibility and encryption status.


Operational Efficiency

As data volumes grow, supporting compliance and security mandates can become pricey, complicated and unwieldy.

Improve operational efficiencies by reducing costs by upwards of 40% for DLP services*.


DLP Made Easy

DLP in the cloud can be complicated, but our solution is packed with user-friendly features that save you time, money, and potential headaches.

Use Cases


Proactively Manage Data Security & Privacy Practices

We provide you with the intel needed to:

Monitor where sensitive data resides


Shape and ensure appropriate security controls including access and encryption


Respond quickly via alerts when sensitive data is found or at risk


Establish & Maintain Regulatory Compliance

We provide you with the intel needed to:

Know if you have data governed by HIPAA, PCI-DSS, GDPR and more


Determine what data is business critical vs what data can be archived or eliminated


Respond to customer deletion requests


Ace audits via discovery logs and proof of data residency


Filter Data During Migrations & When It's Ingested

We provide you with the intel needed to:

Determine what sensitive data is on hand and if it is needed


Decide where data should ultimately be stored


Set security controls


Scale DLP and reduce risks

Know Your Data Inside & Out

Streamline discovery, enhance security, and ensure compliance with automated precision.


Quick & Easy Setup

Get started in under 15 minutes

A straightforward subscription process in AWS Marketplace, streamlined deployment via an AWS CloudFormation template, and an AWS Fargate Container means you are up and running in about 15 minutes. From there all it takes is a few clicks to initiate a scan that will autodetect all Amazon S3 buckets across all accounts and regions to classify and protect data.


Straightforward Classification and Protection

Customize scan type, location and frequency with ease

Process new or existing files on demand or on a schedule. You decide how to scan your data so that you can meet your compliance, infrastructure efficiency, and cost optimization goals. When you create your classification schedule, you choose which buckets to scan and which matching rule sets to apply.


Answer Security Questions with Confidence

Robust reporting comes standard

Once a scan is complete, a report of the files containing sensitive data is generated, allowing you to see the type of data each file contains as well as the bucket and account in which it resides. Whether the file has been cleaned and moved or deleted, our reporting tells you if the file still exists and needs to be dealt with. A per-bucket configuration overview is available via a bucket settings report.



The solution is container-based and utilizes an AWS Fargate task to host the console and execute scans. Findings are written to Amazon DynamoDB and Amazon CloudWatch.

Architecture Overview

Frequently Asked Questions


Is this a SaaS Solution?

No. DLP for Amazon S3 & EC2 is a cloud-based in-tenant solution. This means that it's installed directly into your AWS account and data never leaves that account, further supporting security and performance.

What comprises your classification engine?

DLP for Amazon S3 & EC2 is powered by the Sophos Antivirus Dynamic Interface engine, which identifies hundreds of sensitive data types across more than 25 regional localizations.

How do I access the product?

DLP for Amazon S3 & EC2 is procured in AWS Marketplace, which means it has been rigorously vetted as secure and reliable.


Plus, AWS Marketplace provides centralized controls that allow you to manage your subscription, renewals, and consumption in one place.

What AWS services do you integrate with?

Amazon Simple Notification Service (Amazon SNS) is used for alerts and integrates with your existing notification systems (e.g., Slack and email). Learn more about our Proactive Notifications.

Findings can be published to AWS Security Hub. Learn more about sending classification result findings to AWS Security Hub.


Amazon CloudWatch is leveraged for audit logging in order to track who did what in the console.


Get Started with a Free Trial Today

Classify unlimited data for 90 days


*For illustrative purposes. Based on an AWS account with 15 Amazon S3 buckets and 100 GB of standard storage data that was scanned for sensitive data. Does not account for Amazon S3 or infrastructure costs.