You can configure certain Configuration Policies to automatically trigger an On-Demand Scan whenever they detect a publicly accessible, and therefore vulnerable, resource in AWS or Azure. Scanning such resources for confidential data is critical, because a public bucket or container exposes any confidential data it holds to anyone on the internet. You can send the results of the On-Demand Scan to anyone in your organization.
You can configure automatic scans for the following policies:
- AWS Unrestricted Access to S3 Bucket
- AWS World Readable S3 Buckets
- AWS Publicly Writable S3 Buckets
- Azure World Readable Azure Blob Storage Containers
To configure automatic scanning:
- Go to Policy > Configuration Audit.
- To the right of the policy you'd like to configure, select Actions > Edit.
- In the Review and Activate screen, under Responses, select Edit.
- To add another Response to the policy, click +.
- Select Scan Unsecured Resources. This adds a response action that runs an On-Demand Scan whenever the policy is violated.
- Click Select Policy. This displays a list of existing On-Demand Scans.
- Select the On-Demand Scan you want to run on violating resources, then select Done.
- Verify that the selected scan is listed, then select Next.
- On the following screen, verify the response, then select Done.
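The three AWS policies listed above fire on the same two underlying conditions: a bucket ACL that grants the AllUsers or AuthenticatedUsers group read or write permission, or a bucket policy with an Allow statement whose principal is everyone. The following is an added example, not code from the original page or from the product it describes, showing how a practitioner can reproduce that classification offline against the ACL and policy documents in the shape boto3's get_bucket_acl() and get_bucket_policy() return. The sample ACL and policy are constructed for the example; the mapping of the flags to the product's policy names is an assumption, and the check deliberately ignores S3 Block Public Access settings, which can override both ACLs and policies at the bucket or account level.

```python
"""Classify an S3 bucket as world readable / publicly writable from its ACL and bucket policy."""
import json

# Grantee URIs used in S3 ACLs for "everyone" and "any AWS account" (effectively public).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_READ_PERMS = {"READ", "FULL_CONTROL"}
ACL_WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Policy actions (lower-cased) that let an anonymous caller read object data or list the bucket,
# or change its contents / access controls.
POLICY_READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}
POLICY_WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putbucketacl",
                        "s3:putbucketpolicy", "s3:put*", "s3:delete*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal: "*" or Principal: {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def classify_acl(acl):
    """acl: dict shaped like boto3 get_bucket_acl(); returns (public_read, public_write)."""
    read = write = False
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            perm = grant.get("Permission")
            read = read or perm in ACL_READ_PERMS
            write = write or perm in ACL_WRITE_PERMS
    return read, write


def classify_policy(policy_json):
    """policy_json: bucket policy document as a JSON string, or None if the bucket has none."""
    read = write = False
    if not policy_json:
        return read, write
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A conditioned grant (e.g. aws:SourceIp) is scoped, not unrestricted; review separately.
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        read = read or bool(actions & POLICY_READ_ACTIONS)
        write = write or bool(actions & POLICY_WRITE_ACTIONS)
    return read, write


def evaluate_bucket(acl, policy_json):
    """Combine ACL and policy results into the two conditions the page's AWS policies check for."""
    acl_read, acl_write = classify_acl(acl)
    pol_read, pol_write = classify_policy(policy_json)
    return {"world_readable": acl_read or pol_read,
            "publicly_writable": acl_write or pol_write}


# Constructed sample inputs (not captured from a real account).
PUBLIC_READ_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS and
                     "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}]}
MIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    print("public-read ACL, no policy:", evaluate_bucket(PUBLIC_READ_ACL, None))
    print("private ACL, mixed policy: ", evaluate_bucket(PRIVATE_ACL, MIXED_POLICY))
```

To run this against a live account, feed it `client.get_bucket_acl(Bucket=name)` and `client.get_bucket_policy(Bucket=name)["Policy"]` from boto3 (the latter raises `NoSuchBucketPolicy` when no policy is attached, which maps to `None` here). Note that the IP-conditioned GetObject statement in the sample is skipped on purpose: it is still worth reviewing, but it is not the unrestricted exposure the policies above react to.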