See what sensitive data lives in your Amazon S3 buckets

Generate a free report of the sensitive data (like PII, PHI, and credentials) that's in your Amazon S3 files and folders.
Your organization can store high volumes of business-critical information in S3. This includes PII, credit card information, credentials, and more. This can pose security risk like data leakage and compliance risks around PCI, HIPAA, and more.
With our Amazon S3 scanner, scan your Amazon S3 buckets for sensitive data, using Nightfall's proprietary detection engine. This app is powered by the Nightfall Developer Platform.
Get Started — or — Read our FAQs

Get started in 5 minutes

Step 1: Connect to S3
AWS Access Key ID

Required. Create access keys in the IAM console in the AWS Management Console. We recommend that you create and use IAM access keys specific to this service instead of AWS root account access keys. At minimum, the IAM role will need the following permissions: s3:GetObject, s3:ListAllMyBuckets, s3:ListBucket. Find detailed instructions on creating an IAM user here.

AWS Secret Access Key

Required. You'll find this along with your Access Key ID above.

AWS Region

Required. Specify the region you'd like to scan.

Buckets to Exclude

Optional. By default, Nightfall will scan all buckets in the specified region that the credentials above can access. Specify any buckets by name that you would like to exclude from the scan. One per line.

Step 2: Your Email

You'll receive your scan results here as a CSV attachment.

Step 3: Configure Detection

This step is optional, but highly recommended. If you leave it blank, Nightfall will use a default detection rule, scanning for likely Credit Card Numbers, US Social Security Numbers, and API Keys. Setting your own detection rule will allow you to leverage the full power of Nightfall's best-in-class detection engine. Customize your detection settings with our pre-built detectors (spanning PII, PHI, PCI, and much more), custom detectors, exclusion/context rules, and more. Sign up for a Nightfall Developer Platform account here if you don't have one.

Nightfall API Key

Create an API key on your Nightfall Dashboard. If you don't have an account, sign up.

Detection Rules

Your Detection Rules specify what you want Nightfall to detect, e.g. credit card numbers. Create a Detection Rule on your Nightfall Dashboard and copy over its UUID. Specify up to 10 Detection Rules, one per line.

Is this a test scan?

By submitting this form, you agree to our Terms & Conditions and Privacy Policy.


Nightfall is the industry's first cloud-native data protection platform. Nightfall uses machine learning to discover, classify, and protect sensitive data like PII, PHI, and credentials. Nightfall integrates natively with cloud apps like Slack, GitHub, Google Drive, Confluence, and Jira, as well as provides a set of APIs for embedding best-in-class content inspection technology anywhere.

The Nightfall Developer Platform is a set of APIs developers can use to build data classification and protection into any application or service. This utility is powered by the Developer Platform. It's free to get started with the Developer Platform. Sign up or read the API Docs.

The report is sent via email as a CSV export. The report shows exactly what types of sensitive data are found and where in your S3 instance, so you can easily track it down. The fields include the item type (e.g. File), S3 ID, S3 permalink, the Detector (e.g. Credit Card Number), detection confidence (e.g. Very Likely), the character locations of the sensitive data, and more. The email will also contain a high level summary of the scan.

No, Nightfall does not retain your data. That is why this service sends results to you as a CSV attachment via email instead of a hosted dashboard. Once this email is sent to you, there is no retention on Nightfall's end about your S3 instance.

Without inputting your own Nightfall API key, this free utility will have the following limitations: up to 500 items (e.g. files) or 500 MB of data will be scanned, and the first 100 sensitive findings will be outputted in the report.

These limitations don't apply if you input your own Nightfall API key, so we highly recommend doing so. In other words, with your own API key, you'll be able to run a complete scan. You can create an API key on your Nightfall Dashboard.

If you don't have an account to create an API key, you can sign up for the Nightfall Developer Platform for free (no credit card required). Learn more about the Developer Platform in the API Docs.

Pricing for the Developer Platform is based on the amount of data scanned by Nightfall. The Free plan (default) provides 3 GB of data scanned per month for free. From there you can choose to upgrade to the Usage plan to pay as you go, which starts at $3 per GB scanned and scales down with volume. Please see the Pricing page in the API Docs for more details.

The max size for individual files for this scanner is 20 MB. The service may filter high volumes of noise in the event that your detection rules may benefit from further tuning, and scans may terminate early if they are generating a very high volume of results, so that you can fine tune your detection rules prior to re-running the scan and consuming data volume. Similarly, results may be truncated to respect the max file size of email attachments and so files are openable.

Please email us or schedule a meeting if you have any questions.