Including and excluding vaults
You can set the vaults that you scan with various settings in the configuration file.
Use the following settings in the configuration file to scan the vaults:
- include_all_vaults (Boolean)
- exclude_vaults (List)
- vaults (Dictionary)
When include_all_vaults is true, all vaults in the system are scanned except for any vaults specified in the exclude_vaults list.
You might consider exclude_vaults a list of vaults to ignore, and vaults a list that specifies details of individual vaults to be scanned.
If include_all_vaults is true and the vaults list is populated, the list of vaults that are scanned is the superset of all vaults that are returned by the Manager, merged with the vaults list from the config file.
An error is raised and the Scanner aborts on start-up if the same vault appears in both vaults and exclude_vaults.
Mirror, Proxy, Data Migration
- Mirrored vaults
- Proxy vaults
- Vaults that are set up for migration
Any vaults of these types are ignored by the scanner, and a warning is logged in the debug log.
Examples for including and excluding vaults
The following examples summarize the rules for including and excluding vaults:
- The system contains 1000 vaults.
- Five of the 1000 vaults are management vaults (named mgmt-1 to mgmt-5).
- The scan includes all vaults except the management vaults.
"include_all_vaults": true,
"exclude_vaults": ["mgmt-1", "mgmt-2", "mgmt-3", "mgmt-4", "mgmt-5"]
- The system contains 1000 vaults.
- 5 of the 1000 vaults are management vaults (named mgmt-1 to mgmt-5).
- The scan includes all vaults except the management vaults.
- The scan includes a filter for scanning a vault that is named vault-x.
- The scan includes only a scan of the objects whose key starts with production/finance.
"include_all_vaults": true,
"exclude_vaults": ["mgmt-1", "mgmt-2", "mgmt-3", "mgmt-4", "mgmt-5"],
"vaults": [
{"vault_name":"vault-x", "prefix":"production/finance"}
]
- The system contains 1000 vaults.
- 5 of the 1000 vaults are management vaults (named mgmt-1 to mgmt-5).
- The scan includes all vaults except the management vaults.
- The scan includes a filter for scanning a vault that is named vault-x.
- The scan includes only a scan of the objects whose key starts with production/finance or production/marketing.
"include_all_vaults": true,
"exclude_vaults": ["mgmt-1", "mgmt-2", "mgmt-3", "mgmt-4", "mgmt-5"],
"vaults": [
{"vault_name":"vault-x", "prefix":"production/finance"},
{"vault_name":"vault-x", "prefix":"production/marketing"}
]
- The system contains 1000 vaults.
- Run a test on three vaults named vault-a, vault-b, and versioned-vault-c.
- Run a scan on versioned-vault-c and issue LIST requests. Do not issue HEAD requests because the objects do not have custom amz headers.
"include_all_vaults": false,
"vaults": [
{"vault_name":"vault-a"},
{"vault_name":"vault-b"},
{"vault_name":"versioned-vault-c", "has_custom_metadata":false}
]
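The include and exclude rules above, worked through as a small Python function so that a configuration can be checked before the Scanner starts. This is an added example, not the Scanner's own code: the function name, the {name: type} shape of the Manager listing, the type labels and the sample vault names not on this page are assumptions, and an empty filter list is assumed to mean that the whole vault is scanned.

```python
import logging

log = logging.getLogger("vault-selection-example")
SKIPPED_TYPES = {"mirror", "proxy", "migration"}  # assumed type labels


def resolve_scan_targets(config, manager_vaults):
    """Return {vault_name: [entries from 'vaults']}; an empty list means no filter.
    manager_vaults is a hypothetical {name: type} listing from the Manager."""
    excluded = set(config.get("exclude_vaults", []))
    entries = config.get("vaults", [])

    # Rule: the same vault in 'vaults' and 'exclude_vaults' aborts start-up.
    conflict = sorted({e["vault_name"] for e in entries} & excluded)
    if conflict:
        raise ValueError(f"in both 'vaults' and 'exclude_vaults': {conflict}")

    # Rule: include_all_vaults takes every Manager vault except the excluded ones.
    targets = {}
    if config.get("include_all_vaults", False):
        targets = {n: [] for n in manager_vaults if n not in excluded}
    # Rule: 'vaults' entries are merged in; a repeated name adds another filter.
    for e in entries:
        targets.setdefault(e["vault_name"], []).append(e)

    # Rule: mirror, proxy and migration vaults are ignored with a warning.
    for name in list(targets):
        if manager_vaults.get(name) in SKIPPED_TYPES:
            log.warning("ignoring %s vault %s", manager_vaults[name], name)
            del targets[name]
    return targets


# Constructed sample: 1000 vaults, five of them management, one a mirror.
MANAGER = {f"vault-{i}": "standard" for i in range(993)}
MANAGER.update({f"mgmt-{i}": "standard" for i in range(1, 6)})
MANAGER.update({"vault-x": "standard", "mirror-1": "mirror"})
CONFIG = {
    "include_all_vaults": True,
    "exclude_vaults": ["mgmt-1", "mgmt-2", "mgmt-3", "mgmt-4", "mgmt-5"],
    "vaults": [
        {"vault_name": "vault-x", "prefix": "production/finance"},
        {"vault_name": "vault-x", "prefix": "production/marketing"},
    ],
}
```

Comparing the returned keys against the vaults you expect to be covered shows which vaults a given configuration leaves unscanned.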