© 2025 Direct Cursus Technology L.L.C.

Data Security Posture Management (DSPM)

Written by
Yandex Cloud
Updated at October 13, 2025

Note

This feature is in the Preview stage. To get access, contact tech support or your account manager.

Data Security Posture Management (DSPM) helps you quickly detect sensitive information stored in Yandex Object Storage buckets so that you can take timely action to protect it from unauthorized access or leaks, for example, by configuring access policies or anonymizing data.

Scanning for sensitive information

DSPM scans data sources for sensitive information in buckets. You can run a scan once or on a schedule.

To run scans for sensitive information, use a service account.

To create a scan, the user must have the dspm.editor role for the folder specified in the Security Deck settings as the default storage, as well as the iam.serviceAccounts.user role for the service account that will run the scan.

Warning

To run the scan, make sure the service account is assigned the dspm.worker role for all buckets you want to scan. If the buckets are encrypted, your service account also needs the kms.keys.decrypter role for the relevant Yandex Key Management Service encryption keys.

Before you start scanning, select a data source and specify the data categories to search for.

Data source

A data source contains information about the resources to scan, i.e., buckets, folders, and clouds, as well as additional settings.

When you add folders and clouds to a data source, all buckets in the selected clouds and/or folders will be scanned. In this case, DSPM will scan both the buckets that already exist in these clouds and folders and any other buckets added to them by the time the scan is run.

You can set the following scan scopes for a data source:

  • All files: To scan all files saved in the buckets.

  • DOC/TXT: To scan .doc, .docx, and .txt text files.

  • XLS/CSV: To scan .xls, .xlsx, and .csv spreadsheet files.

  • PPT: To scan .ppt and .pptx presentation files.

  • PDF: To scan .pdf document files.

  • HTML/XML: To scan .html and .xml files.

  • Images: To scan .jpg, .jpeg, .png, .gif, .webp, and .svg image files.

  • Custom filter: To scan all files whose names do or do not match the specified patterns:

    • File name contains: To scan files whose names match the specified pattern.
    • File name does not contain: To ignore files whose names match the specified pattern.

    Specify the patterns using the RE2 regular expression syntax. You can specify patterns in both fields, in which case the scan will use the AND logic to select files.

You can select multiple filters at the same time; the system will use the OR logic to apply them.
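
The selection logic described above, modeled locally as an added example (not Yandex Cloud code and not a DSPM API). Go's regexp package accepts RE2 syntax, so it can be used to check custom filter patterns against a list of object keys before saving them. The Scope type, the sample patterns and keys, and the assumptions that patterns are unanchored searches over the full object key and that extensions compare case-insensitively are illustrative.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Extension -> preset scope, as listed on this page.
var extPreset = map[string]string{
	".doc": "DOC/TXT", ".docx": "DOC/TXT", ".txt": "DOC/TXT", ".xls": "XLS/CSV",
	".xlsx": "XLS/CSV", ".csv": "XLS/CSV", ".ppt": "PPT", ".pptx": "PPT", ".pdf": "PDF",
	".html": "HTML/XML", ".xml": "HTML/XML", ".jpg": "Images", ".jpeg": "Images",
	".png": "Images", ".gif": "Images", ".webp": "Images", ".svg": "Images",
}

// Scope is a hypothetical local model of one scan scope selection (not a DSPM API type).
type Scope struct {
	AllFiles              bool
	Presets               map[string]bool
	Contains, NotContains *regexp.Regexp // custom filter fields; nil means not set
}

// InScope ORs the selected filters and ANDs the two custom filter fields.
// Assumptions: unanchored search over the full object key; case-insensitive extensions.
func (s Scope) InScope(key string) bool {
	if s.AllFiles || s.Presets[extPreset[strings.ToLower(path.Ext(key))]] {
		return true
	}
	if s.Contains == nil && s.NotContains == nil {
		return false // no custom filter selected
	}
	return (s.Contains == nil || s.Contains.MatchString(key)) &&
		(s.NotContains == nil || !s.NotContains.MatchString(key))
}

// SampleScope is a constructed selection: the PDF preset plus a custom filter.
func SampleScope() Scope {
	return Scope{Presets: map[string]bool{"PDF": true}, Contains: regexp.MustCompile(`(?i)(backup|export)`),
		NotContains: regexp.MustCompile(`\.(tmp|log)$`)}
}

func main() {
	for _, k := range []string{"reports/q3-summary.pdf", "db/export-2025-10.csv", // constructed keys
		"db/backup.log", "archive/Backup-keys.tmp.gz", "images/logo.PNG"} {
		fmt.Printf("%-28s scanned=%v\n", k, SampleScope().InScope(k))
	}
}
```

The key `archive/Backup-keys.tmp.gz` is still selected because the exclusion pattern is anchored to the end of the name with `$`; an exclusion that is too narrow leaves files in scope, and one that is too broad silently drops files from the scan.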

You can add multiple buckets, folders, and/or clouds as well as create multiple resource groups with different scan scope settings in a single data source at once. You can also add a bucket to multiple data sources with different scan scope settings at the same time.

Data categories

When setting up a new scan, you can specify the category of data to search for. You can select all the available categories at once or any combination of them.

Data categories available for scanning:

  • Financial data: Credit or debit card details.
  • Personal data: Full names, email addresses, phone numbers, and social security numbers (SNILS).
  • Secrets: Cloud access keys, passwords, tokens, SSH keys, etc.

To create data sources, set up and run scans, and view scan results, the user must have the appropriate roles.

See also

  • Creating a DSPM data source
  • Creating a DSPM scan
