
Workflow Expunge Policy

The policy removes sensitive data from resources based on the tags specified in the policy.


  • This policy accepts only the newline-delimited JSON records format.

  • For nested files, the workflow expunge policy is not supported.

Supported Data Sources

The following data sources are supported for the Workflow Expunge policy:

  • AWS S3

Supported File Formats

For the supported file formats on which the policy can be applied, see Matrix for Supported File Formats.

The following fields are included in the Workflow Expunge policy:

  • Name: This field indicates the name of the Workflow Expunge policy.

  • Type: This field indicates the type of policy.

    The Workflow Expunge Policy is not visible in the dropdown of policies by default. To configure it, see Workflow Expunge Policy Setup.

  • Alert Level: This field indicates the level of alert: High, Medium or Low.

  • Description: This field contains the description of the Workflow Expunge Policy.

  • Status: This field indicates whether the policy is enabled or disabled. It is enabled by default.

  • Application: This field specifies the data source from which the scanned resources can be accessed and where the Workflow Expunge policy will be applied.

  • Transfer Location: This field indicates the location where the input file is transferred if no tagged records match the tags specified in the policy.

  • Quarantine Location: This field specifies the location to which the input file is moved after the sensitive data is removed.

  • Archive Location (Optional): This field specifies the location where a copy of the original file is stored before any tagged records are removed from it.

  • Search for tags: The tags specified in this field help in identifying or classifying the data to be tagged and then expunged.

Add a Resource in the Data Zone

To add a resource in the data zone, refer to Add Resources.

Now, when you run the scan on the data zone and the policy condition is met (matching sensitive tags, file size exceeding the maximum limit, or an excluded data type), the sensitive data is deleted from the file, and the file is moved to the quarantine location if an alert notification is issued. The non-sensitive data is moved to the transfer location.
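
The routing described by the Transfer Location, Quarantine Location and Archive Location fields can be modelled offline on a newline-delimited JSON file before the policy is enabled on a real bucket. The following Python model is an added example, not the product's implementation; the per-record `tags` key, the function name `expunge_ndjson` and the sample records are assumptions, since this page does not document how tagged records are laid out.

```python
import json

# Constructed sample input: three NDJSON records, one JSON object per line.
SAMPLE = (
    '{"id": 1, "email": "a@example.com", "tags": ["EMAIL"]}\n'
    '{"id": 2, "note": "public", "tags": []}\n'
    '{"id": 3, "ssn": "000-00-0000", "tags": ["SSN", "PII"]}\n'
)

def expunge_ndjson(text, policy_tags, archive=True):
    """Model the policy over one NDJSON file held in memory.

    Assumption: each record lists its tags under a "tags" key.
    """
    wanted = set(policy_tags)
    kept, removed = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # tolerate blank lines between records
        try:
            record = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not valid JSON") from exc
        if not isinstance(record, dict):
            raise ValueError(f"line {lineno}: record is not a JSON object")
        tags = record.get("tags")
        tags = tags if isinstance(tags, list) else []
        if any(isinstance(t, str) and t in wanted for t in tags):
            removed += 1  # tagged record: expunged from the output
        else:
            kept.append(line)
    return {
        # The archive copy is taken before removal, so it still holds
        # every tagged record and needs the same access controls.
        "archive_copy": text if archive else None,
        "output": "".join(line + "\n" for line in kept),
        "removed": removed,
        # No matching record -> Transfer Location; otherwise Quarantine.
        "destination": "quarantine" if removed else "transfer",
    }

if __name__ == "__main__":
    result = expunge_ndjson(SAMPLE, ["SSN"])
    print(result["destination"], result["removed"])
    print(result["output"], end="")
```
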