All Products
Search
Document Center

Data Security Center:Data scanning and identification

Last Updated:Jun 21, 2026

This topic answers frequently asked questions about sensitive data scanning and identification.

Does data scanning affect my database performance?

Data Security Center (DSC) uses full, incremental, and scheduled scans to examine your databases. A full scan has a minimal impact on your database performance and does not affect your normal business operations. An incremental scan processes only modified files and has a negligible impact on performance.

DSC performs a full scan on your assets only after you authorize them, manually trigger a rescan, or at the start of a configured full scan cycle. When data in your database changes, only the modified files or tables are scanned. To minimize the performance impact of scans on your database, you can configure the full scan cycle based on the following recommendations:

  • Extend the full scan cycle to reduce the performance impact of DSC scans.

  • Schedule scans to run during off-peak hours when database traffic is low.

What types of data assets does DSC support for scanning?

DSC can scan both structured and unstructured data. The supported data asset types are as follows:

  • Structured data: ApsaraDB RDS, PolarDB, PolarDB for Xscale (PolarDB-X), PolarDB-X 2.0, ApsaraDB for Redis, ApsaraDB for MongoDB, ApsaraDB for OceanBase, and self-managed databases.

  • Unstructured data: Object Storage Service (OSS) and Log Service (SLS).

  • Big data: Tablestore, MaxCompute, AnalyticDB, and AnalyticDB.

For more information, see Supported data asset types.

How long does a scan take to complete after a data asset is authorized?

After DSC is authorized to access a data asset, a scan starts within 2 hours. The scan duration depends on the amount of data to be scanned and is extended if you have a large number of data tables (for example, more than 10,000 tables) or a large volume of OSS files (for example, more than 1 PB). While DSC scans your data, partial results are displayed on the Overview page of the DSC console. For more information, see Data Security Center overview.

How does DSC scan unstructured data assets (OSS and SLS)?

DSC scans the content stored in unstructured data assets and identifies sensitive data based on the scan results.

Asset type

Scan scope

Scanned data object

OSS

  • Initial scan: After authorization, DSC performs a full scan of all objects in the authorized OSS bucket.

  • Incremental scan: If an object is added to or modified in the OSS bucket, DSC scans the new or modified object.

<OSS Bucket>/<Object Name>.

Each object is treated as a single data object for a scan task.

SLS

Each time a scan runs, it processes all data stored in the authorized asset from 00:00 to 24:00 on the day before yesterday.

If you need to scan more data in SLS, you can create a custom identification task and configure the scan scope. For more information, see Create a custom identification task.

<SLS Project>/<Logstore>/<Time Period>.

The data stored within each 5-minute period is treated as a single data object for a scan task.

DSC: What Are the Billing Rules for Scans of Unstructured Data Sources (OSS and SLS)?

DSC is a subscription-based service. Data identification scans consume your purchased resource quotas. The deduction rules vary by edition:

  • Enterprise Edition: Billing is based on the data protection volume. The consumed quota is calculated as: Size of authorized OSS buckets + (Size of authorized SLS projects × 0.5). The result is deducted from your storage protection capacity.

  • Value-added Service Plan: The data scanning and identification feature is not supported.

For more information, see Billing.

Rescanning OSS objects

If an object has not been modified, DSC does not rescan it. If an object is modified, DSC automatically rescans it within 24 hours.

If needed, you can also manually rescan an OSS asset. For more information, see Rescan an identification task.

How does DSC scan structured data, such as MaxCompute?

DSC scans field names and their values in databases and tables to identify sensitive data. For example, to evaluate age-related data, DSC analyzes both the column name and its values if the values alone are not conclusive.

  • Initial scan: After authorization, DSC performs a full scan of all tables in the entire database or data project.

  • Incremental scan: When a new table is added to a database or data project, DSC scans the new table. If the schema (columns) of an existing table changes, DSC also rescans that table.

Does DSC log in to the database to retrieve data?

With proper authorization, DSC logs in to your database and uses data sampling to identify sensitive data. DSC does not store any data from your MaxCompute projects or databases.

What scenarios trigger a rescan?

DSC automatically triggers a rescan of an authorized data asset in the following scenarios.

Scenario

Scan logic

Impact on billing

A data asset is authorized for the first time.

DSC performs a full scan on all data in the data asset.

You are billed for a full scan of all data in the data asset.

Data in an authorized data asset changes after an initial scan.

After the schema of a table in MaxCompute or a database changes (specifically, when a column is added or deleted), DSC automatically scans the modified columns. Changes to rows do not trigger an automatic scan.

You are billed for scanning the modified table.

An object is added to or modified in an OSS bucket.

Note

Deleting an object from an OSS bucket does not trigger an automatic scan.

You are billed only for scanning the new or modified object.

The configuration of sensitive data identification rules changes (for example, a rule is added, enabled, disabled, or deleted).

DSC automatically scans all data in all authorized data assets.

You are billed for a full scan of all authorized data assets.

Scanning encrypted data

Yes, if the data is encrypted by using transparent data encryption (TDE).

Performance impact of MongoDB scans

A full-collection scan has a minimal impact on your database performance and typically does not disrupt normal business operations.

To further reduce the performance impact of asset scans, you can increase the scan interval or schedule scans to run during off-peak hours when database traffic is low.

Scanning archives and documents in OSS

Yes. You can view the full list of supported OSS data types on the File Type tab of the Identification Rules page in the Data Security Center console.

DSC supports a wide range of file categories, including text files (109 types, such as .txt, .xml, and .vcf), office documents (144 types), image files (86 types), design documents (10 types), code files (91 types), binary files (23 types), data files (25 types), signature verification files (18 types), and archive files (50 types, such as .7z, .zip, .rar, and .tar).

Exporting identification results

Yes. For instructions, see View and export sensitive data identification results.

Field-level scan results for MongoDB

No. ApsaraDB for MongoDB is a document-oriented database where the smallest unit of storage is a document. Therefore, scan results cannot be narrowed down to a specific field.

Details in API query results

Yes.

API

Description

DescribeOssObjects

Returns the instance ID (InstanceId), bucket name (BucketName), object ID (FileId), and risk level ID (RiskLevelId) for an OSS object.

DescribeInstances

Returns the ID (Id) and name (Name) of a data asset instance.

DescribeTables

Returns table information (Items), including the table name (Name) and risk level ID (RiskLevelId).

DescribeDataObjectColumnDetailV2

Returns column information (Items) for a data table, including the column name (ColumnName) and risk level ID (RiskLevelId).

Sensitive data identification for Redis

No. Currently, DSC provides only the baseline check feature for ApsaraDB for Redis. For more information, see Security baseline checks.

Selecting the common identification template

You do not need to configure the common identification template separately. If an identification task uses a built-in template, the common template is used by default. For more information, see View and configure identification templates and Scan sensitive data by using an identification task.

Free edition tasks in waiting state

The free quota for data identification (5 GB of stored data and 100 database tables) is exhausted. As a result, the identification task cannot run and remains in the waiting state. To continue using the sensitive data identification feature, purchase a Data Security Center plan. For more information, see Purchase Data Security Center.

Full scan tasks reported as partial

  • Problem description: A scheduled scan task is configured to scan all data in a database instance, but the Last Scanned At column indicates that only some databases were scanned.

    On the Sensitive Data Identification page, you expand a MySQL instance that contains four databases. The Last Scanned At time is different for each database, with some being significantly older than others.

  • Cause: For a custom periodic identification task, the initial scan is a full scan based on the configured scope. However, subsequent scans process only incremental data within that scope.

  • Solution: If you need to update the identification rules or run a full scan, reconfigure the custom scan task.