DSPM creates transitory scanner instances in the respective regions to perform data scanning on different data stores such as storage, compute, and databases. The orchestrator instance creates the scanner instances with a unique identity. Zscaler's applications are installed in these scanner instances to perform data scanning. For each data store, DSPM creates up to a maximum of 10 scanner instances each with configuration of 16 vCPU and 32 GiB memory, depending upon the number of data stores that must be scanned.

You need to ensure that sufficient vCPU quotas are enabled in the orchestrator account. Such high configurations are required as DSPM scans huge amounts of data, and a high configuration of scanner instances ensures data scans are completed faster than the lower configuration instances that take a longer duration to perform a data scan. The scanner instance automatically pushes the data scan results to DSPM.

All scanner instances are created with tags and the tags should not be deleted or tampered with. The image required to launch the scanner instance is property of Zscaler and it is shared with the customer’s orchestrator account for data scanning purposes. Inbound access to scanner instances is restricted only from the orchestrator instance.

The following tags are added to the scanner instances. You can enable these tags in AWS to track the cost allocation for DSPM. To learn more, refer to the AWS documentation.

• z-dspm-resource = true
• z-dspm-scanner-resource= true
• z-dspm-tenant-id = <tenant_id>
• z-dspm-tenant-name = <tenant_name>
• z-dspm-scan-id = <scan_id>