Navigate Leaky S3 Buckets with Maps
Let’s face it - visualizing and understanding your AWS estate without the right tools is tedious. However, rather than just being an operational annoyance, this tedium is also dangerous. Difficulty comprehending the true state of AWS security frequently leads teams to inadvertently expose sensitive data. Take, for example, a recent leak of over 50,000 medical records, which were stored on two publicly accessible AWS S3 buckets without password protection or authentication. Unfortunately, instances like these, where seemingly obvious security mistakes cause massive data breaches, are all too common.
As the growth rate for corporate data breaches continues to trend upward, a recent Plaintalk episode (~10 minutes), with Open Raven’s co-founders Dave and Mark, explains why it’s more critical than ever to secure your AWS assets. As Dave and Mark explain, the key message is that sensitive data can no longer rest in obscurity. That’s why we’ve designed Open Raven’s Maps — to give you the ability to visualize and protect even the largest cloud environments, so leaks are plugged for good.
Google Maps, for your data
Open Raven’s Maps feature has one purpose: to quickly and easily find answers to common but historically tough questions. Our intuitive and interactive 3D map lets you immediately focus on what matters and prevent issues before they become problems. In a few clicks, you can find misconfigured assets across your entire cloud infrastructure.
You can discover traffic flow as defined by security group rules and even identify VPC peering connections that shouldn't exist.
Although AWS automatically blocks public access to buckets by default, it’s the complexity of configuring how those buckets are shared that creates room for accidental exposure. As shown in the screenshot below, buckets are designed to have fine-grained sharing capabilities. However, it is precisely these options that can lead to security threats.
Fortunately, it is this understanding that led Open Raven to design a map that lets admins visualize open S3 buckets with a single click.
The “Security Configurations” filters highlight those buckets which are publicly accessible (as demonstrated in the top-left side of the screenshot). Clicking on individual buckets in the map will also show additional helpful information, such as the bucket’s name, account ID, whether it is encrypted or backed up, and more.
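The public-access determination behind a filter like the one above comes down to three settings on each bucket: its Block Public Access flags, its ACL, and its bucket policy. The following is an added example, not Open Raven’s code, that evaluates those three settings the way AWS documents them, over sample bucket configurations constructed inline so it runs offline. The bucket-policy test is a deliberate simplification (any Allow statement with a wildcard principal and no Condition is treated as public); AWS’s real evaluation also looks at which condition keys are present.

```python
"""Classify S3 bucket configurations as effectively public or not.

Added example (not Open Raven's code). Sample buckets are constructed
below; the policy test is a simplified version of AWS's "public policy"
rule (see policy_is_public).
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


@dataclass
class BucketConfig:
    name: str
    # The four Block Public Access settings; all True means fully blocked.
    block_public_acls: bool = True
    ignore_public_acls: bool = True
    block_public_policy: bool = True
    restrict_public_buckets: bool = True
    acl_grants: List[dict] = field(default_factory=list)  # [{"Grantee": {...}, "Permission": ...}]
    policy: Optional[str] = None  # bucket policy as JSON text


def _wildcard_principal(principal) -> bool:
    """True when a statement's Principal grants to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_is_public(policy_json: Optional[str]) -> bool:
    """Simplified public-policy test (assumption: an Allow statement with a
    wildcard principal and no Condition block makes the policy public)."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written unwrapped
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # simplification: a Condition is assumed to scope access down
        return True
    return False


def acl_is_public(grants: List[dict]) -> bool:
    """True when the ACL grants anything to the AllUsers or AuthenticatedUsers group."""
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            return True
    return False


def classify(bucket: BucketConfig) -> List[str]:
    """Return the reasons a bucket is effectively public (empty list means not public).

    IgnorePublicAcls neutralises existing public ACL grants and
    RestrictPublicBuckets neutralises an existing public policy. The other two
    flags only reject *new* public settings being written, so they do not undo
    public settings that are already in place.
    """
    reasons = []
    if acl_is_public(bucket.acl_grants) and not bucket.ignore_public_acls:
        reasons.append("public ACL grant")
    if policy_is_public(bucket.policy) and not bucket.restrict_public_buckets:
        reasons.append("public bucket policy")
    return reasons


# Constructed sample configurations (not real buckets).
SAMPLE_BUCKETS = [
    BucketConfig(name="locked-down"),
    BucketConfig(name="acl-leak", ignore_public_acls=False,
                 acl_grants=[{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]),
    BucketConfig(name="policy-leak", restrict_public_buckets=False,
                 policy=json.dumps({"Version": "2012-10-17", "Statement": [
                     {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                      "Resource": "arn:aws:s3:::policy-leak/*"}]})),
    # Public policy, but RestrictPublicBuckets is still on, so it is not exposed.
    BucketConfig(name="policy-but-restricted",
                 policy=json.dumps({"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                                                  "Action": "s3:GetObject",
                                                  "Resource": "arn:aws:s3:::policy-but-restricted/*"}})),
]


def public_buckets(buckets: List[BucketConfig] = SAMPLE_BUCKETS) -> Dict[str, List[str]]:
    """Map bucket name to reasons, for every bucket that is effectively public."""
    result = {}
    for b in buckets:
        reasons = classify(b)
        if reasons:
            result[b.name] = reasons
    return result


if __name__ == "__main__":
    for name, why in public_buckets().items():
        print(f"{name}: {', '.join(why)}")
```

The "policy-but-restricted" case is the one worth noticing: the policy itself is public, yet the bucket is not, because RestrictPublicBuckets is still set. A check that only looks at the policy document would flag it, while a check that only looks at the Block Public Access flags would miss "acl-leak" and "policy-leak". Both layers have to be evaluated together.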
Automate Business Rules for S3 Buckets
After identifying and resolving your misconfigured S3 buckets, an important question remains: how do you ensure that such misconfigurations never happen again?
Open Raven helps answer that question by giving you an easy way to configure policies on specific assets.
For example, in the screenshot below, you'll find that we have created an asset group for sensitive S3 buckets in the us-east-1 region. An asset group is simply a way for you to organize assets that match specific criteria.
Next, you can create rules defining the asset configuration you want to enforce. Rules are written in SQL, so they are easy to create and modify. Below you will see that Open Raven provides over one hundred rules out of the box to get you started.
A set of these rules is then used to create policies that are applied to asset groups. As with rules, Open Raven provides several pre-configured policies to get you up and running quickly. In the screenshot below, you will find an AWS Security Configuration policy that’s applied to the asset group we created earlier.
The rules, which you can see selected on the right side of the screenshot above, enforce a specific configuration for security groups, multi-factor authentication, and public access.
Lastly, you define how to monitor and receive alerts for violations of the policies you create. Open Raven provides several integrations that automatically route violations as they occur. Violations can be routed to your email or sent to a Slack channel, your favorite webhook, or the AWS EventBridge event bus. Below you'll find a screenshot of Open Raven’s sample daily violations digest email.