
Navigate Leaky S3 Buckets with Maps

Product
May 6, 2021

Let’s face it - visualizing and understanding your AWS estate without the right tools is tedious. But this tedium is more than an operational annoyance; it is dangerous. Not knowing the true state of your AWS security posture frequently leads teams to expose sensitive data without realising it. Take, for example, a recent leak of over 50,000 medical records that were stored in two AWS S3 buckets which were publicly accessible and required no authentication at all. Unfortunately, incidents like these, where seemingly obvious security mistakes cause massive data breaches, are all too common.

As the growth rate for corporate data breaches continues to trend upward, a recent Plaintalk episode (~10 minutes), with Open Raven’s co-founders Dave and Mark, explains why it’s more critical than ever to secure your AWS assets. As Dave and Mark explain, the key message is that sensitive data can no longer rest in obscurity. That’s why we’ve designed Open Raven’s Maps — to give you the ability to visualize and protect even the largest cloud environments, so leaks are plugged for good.

Google Maps, for your data

Open Raven’s Maps feature has one purpose: to quickly and easily find answers to common but historically tough questions. Our intuitive and interactive 3D map lets you immediately focus on what matters and prevent issues before they become problems. In a few clicks, you can find misconfigured assets across your entire cloud infrastructure.

Use over 100 combinations of asset and configuration filters to see what you want and need to see.

You can discover the traffic flows permitted by security group rules and even identify VPC peering connections that shouldn't exist.

Easily view relevant security groups (left) or VPC connections (right).

Although a new S3 bucket is private by default, sharing it involves several overlapping mechanisms (bucket ACLs, bucket policies, and the Block Public Access settings at bucket and account level), and it is this complexity that creates room for accidental exposure. As shown in the screenshot below, buckets offer fine-grained sharing options. However, it is precisely those options that get misconfigured and turn into security threats.

Fortunately, it is this understanding that led Open Raven to design a map on which admins can see open S3 buckets with a single click.

The “Security Configurations” filters highlight the buckets that are publicly accessible (as demonstrated in the top left of the screenshot). Clicking an individual bucket on the map also shows additional helpful information such as the bucket’s name, its account ID, whether or not it is encrypted or backed up, and more.

Automate Business Rules for S3 Buckets

After identifying and resolving your misconfigured S3 buckets, an important question remains: how do you ensure that such misconfigurations never happen again?

Open Raven helps answer that question by giving you an easy way to configure policies on specific assets.

For example, in the screenshot below we have created an asset group for sensitive S3 buckets in the us-east-1 region. An asset group is simply a way to organize the assets that match specific criteria.

Next, you create rules defining the asset configuration you want to enforce. Rules are written in Rego, the policy language of the Open Policy Agent (OPA). Below you will see that Open Raven provides over a dozen rules out of the box to get you started.

Rego is easy to read and write. For example, you can create a rule that automatically flags public S3 buckets:

# Rego (OPA) rule: fires when the asset being evaluated is an S3 bucket
# that is publicly reachable. A Rego file must start with a package
# declaration; the name used here is a placeholder, not one the post shows.
package openraven.rules

import data.helpers

public_bucket_rule {
        helpers.isS3Bucket   # the asset is an S3 bucket ...
        helpers.isPublic     # ... and is reachable by anyone
}

And a rule that checks for sensitive personal data in those buckets:

# Rego (OPA) rule: for a public S3 bucket, ret holds the result of the
# "Personal Data" collection check, so the rule reports an exposed bucket
# that also contains personal data. The package name is a placeholder.
package openraven.rules

import data.helpers

public_bucket_sensitive_data = ret {
        helpers.isS3Bucket
        helpers.isPublic
        ret := helpers.hasDataFromCollection("Personal Data")
}
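The exposure check behind the “publicly accessible” filter described above and the two Rego rules, as an added example that is not Open Raven’s code: a small Python evaluator that decides whether a bucket is public from its ACL, its bucket policy and its Block Public Access settings, then applies Python equivalents of the two rules to a constructed inventory. The bucket record layout, the field names, the sample buckets and the modelled versions of `helpers.isS3Bucket`, `helpers.isPublic` and `helpers.hasDataFromCollection` are all assumptions made for this example, not Open Raven’s implementation.

```python
# Added example, not Open Raven's code: a minimal evaluator for the three
# S3 sharing mechanisms discussed in the post (bucket ACL, bucket policy,
# Block Public Access), plus Python twins of the page's two Rego rules.
# Bucket records, field names and the sample inventory are constructed.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}  # AWS treats both groups as public


def acl_grants_public(acl):
    """True if any ACL grant goes to AllUsers or AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
               for g in acl.get("Grants", []))


def policy_allows_anyone(policy):
    """True if an Allow statement names a wildcard principal and carries no
    Condition. Deliberately conservative: any Condition is treated as a
    restriction, so a statement whose condition everyone satisfies is
    missed; a real scanner must inspect the condition keys themselves."""
    statements = (policy or {}).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if wildcard and "Condition" not in s:
            return True
    return False


def is_public(bucket):
    """Effective exposure right now. 'public_access_block' holds the merged
    account- and bucket-level settings (in AWS the stricter one wins).
    IgnorePublicAcls neutralises existing public ACL grants and
    RestrictPublicBuckets neutralises an existing public policy; the two
    Block* settings only stop new public ACLs/policies from being written,
    so they do not change whether the bucket is exposed today."""
    bpa = bucket.get("public_access_block", {})
    if acl_grants_public(bucket.get("acl", {})) and not bpa.get("IgnorePublicAcls", False):
        return True
    if policy_allows_anyone(bucket.get("policy")) and not bpa.get("RestrictPublicBuckets", False):
        return True
    return False


# Modelled equivalents of the page's Rego rules (helpers are assumed here).
def public_bucket_rule(asset):
    return asset.get("type") == "s3_bucket" and is_public(asset)


def public_bucket_sensitive_data(asset, collection="Personal Data"):
    return public_bucket_rule(asset) and collection in asset.get("data_collections", [])


RULES = {
    "public_bucket_rule": public_bucket_rule,
    "public_bucket_sensitive_data": public_bucket_sensitive_data,
}

# Constructed inventory: one bucket per way the three mechanisms interact.
SAMPLE_BUCKETS = [
    {"name": "acl-public-no-bpa", "type": "s3_bucket",
     "acl": {"Grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]}},
    {"name": "acl-public-ignored", "type": "s3_bucket",
     "acl": {"Grants": [{"Grantee": {"URI": AUTH_USERS}, "Permission": "READ"}]},
     "public_access_block": {"IgnorePublicAcls": True}},
    {"name": "policy-public-restricted", "type": "s3_bucket",
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::policy-public-restricted/*"}]},
     "public_access_block": {"RestrictPublicBuckets": True}},
    {"name": "policy-public-pii", "type": "s3_bucket",
     "policy": {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                              "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::policy-public-pii/*"}},
     "data_collections": ["Personal Data"]},
    {"name": "policy-conditioned", "type": "s3_bucket",
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::policy-conditioned/*",
                               "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}},
    {"name": "private", "type": "s3_bucket", "data_collections": ["Personal Data"]},
]


def evaluate(assets, rules=RULES):
    """Return {rule name: sorted names of the assets that violate it}."""
    return {name: sorted(a["name"] for a in assets if rule(a))
            for name, rule in rules.items()}


if __name__ == "__main__":
    for rule, names in evaluate(SAMPLE_BUCKETS).items():
        print(f"{rule}: {names}")
```

Only the first and fourth sample buckets are reported as public: a public ACL is neutralised by IgnorePublicAcls, a public policy by RestrictPublicBuckets, and the conditioned policy is treated as restricted. That last decision is the weak spot of any home-grown check, so in a live account cross-check the policy half of this logic against the IsPublic verdict that S3's GetBucketPolicyStatus API returns.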

A set of these rules are then used to create policies that are applied to asset groups. Just like rules, Open Raven also provides several pre-configured policies to get you up and running quickly. In the screenshot below, you will find an AWS Security Configuration policy that’s applied to the asset group we created earlier.

The rules, which you can see selected on the right side of the screenshot above, enforce a specific configuration for security groups, multi-factor authentication, and public access.

Lastly, you define how to monitor and receive alerts for violations of the policies you create. Open Raven provides several integrations that automatically route violations as they occur. Violations can be routed to your email or sent to a Slack channel, your favorite webhook, or an Amazon EventBridge event bus. Below you'll find a screenshot of Open Raven’s sample violations daily digest email.


We’ve only scratched the surface with what’s possible in Open Raven. For more details, or even a demo that suits your needs, drop us a line at our contact page.

Author: Igor Shvartser