January 11, 2022
J1 has updated how it determines the AWS S3 bucket policy status to better align with what is presented in the AWS console.
J1 has been using the get-bucket-policy-status API to retrieve the S3 bucket policy status for public and private settings. However, we have seen inconsistencies in this data when compared to the AWS console.
The AWS console generates data through the access analyzer and there is no public API that we can use to directly retrieve this data.
J1 has changed its logic so that it better aligns with the AWS console bucket access status. We believe this is a superior method for interpreting AWS bucket access.
With this change, JupiterOne now presents:
public: true when we definitively know that the S3 bucket is set to public per the bucket policy, ACLs, or the public access block.
public: false when we definitively know that the S3 bucket is not public per the bucket policy, a review of the ACLs, or the public access block.
public: undefined when we cannot definitively determine the bucket policy. This scenario happens when AWS presents the access as "Objects can be public" and we have no definitive evidence proving public true or false, OR we cannot connect to the AWS API to retrieve bucket access information.
Additionally, we are adding the access property to present additional information when the status is not public: true or public: false. This property allows a user to determine whether there is a permission issue with JupiterOne's access (we believe this will be an edge case, but it is possible), or whether AWS is presenting "Objects can be public". The access property will be set to either access = 'Bucket and objects not public' or access = 'Only authorized users of this account'.
While we believe this update presents a significant improvement in understanding your bucket access settings, if you notice inconsistencies in your data, please contact your customer success manager so that we can further tune and improve our logic.
Finally, the default behavior uses the account-level publicAccessBlock to evaluate the access policy. Otherwise it evaluates based on the bucket-level publicAccessBlock. The aws_s3_bucket.public property accurately reflects the public status of the bucket. The new access property indicates the same text shown in the AWS console.
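As an added illustration of the reasoning described above (not JupiterOne's code), the function below combines the three inputs the note names, public access block, bucket policy status and ACL grants, into a public verdict of true/false/undefined plus a console-style access label. The dict shapes follow the boto3 responses for get_public_access_block, get_bucket_policy_status and get_bucket_acl; the "Public" label is the console's own wording and is an assumption here, and every sample input is constructed.

```python
# Added illustration, not JupiterOne's implementation: derive public True/False/None plus an
# AWS-console-style access label from public access block, bucket policy status and ACL grants.
# Dict shapes follow the boto3 responses for get_public_access_block, get_bucket_policy_status
# and get_bucket_acl; all sample data below is constructed, not captured from a real account.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_has_public_grant(acl):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
               for g in acl.get("Grants", []))


def classify_bucket(account_pab, bucket_pab, policy_status, acl):
    """Return (public, access). public is True/False, or None when undetermined.
    account_pab / bucket_pab: PublicAccessBlockConfiguration dicts, or None when not set.
    policy_status: PolicyStatus dict, or None (no policy or the API call failed).
    acl: get_bucket_acl response, or None (the API call failed)."""
    # As the note describes, the account-level block is used when present, else the bucket's.
    pab = account_pab if account_pab is not None else (bucket_pab or {})
    if policy_status is None and acl is None:
        return None, None  # no access information retrievable: undefined, likely our permissions
    policy_public = bool(policy_status and policy_status.get("IsPublic"))
    acl_public = acl is not None and acl_has_public_grant(acl)
    # Block Public Access neutralises a public ACL (IgnorePublicAcls) or a public policy
    # (RestrictPublicBuckets) even though the grant or statement is still attached.
    if ((acl_public and not pab.get("IgnorePublicAcls"))
            or (policy_public and not pab.get("RestrictPublicBuckets"))):
        return True, "Public"  # console wording, assumed here
    if policy_public:  # public statement exists but RestrictPublicBuckets confines it to the account
        return False, "Only authorized users of this account"
    if all(pab.get(f) for f in PAB_FLAGS):
        return False, "Bucket and objects not public"
    # Nothing public today, but the blocks are not all on: the console shows
    # "Objects can be public", which the note maps to public: undefined.
    return None, "Objects can be public"


# Constructed sample inputs.
FULL_BLOCK = {f: True for f in PAB_FLAGS}
NO_BLOCK = {f: False for f in PAB_FLAGS}
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
OWNER_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print(classify_bucket(FULL_BLOCK, None, {"IsPublic": False}, PUBLIC_ACL))  # (False, 'Bucket and objects not public')
    print(classify_bucket(None, NO_BLOCK, {"IsPublic": False}, PUBLIC_ACL))    # (True, 'Public')
    print(classify_bucket(None, NO_BLOCK, {"IsPublic": False}, OWNER_ACL))     # (None, 'Objects can be public')
```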
If you have configured J1 alerts to monitor aws_s3_bucket.public, the alerts may be triggered the next time you use the J1 AWS integration in cases where the value changes due to this improved analysis.
Going forward, the access properties on S3 buckets in J1 should more closely align with what the AWS console displays.