Sections in this category

2022-JAN-12 Release

January 11, 2022

AWS Integration

Description

J1 has updated how it determines the AWS S3 bucket policy status to better align with what is presented in the AWS console.

Changes

J1 has been using the get-bucket-policy-status API to retrieve the S3 bucket policy status for public and private settings. However, we have seen inconsistencies in this data when compared to the AWS console.

The AWS console generates data through the access analyzer and there is no public API that we can use to directly retrieve this data.

J1 has changed its logic so that it better aligns with the AWS console bucket access status. We believe this is a superior method for interpreting AWS bucket access.

With this change, JupiterOne now presents:

  • public: true when we definitively know that the S3 bucket is set to public per the bucket policy, ACLs, or the public block.

  • public: false when we definitively know that the S3 bucket is not public per the bucket policy, a review of the ACLs, or the public block.

  • public: undefined when cannot definivitely determine the bucket policy. This scenario happens when AWS access is presented as Objects can be public and we have no definitive evidence proving public true or false, OR we cannot connect to the AWS API to retrieve bucket access information.

Additionally, we are adding the access property to present additional information when the status is not public: true or public: false. This property allows a user to determine if there is a permission issue with JupiterOne's access (we believe this will be an edge case, but is possible), or if AWS is presenting Objects can be public. The access property will be set to either access = ‘Bucket and objects not public' or access = 'Only authorized users of this account'.

While we believe this update presents a significant improvement in understanding your bucket access settings, if you notice inconsistencies in your data, please contact your customer success manager so that we can further tune and improve our logic.

Finally, the default behavior uses the account-level publicAccessBlock to evaulate the access policy. Otherwise it evaluates based on the bucket-level publicAccessBlock.

Customer Impact

The aws_s3_bucket.public property accurately reflects the public status of the bucket. The new access property indicates the same text shown in the AWS console.

If you have configured J1 alerts to monitor aws_s3_bucket.public, the alerts may be triggered next time you use the J1 AWS integration in cases where the value changes due to this improved analysis.

Going forward, the access properties on S3 buckets in J1 should more closely align with what the AWS console displays.

🔝

Was this article helpful?

0 out of 0 found this helpful