Amazon S3 is a widely appreciated cloud storage service. Not only it stores your data but also able to tackle the stored data in the form of accessibility. You can pay according to storage you are leveraging i.e. frequently accessed or archive data storage. But security is still what concerns most of the users. This can be handled on the ground level by creating and adding policies for your S3 buckets.

What is S3 bucket policy?

Bucket Policy is very similar to the access control list. Both are resource-based AWS Identity and Access Management (IAM) Policies. These services enable the user to grant access permission to other AWS account holder or IAM user. To apply the bucket policy, a user needs to add a policy to their bucket. These policies are only applicable to the bucket and the object present in it, but this permission is applied to the object that is created by the bucket owner.

How to create or add bucket policies?

To add a bucket policy:

Select the bucket in the name list, for which you want to create policy.
Now in permissions, select bucket policy.
In bucket policy editor window, add a new bucket policy or edit an existing policy. Since bucket policy is JSON file. So, make sure the text you enter in the editor should be valid in JSON.
Save your policy.

Why do you need to configure a metric filter and alarm for S3 bucket policy?

By default, your bucket is in private mode; but bucket policy provides you with an additional layer of protection for your bucket. Any unexpected change in your bucket policy can make your data insecure. To protect your bucket policies, you need to configure a trail in CloudTrail which registers every change occurred in your policies. And if you deliver this trail to CloudWatch logs, it will alarm you for every change that happens into the configuration. Hence, you can react immediately.

Ensure your Cloud Storage Security

Centilytics ensures that your CloudWatch alarm triggers every time a bucket policy change is made. Whenever there is an AWS API call to add or edit bucket policy, CloudWatch alarm must notify you. Centilytics plays a crucial role since it checks for the CloudWatch alarm that you need to set up in your AWS account. It then lists down all the accounts in which the alarm is not configured. With our applicable filters, it becomes easier to understand the configuration of the Bucket Policies.

Insight Description:

	Ok: CloudTrail has CloudWatch logs groups configured with metric filter, alarm, SNS topic with at least one subscriber.
	Warning: For your CloudWatch alarms, either no SNS topic is created or no individual is present in the list of topic subscribers to receive the alerts.
	Critical: Delivery to CloudWatch logs not configured.

Description of further columns are as follows:

Account Id: Shows the respective account ID of the user’s account.

Account Name: Shows the account name corresponding to the user’s account.

Region: This column shows the region of your instance where it has been used.

Identifier: Shows you the service with its trail name.

Log Group Name: It represents the name of the group which has permission to use the service.

Metric Filter Name: Shows you the name that you have given to the metric filter.

Alarm Name: Shows you the name of the alarm which you have assigned.

SNS Topic Name: SNS refers to the Simple Notification Service group. A group of individuals who receive the alert message.

Custom Severity Description: Shows the severity of your metric filter and its functions custom description.

Filters Applicable:

Filter Name	Description
Account Id	Applying account Id filter will display all the public snapshots for the selected account Id.
Region	Applying the region filter will display all the public snapshots corresponding to the selected region.
Severity	Applying severity filter will display public snapshots according to the selected severity type i.e. selecting critical will display all instances with critical severity. Same will be the case for Warning and Ok severity types.
Resource Tags	Applying resource tags filter will display those public snapshots which have been assigned the selected resource tag. For e.g., If a user has tagged some public snapshots by a resource tag named environment, then selecting an environment from the resource tags filter will display all those snapshots.
Resource Tags Value	Applying resource tags value filter will display data which will have the selected resource tag value. For e.g. – Let’s say a user has tagged some resource by a tag named environment and has a value say production (environment: production). Hence, the user can view data of all the resources with “environment:production” tag. The user can use the tag value filter only when a tag name has been provided.
Compliance	Applying Compliance filter, you can further refine your security and health checks.

Tags
Technical Briefs

Previous articleAWS RDS cluster limit – Control your usage before service limits breach

Next articleRDS instance service limits need to be checked regularly

AWS Creates New Wavelength Zones in Seattle, Denver

After US, Japan, AWS Announces New Wavelength Zone in South Korea

Google Cloud Announces Plans For Three New International Cloud Regions

Google Cloud Inks Deal With US-Based Highmark Health and Tapestry

Video Conferencing App Zoom Leaves Oracle, Inks Deal With AWS For…

(Updated) AWS Outage Resolved, All Operations Return to Normal

NSW Health Pathology Leverages Microsoft Azure Services To Speed-Up COVID-19 Testing

Amazon Launches Managed Workflows for Standalone System Apache Airflow

S3 Bucket Policy with CloudWatch Alarm – Securing storage before it leaks