Skip to content

Commit

Permalink
[CASB] AWS Integration + CASB Free details (#16960)
Browse files Browse the repository at this point in the history
Co-authored-by: Max Phillips <mphillips@cloudflare.com>
  • Loading branch information
acdunbrack and maxvp authored Sep 19, 2024
1 parent 509ed97 commit c587043
Show file tree
Hide file tree
Showing 3 changed files with 129 additions and 2 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,125 @@
---
pcx_content_type: reference
title: Amazon Web Services (AWS) S3
rss: file
---

import { Render } from "~/components";

<Render
file="casb/integration-description"
params={{ one: "Amazon Web Services (AWS) S3", two: "AWS account" }}
/>

:::note
The CASB integration for AWS S3 only supports posture-related findings.
:::

## Integration prerequisites

- An AWS account using AWS S3 (Simple Storage Service)
- For initial setup, access to the AWS account with permission to create a new IAM Role with the scopes listed below.

## Integration permissions

For the AWS S3 integration to function, Cloudflare CASB requires the following access scopes via an IAM Role with cross-account access:

- `s3:PutBucketNotification`
- `s3:GetObject`
- `s3:ListBucket`

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission scope, refer to the [AWS S3 Permissions documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-policy-actions.html).

## Security findings

<Render
file="casb/security-findings"
params={{ one: "AWS S3", two: "aws-s3" }}
/>

### S3 Bucket security

Flag security issues in S3 Buckets, including overpermissioning, access policies, and user security best practices.

| Finding type | FindingTypeID | Severity |
| -------------------------------------------------------- | -------------------------------------- | -------- |
| S3 Bucket ACL Allows Any Authenticated User to Write | `09bc7d1f-e682-43bc-a4ce-e6e03b408244` | Critical |
| S3 Bucket ACL Allows Any Authenticated User to Write ACP | `9392a460-c566-4e0d-b06b-01d87dc84d7c` | Critical |
| S3 Bucket ACL Allows Public ACP Write | `5b792c7f-2546-4fcd-96dc-a58a53fea7e0` | Critical |
| S3 Bucket ACL Allows Public Write | `f50ae197-fa0a-4caa-be95-79aed91eed63` | Critical |
| S3 Bucket Policy Allows Any Authenticated User to Write | `70fe0596-28bc-41dd-a2c3-1486fb0fb1dd` | Critical |
| S3 Bucket Policy Allows Public Write | `5e2aac4b-d8be-43dc-b324-84fdf63f760e` | Critical |
| S3 Bucket Publicly Accessible | `6b1276e3-88e8-4150-a4d5-1b8273f11078` | Critical |
| S3 Bucket ACL Allows Any Authenticated User to Read | `fda31c4d-24dc-43d4-8a84-a1a9e1df01a1` | High |
| S3 Bucket ACL Allows Any Authenticated User to Read ACP | `7232e46b-3539-4080-b905-022f1091556c` | High |
| S3 Bucket ACL Allows Public ACP Read | `e324242c-5feb-41a3-8d91-f70611471fad` | High |
| S3 Bucket ACL Allows Public Read | `f8c9f979-29f0-4ada-b09e-a149937a55d4` | High |
| S3 Bucket Policy Allows Any Authenticated User to Read | `c6b3a745-b535-45ea-b2c0-ba8a139ca634` | High |
| S3 Bucket Policy Allows Public Read | `f3915412-eef9-47d9-8448-e04462de8ba2` | High |
| S3 Bucket Without MFA Delete Enabled | `f108bd28-9870-453f-a439-01818e85bdc7` | High |
| S3 Bucket Without Server-Side Encryption (SSE) | `7817b383-79c3-44ca-8d5d-e01748afe75b` | High |
| S3 Bucket Encryption in Transit Disabled | `0b3227dd-63d3-46bc-97b3-e62d9c11567a` | Medium |
| S3 Bucket MFA Delete Disabled | `518697ff-3f7e-463e-acf3-79d106599f0e` | Medium |
| S3 Bucket ACL Allows Public List | `e3c8a170-7817-4151-bd01-55442f4416ea` | Medium |
| S3 Bucket Objects Can Be Public | `0ff170dc-be6b-46fa-a1cf-95ca7d067f4b` | Medium |
| S3 Bucket Policy Allows Any Authenticated AWS User | `264be783-7fe1-4f50-aee7-d8df370b7b77` | Medium |
| S3 Bucket Policy Allows Any Authenticated User to Delete | `4431eaeb-63e3-43c1-a4bc-029f09da66fd` | Medium |
| S3 Bucket Policy Allows Any Authenticated User to List | `319c9715-b86d-4215-bdfa-c5d9b3a5cc83` | Medium |
| S3 Bucket Policy Allows Public Delete | `bbbeacbc-6692-4121-a785-d634da1e5c56` | Medium |
| S3 Bucket Policy Allows Public List | `f7ae03e3-1303-4404-b6f5-a7f97e52105e` | Medium |
| S3 Bucket Server Side Encryption Disabled | `d69ab398-fba8-4e71-bf49-60af48d00cbc` | Medium |
| S3 Bucket Without Access Logging | `67d0995d-7b4a-40c5-a43f-7a98d20faac6` | Medium |
| S3 Bucket Without AWS CloudTrail Logging | `89366ebe-ca0b-45fc-a9cb-135674e0a49b` | Medium |
| S3 Bucket Without Cross-Region Replication | `d4e5c815-33e3-4a01-b852-fe040d51ee55` | Medium |
| S3 Bucket Without Default Encryption | `fb7a41af-294c-4e9b-a6ca-a1fed35542d6` | Medium |
| S3 Bucket Without Lifecycle Policies | `2df6f1b8-e41c-4ab5-a466-992ce485a367` | Medium |
| S3 Bucket Without Object-Level Logging | `9af2594c-3999-49c9-bd3d-2f4b091f99c0` | Medium |
| S3 Bucket Without Replication Enabled | `cb61ef18-a498-456c-985c-78a45e19f4fe` | Medium |
| S3 Bucket Without Versioning Enabled | `95e1284f-a514-4396-bf64-cd003818790c` | Medium |
| S3 Bucket Access Logging Disabled | `84ba76fa-4703-490e-ab75-1b554993c054` | Low |
| S3 Bucket Lifecycle Disabled | `970d2ca8-e189-42a8-8e86-9f674fcb1aea` | Low |
| S3 Bucket Policy Not Existent | `3e1d0535-d82f-4ed1-9664-d2c50905db17` | Low |
| S3 Bucket Versioning Disabled | `4e976e0d-b545-4c4a-99c5-a2f5d9a6f3d8` | Low |

### IAM Policies

Identify AWS IAM-related security issues that could affect S3 Bucket and Object security.

| Finding type | FindingTypeID | Severity |
| --------------------------------------------------------------- | -------------------------------------- | -------- |
| IAM Account Password Policy Does Not Exist | `e39ee4da-eed5-49d0-95f7-b423884b858c` | Critical |
| IAM Account Password Policy Doesn't Require Lowercase Letters | `9278444b-0c38-4ed0-8127-f3f25444811c` | High |
| IAM Account Password Policy Doesn't Require Passwords to Expire | `5be79a96-4570-45cf-8ba3-1abe62802d16` | High |
| IAM Account Password Policy Doesn't Require Symbols | `dd17afa3-4d4c-49e4-84c3-e829af9fff97` | High |
| IAM Account Password Policy Doesn't Require Uppercase Letters | `e4976e53-bab5-4276-a1d3-1d85ebfd4d57` | High |
| IAM Account Password Policy Max Age is greater than 90 days | `4e1092a0-7092-405f-a991-537d8c371440` | High |
| IAM Account Password Policy Minimum Length is less than 8 | `2a2fa181-7beb-48ba-bc8d-8f1170c6062c` | High |
| IAM Account Password Policy Re-use Prevention is less than 5 | `a4791a20-373f-44d3-9f6e-e61f1685fe05` | High |
| IAM Role with Cross-Account Access | `8de72710-b23a-4d94-915e-26ef7249d21e` | High |
| IAM Access Key Inactive over 90 Days | `37d1adb1-8e37-4708-a849-e06945c60802` | Medium |
| IAM Access Key Not Rotated over 90 Days | `d2caf571-4c99-4da7-a21c-4384f8cb4e5c` | Medium |
| IAM User Console Login Inactive Over 90 Days | `82b50a4d-8582-4766-9bad-f41b441bf336` | Medium |
| IAM User MFA Disabled | `4679563f-5975-4c68-9dbf-896810ec8de9` | Medium |
| IAM User Password Older Than 90 Days | `c5376384-e4e4-4b2c-af84-12d6740939f0` | Medium |
| IAM Account Password Policy Doesn't Require Numbers | `15c65813-c7e6-4b22-95b3-b3942c8b8924` | Low |

### Root User Management

Detect security issues related to the use of an IAM Root User, which has the ability to access and configure important settings.

| Finding type | FindingTypeID | Severity |
| ------------------------------------------------- | -------------------------------------- | -------- |
| AWS Root User Access Key Used within Last 90 Days | `9d23c002-aece-42b5-b082-2b51fab8d7c1` | Critical |
| AWS Root User has Access Keys | `1b788d31-ed56-4008-b136-6993f38e4d1c` | Critical |
| AWS Root User Logged in within Last 90 Days | `e9959d6e-edc9-4ea3-9113-3c30b02a811e` | Critical |
| AWS Root User MFA Disabled | `19abe0ee-e8bd-4e3b-9ee9-ea5c64fe769c` | Critical |

### Certificates

Catch certificate-related issues and risks to prevent malicious compromise of internal resources.

| Finding type | FindingTypeID | Severity |
| -------------------------------------- | -------------------------------------- | -------- |
| ACM Certificate Expired | `30ce0a22-eb3d-457d-bc59-6468f9bb4c4f` | Critical |
| ACM Certificate Has Domain Wildcard | `d313bc0c-a2fb-41d8-b5a8-ef2704bb5570` | High |
| ACM Certificate Expires within 30 days | `cd93f2c1-9b07-4e6c-964c-79f3a64d56ac` | Medium |
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ sidebar:

You can integrate the following SaaS applications with Cloudflare CASB:

- [Amazon Web Services (AWS) S3](/cloudflare-one/applications/scan-apps/casb-integrations/aws-s3/)
- [Atlassian Confluence](/cloudflare-one/applications/scan-apps/casb-integrations/atlassian-confluence/)
- [Atlassian Jira](/cloudflare-one/applications/scan-apps/casb-integrations/atlassian-jira/)
- [Bitbucket Cloud](/cloudflare-one/applications/scan-apps/casb-integrations/bitbucket-cloud/)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,10 @@ sidebar:

import { GlossaryTooltip, Render } from "~/components";

:::note
:::note[Availability]
Available for all Zero Trust users.

Only available on Enterprise plans.
Free users can configure up to two CASB integrations. You must upgrade to an Enterprise plan to view the details of an individual finding instance.
:::

Cloudflare's API-driven Cloud Access Security Broker (CASB) scans SaaS applications for misconfigurations, unauthorized user activity, <GlossaryTooltip term="shadow IT" link="https://www.cloudflare.com/learning/access-management/what-is-shadow-it/">shadow IT</GlossaryTooltip>, and other data security issues that can occur after a user has successfully logged in.
Expand Down

0 comments on commit c587043

Please sign in to comment.