Latest research, product updates and best practices on staying secure in the cloud | Permiso

BucketShield: Track Log Flow, Secure Buckets, Simulate Threats – All in One Open-Source Tool

Written by Enisa Hoxhaxhiku | Nov 5, 2024 4:30:13 PM

Introduction

In today’s cloud-powered world, keeping your logs secure and intact is more important than ever. AWS CloudTrail serves as the backbone for tracking all activities across your cloud environment, but simply enabling it isn't enough. Without proactive monitoring, gaps can appear, leaving your environment vulnerable to unnoticed changes or missing logs. That’s where BucketShield comes in.

What is BucketShield?

BucketShield is a monitoring and alerting system built for AWS S3 buckets and CloudTrail logs. It solves a critical problem many organizations face: ensuring the consistent flow of logs from AWS services into S3 buckets and mitigating potential misconfigurations that could interrupt log collection. With real-time tracking of CloudTrail Trails, S3 Bucket settings and KMS Key configurations, BucketShield ensures that every critical event is recorded and your cloud remains audit-ready.

How Does BucketShield Work?

BucketShield operates through three core components:

  1. CloudTrail Log Monitoring: Detects issues such as:
     
    • Stop logging events.
    • Misconfigured event selectors.
    • Trail deletion and updating events.
  2. S3 Bucket Monitoring:
     
    • Tracks bucket policy changes, unauthorized access, or bucket deletions.
    • Identifies whether bucket policies are overly permissive, which could lead to compliance issues.
  3. KMS Key Monitoring:
     
    • Checks for issues like disabled KMS keys or ineffective permissions that could block log encryption or decryption.

 

Key Modules of BucketShield

BucketShield is designed with a dual-layer approach, focusing on both offensive (attack) and defensive (defend) capabilities.

This allows organizations not only to identify potential vulnerabilities but also to respond swiftly to misconfigurations and attacks targeting their S3 buckets and CloudTrail logs.

1. Attack Module

The Attack Module simulates potential attacks on your AWS environment to highlight weaknesses and blind spots.

Key functionalities of the Attack Module include:

  • Simulated Trail Deletion: Tests whether the system alerts users to unauthorized deletion of CloudTrail logs.
  • Policy Misuse Detection: Identifies any misconfigurations or overly permissive IAM roles that could grant unintended access.
  • Simulated Stop Logging Events: Checks the response to log suspension, ensuring alerting mechanisms are properly configured.
  • Bucket Permissions Testing: Ensures that unauthorized access attempts are logged and monitored via simulated attacks.

2. Defend Module

The Defend Module focuses on monitoring, detection, and mitigation. It ensures that your AWS infrastructure is continuously protected against misconfigurations, log failures, and suspicious activities.

Key functionalities of the Defend Module include:

  • Continuous CloudTrail Log Monitoring: Ensures that all logs are flowing into the correct S3 buckets without interruption.
  • S3 Bucket Policy Validation: Monitors bucket policies and alerts if they become too permissive or are modified improperly.
  • KMS Key Monitoring: Tracks the status of KMS keys to ensure they are enabled and permissions are effective, preventing encryption issues.
  • IAM Policy Enforcement: Continuously checks if IAM roles maintain the correct level of access and prevents unauthorized modifications.
  • Finding Generator: Documents finding details after detecting changes made to CloudTrail Trails, S3 Buckets and KMS Keys.

How to Use BucketShield

Using BucketShield is straightforward:

  1. Set up CloudTrail: Ensure your AWS CloudTrail is configured to forward logs to an S3 bucket.

  2. Install BucketShield: Deploy BucketShield on your preferred environment (MacOS, Linux or Windows).

     

     

     

    Invocation of IDENTIFY module to enumerate in-scope resources.

  3. Configure IAM Roles and Permissions: Ensure the IAM roles assigned have the necessary permissions to monitor CloudTrail, KMS, and S3.

  4. Start Monitoring: Run the tool and monitor the status of logs and configurations in real time.

     

     

    Invocation of FLOWLOGS module to list most recent event in each configured S3 Bucket.

     

    Invocation of DETECT module to search the CloudTrail API for dangerous events affecting resources in the configuration file.

Get Started with BucketShield Today

You can get BucketShield on GitHub: https://github.com/Permiso-io-tools/BucketShield