In today’s cloud-powered world, keeping your logs secure and intact is more important than ever. AWS CloudTrail serves as the backbone for tracking all activities across your cloud environment, but simply enabling it isn't enough. Without proactive monitoring, gaps can appear, leaving your environment vulnerable to unnoticed changes or missing logs. That’s where BucketShield comes in.
BucketShield is a monitoring and alerting system built for AWS S3 buckets and CloudTrail logs. It solves a critical problem many organizations face: ensuring the consistent flow of logs from AWS services into S3 buckets and mitigating potential misconfigurations that could interrupt log collection. With real-time tracking of CloudTrail Trails, S3 Bucket settings and KMS Key configurations, BucketShield ensures that every critical event is recorded and your cloud remains audit-ready.
BucketShield operates through three core components:
BucketShield is designed with a dual-layer approach, focusing on both offensive (attack) and defensive (defend) capabilities.
This allows organizations not only to identify potential vulnerabilities but also to respond swiftly to misconfigurations and attacks targeting their S3 buckets and CloudTrail logs.
The Attack Module simulates potential attacks on your AWS environment to highlight weaknesses and blind spots.
Key functionalities of the Attack Module include:
The Defend Module focuses on monitoring, detection, and mitigation. It ensures that your AWS infrastructure is continuously protected against misconfigurations, log failures, and suspicious activities.
Key functionalities of the Defend Module include:
Using BucketShield is straightforward:
1. Set up CloudTrail: Ensure your AWS CloudTrail is configured to forward logs to an S3 bucket.
2. Install BucketShield: Deploy BucketShield on your preferred environment (macOS, Linux or Windows).
[Figure: Invocation of the IDENTIFY module to enumerate in-scope resources.]
3. Configure IAM Roles and Permissions: Ensure the IAM roles assigned have the necessary permissions to monitor CloudTrail, KMS, and S3.
4. Start Monitoring: Run the tool and monitor the status of logs and configurations in real time.
[Figure: Invocation of the FLOWLOGS module to list the most recent event in each configured S3 bucket.]
[Figure: Invocation of the DETECT module to search the CloudTrail API for dangerous events affecting resources in the configuration file.]
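The two checks the monitoring steps above describe (is the trail still delivering logs to a correctly configured S3 bucket and KMS key, and has anyone issued an API call that would interrupt that delivery) can be expressed in a few dozen lines. The block below is an added example written for this article, not BucketShield's own code; it works on dictionaries shaped like the responses of boto3's cloudtrail `describe_trails`, `get_trail_status` and `lookup_events` calls, the sample trail, status and event records are constructed, the watch-list of event names and the `check_trail` / `detect_tampering` function names are this example's own choices, and the optional live path only runs when invoked with `--live` and boto3 is installed.

```python
"""Added example: evaluate CloudTrail/S3/KMS trail configuration and scan
CloudTrail events for calls that can interrupt log delivery.

Not BucketShield's code. Record shapes mirror boto3 cloudtrail responses;
all sample data below is constructed for the example.
"""
import sys

# Defender watch-list (assumption: a practical, not exhaustive, set of API
# calls that stop, weaken or redirect CloudTrail log collection).
LOG_TAMPERING_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketLifecycle",
    "DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy",
}


def check_trail(trail, status):
    """Return findings for one describe_trails entry plus its get_trail_status."""
    findings = []
    if not status.get("IsLogging", False):
        findings.append("logging is stopped")
    if not trail.get("S3BucketName"):
        findings.append("no S3 bucket configured")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not KMS-encrypted")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("log file validation disabled")
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("trail is single-region")
    if status.get("LatestDeliveryError"):
        findings.append("delivery error: " + status["LatestDeliveryError"])
    return findings


def detect_tampering(events, watched_resources):
    """Return (event_name, username, touched_resources) for watched events that
    reference a configured resource name. An event in the watch-list that
    carries no Resources entry is reported too, since its scope is unknown."""
    hits = []
    for ev in events:
        if ev["EventName"] not in LOG_TAMPERING_EVENTS:
            continue
        names = {r.get("ResourceName") for r in ev.get("Resources", [])}
        touched = names & watched_resources
        if touched or not names:
            hits.append((ev["EventName"], ev.get("Username", "?"), sorted(touched)))
    return hits


# Constructed sample data (placeholder account id, names and ARNs).
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"
SAMPLE_TRAIL = {
    "Name": "org-trail", "TrailARN": TRAIL_ARN,
    "S3BucketName": "example-cloudtrail-logs", "KmsKeyId": None,
    "LogFileValidationEnabled": True, "IsMultiRegionTrail": True,
}
SAMPLE_STATUS = {"IsLogging": False, "LatestDeliveryError": ""}
SAMPLE_EVENTS = [
    {"EventName": "StopLogging", "Username": "alice",
     "Resources": [{"ResourceType": "AWS::CloudTrail::Trail", "ResourceName": TRAIL_ARN}]},
    {"EventName": "PutBucketPolicy", "Username": "bob",
     "Resources": [{"ResourceType": "AWS::S3::Bucket", "ResourceName": "example-cloudtrail-logs"}]},
    {"EventName": "GetObject", "Username": "carol",
     "Resources": [{"ResourceType": "AWS::S3::Bucket", "ResourceName": "example-cloudtrail-logs"}]},
    {"EventName": "ScheduleKeyDeletion", "Username": "dave",
     "Resources": [{"ResourceType": "AWS::KMS::Key",
                    "ResourceName": "arn:aws:kms:us-east-1:123456789012:key/unrelated-key"}]},
]
WATCHED = {TRAIL_ARN, "example-cloudtrail-logs"}


def run_live():
    """Optional: same checks against the caller's account via boto3."""
    import boto3  # only needed for the live path
    ct = boto3.client("cloudtrail")
    for trail in ct.describe_trails()["trailList"]:
        status = ct.get_trail_status(Name=trail["TrailARN"])
        print(trail["Name"], check_trail(trail, status) or ["ok"])
    events = ct.lookup_events(MaxResults=50)["Events"]
    watched = {t["TrailARN"] for t in ct.describe_trails()["trailList"]}
    for hit in detect_tampering(events, watched):
        print("tampering:", hit)


if __name__ == "__main__":
    if "--live" in sys.argv:
        run_live()
    else:
        print(check_trail(SAMPLE_TRAIL, SAMPLE_STATUS))
        print(detect_tampering(SAMPLE_EVENTS, WATCHED))
```

On the sample data the trail check reports that logging is stopped and that log files are not KMS-encrypted, and the event scan flags the StopLogging call against the trail and the PutBucketPolicy call against the log bucket while ignoring the read-only GetObject and the key deletion scheduled for an unrelated key. The live path needs only read permissions (cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:LookupEvents), which matches the least-privilege role the IAM step calls for.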
You can get BucketShield on GitHub: https://github.com/Permiso-io-tools/Bucket-Shield