As of 12/10/2018, CloudSploit Events now supports the following S3 bucket events:


S3:PutBucketAcl
S3:PutBucketPolicy
S3:DeleteBucketEncryption


When CloudTrail records one of the above events, CloudSploit receives a copy of the original event for analysis. CloudSploit then reviews the event for security concerns, such as a public read or write ACL being added, and triggers a WARN or FAIL result depending on the severity. You can subscribe to these events using Event Routings, which enable email-based and third-party integrations.
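The kind of review described above, as an added example that is not CloudSploit's own code: a grader for the three CloudTrail event types that flags public ACL grants, anonymous bucket-policy principals and removed default encryption. The severity rule (public write access is FAIL, public read or removed encryption is WARN) and the sample records are assumptions for illustration.

```python
import json

# Grantee URIs that make an ACL grant readable or writable by anyone.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    # Policy fields may be a single string/dict or a list; normalise to a list.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def grade_s3_event(event):
    """Classify one CloudTrail S3 record as OK, WARN or FAIL (severity rule assumed)."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName", "<unknown>")
    if name == "PutBucketAcl":
        acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
        for grant in _as_list(acl.get("Grant")):
            if (grant.get("Grantee") or {}).get("URI") in PUBLIC_GRANTEES:
                perm = grant.get("Permission")
                level = "FAIL" if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL") else "WARN"
                return level, f"{bucket}: public ACL grant {perm}"
        return "OK", f"{bucket}: ACL changed without public grants"
    if name == "PutBucketPolicy":
        policy = params.get("bucketPolicy") or {}
        if isinstance(policy, str):  # the policy may be logged as a JSON string
            policy = json.loads(policy)
        for stmt in _as_list(policy.get("Statement")):
            principal = stmt.get("Principal")
            anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
            if stmt.get("Effect") == "Allow" and anonymous:
                actions = _as_list(stmt.get("Action"))
                writes = any(a == "s3:*" or a.startswith(("s3:Put", "s3:Delete")) for a in actions)
                return ("FAIL" if writes else "WARN"), f"{bucket}: policy grants {actions} to everyone"
        return "OK", f"{bucket}: policy changed without anonymous principal"
    if name == "DeleteBucketEncryption":
        return "WARN", f"{bucket}: default encryption removed"
    return "OK", f"{bucket}: {name} not monitored"

# Constructed sample records shaped like CloudTrail S3 entries (not real captures).
SAMPLE_EVENTS = [
    {"eventName": "PutBucketAcl", "requestParameters": {"bucketName": "example-logs",
     "AccessControlPolicy": {"AccessControlList": {"Grant": [{"Permission": "READ",
      "Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}}}},
    {"eventName": "PutBucketPolicy", "requestParameters": {"bucketName": "example-site",
     "bucketPolicy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-site/*"}]})}},
    {"eventName": "DeleteBucketEncryption", "requestParameters": {"bucketName": "example-data"}},
]

def grade_all(events=SAMPLE_EVENTS):
    return [grade_s3_event(e) for e in events]
```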


S3 bucket ACLs and policies are an often-overlooked yet critical aspect of S3 security. Misconfigured bucket ACLs have led to numerous high-profile security events over the last few years. By monitoring for the above events, CloudSploit can now alert you as soon as you, someone on your team, or even a malicious actor makes changes to your bucket ACL or policy.


CloudSploit's traditional background scans have supported ACL and policy review since the middle of 2018. This change adds real-time detection of modifications to those ACLs and policies.


Updating CloudSploit Events to Support S3 Events


If you have not yet deployed CloudSploit Events in your AWS account, you may do so via: https://console.cloudsploit.com/precheck


If you have already deployed CloudSploit Events, you must update the "cloudsploit-events" CloudFormation template to begin receiving these new event types. Follow the steps below:


1. Log into your AWS CloudFormation console and locate the "cloudsploit-events" template.

2. Click "Update Stack."

3. Use the following S3 stack URL: https://s3.amazonaws.com/console.cloudsploit.com/other/cloudformation-template-events.json

4. Do not change any parameters.

5. Update the stack.


After the update, you should begin seeing the above S3 event types in your CloudSploit Event stream. You can use Routings to receive notifications when these event types trigger a security alert.


If you have any questions, please contact our support team.