Skip to main content
All CollectionsControl Tests
Test: Cloud Data Storage Exposure
Test: Cloud Data Storage Exposure

Drata inspects the cloud data storage access configuration(s) to determine if read/write access is configured to restrict public access.

Ashley Hyman avatar
Written by Ashley Hyman
Updated over a week ago

ASSOCIATED DRATA CONTROL

This test is part of the Cloud Data Storage Restricted control that ensures read/write access to cloud data storage is configured to restrict public access.

WHAT TO DO IF A TEST FAILS

If Drata finds that you have one or more publicly exposed cloud data stores the test will fail. With a failed test you will receive a list of cloud data store names that are publicly exposed.

To remediate a failed test you will need to update you access configuration(s) to block public access to the exposed cloud data stores.

STEPS FOR PASSING

To ensure a validated state when testing that restricted access has been applied to cloud data storage, please follow the steps listed in the table below. Once the provider steps have been completed, navigate back to Drata and execute the test.

Provider / Technology

Provider Steps

AWS - S3

New bucket creation

  1. Within AWS, go to the S3 service

  2. Click the "Create bucket" button

  3. Check the "Block all public access" box under the "Block Public Access settings for this bucket" section

  4. Save the bucket

Edit existing bucket

  1. Within AWS, go to the S3 service

  2. Click on the bucket name

  3. Click on the "Permissions" tab

  4. Under the "Block public access (bucket settings)" section, ensure that "Block all public access" is set to "On"

    1. If not, click "Edit," and check the box for "Block all public access"

    2. Click "Save changes"

NOTE: Currently the account-level setting for "block public access" is not supported.

Azure - Storage Accounts

  1. Within Azure, go to Storage accounts service

  2. Click on the Create icon

    1. Set subscription

    2. Set resource group - Create or select an existing

    3. Add instance details - Add any name and any location

  3. Click on Review + create button

  4. Click on Create button

  5. Click on the storage account name

  6. Click on the Containers CTA (under Data storage)

  7. Click on the Containers plus icon

    1. Add a name

    2. Set public access level:
      - Blob is (Public)
      - Container is (Public)

  8. Click on the create button

To verify the container's public access level:

  1. Click on the Containers tab

  2. Click the three-dot icon to the far right of the given container

  3. Click Change access level

  4. Change the access to Private

  5. Click on the OK button

To verify the Network Access level go to the storage account and click on Networking from the left menus:

  1. Navigate to Networking

  2. Allow access from "Selected networks"

  3. In the Firewall section - Click on Add your client IP address

  4. Enter the client IP address

  5. Click on the Save icon

Note: the following container and storage account levels will pass the test successfully:

  • Public Account + Private Container (for that container only)

  • Private Account + Public Container (for the whole account)

  • Private Account + Private Container (for the whole account)

Digital Ocean - Spaces

  1. Within Digital Ocean, create a new space

  2. Restrict File Listing

When connecting Digital Ocean within Drata please follow the "connect with spaces" flow.

GCP - Storage

  1. Within GCP, go to Storage service

  2. Create a Bucket

  3. Choose a Location type (any)

  4. Choose a default storage class for your data (any)

  5. Choose how to control access to objects

    1. Access control

      1. Fine-grained is recommended

      2. If you want to use "Uniform," you must also check the box for "Enforce public access prevention on this bucket"

  6. Click on Create button

  7. Click on the Permissions tab

  8. Ensure that allUsers and allAuthenticatedUsers are not on the list

  9. Click on Add button

  10. Add users as needed, but ensure that allUsers and allAuthenticatedUsers are not added

HELPFUL RESOURCES

Did this answer your question?