ASSOCIATED DRATA CONTROL
This test is part of the Threat Detection System control. A threat detection system is in place to monitor web traffic and suspicious activity. When anomalous traffic activity is identified, alerts are automatically sent to personnel, investigated, and escalated through the incident management process, if necessary.
WHAT TO DO IF A TEST FAILS
If Drata finds that you have one or more publicly exposed cloud data stores, the test will fail. With a failed test you will receive a list of cloud data store names that are publicly exposed.
To remediate a failed test, you will need to update your access configuration(s) to block public access to the exposed cloud data stores.
STEPS FOR PASSING
To ensure a validated state when testing that restricted access has been applied to cloud data storage, follow the steps that are related to your provider listed below.
Once the provider steps have been completed, navigate back to Drata and execute the test.
AWS - S3
New bucket creation:
Within AWS, go to the S3 service.
Click the "Create bucket" button.
Check the "Block all public access" box under the "Block Public Access settings for this bucket" section.
Save the bucket.
Edit existing bucket:
Within AWS, go to the S3 service.
Click on the bucket name.
Click on the "Permissions" tab.
Under the "Block public access (bucket settings)" section, ensure that "Block all public access" is set to "On".
If not, click "Edit," and check the box for "Block all public access".
Click "Save changes".
NOTE: Currently the account-level setting for "block public access" is not supported.
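The console steps above tick one checkbox that turns on all four S3 Block Public Access settings. The following is an added example, not Drata's code, that does the same per bucket with boto3 and then verifies the result; boto3 is imported only in the stand-alone entry point, the client is passed in so the logic can be checked without AWS, and the bucket name is a placeholder.

```python
# Added example (not Drata's code): applies and verifies the four S3 Block
# Public Access flags that the console's "Block all public access" box sets.
# The bucket name used at the bottom is a placeholder.

ALL_BLOCKED = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_access_fully_blocked(config: dict) -> bool:
    """True only when all four flags are on. One missing or False flag is
    enough to leave a route to exposure (for example a public bucket policy
    when BlockPublicPolicy is off), so anything short of all four fails."""
    return all(config.get(flag) is True for flag in ALL_BLOCKED)


def get_bucket_block_config(s3, bucket: str) -> dict:
    """Read the bucket's PublicAccessBlock configuration. A bucket that has
    never had one configured blocks nothing; S3 reports that with the error
    code NoSuchPublicAccessBlockConfiguration, which is mapped to {} here."""
    try:
        resp = s3.get_public_access_block(Bucket=bucket)
    except Exception as err:  # botocore ClientError in practice
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchPublicAccessBlockConfiguration":
            return {}
        raise
    return resp["PublicAccessBlockConfiguration"]


def block_public_access(s3, bucket: str) -> None:
    """Same effect as ticking "Block all public access" on the Permissions tab."""
    s3.put_public_access_block(
        Bucket=bucket, PublicAccessBlockConfiguration=ALL_BLOCKED
    )


def remediate_bucket(s3, bucket: str) -> bool:
    """Apply the block only if needed; return whether the bucket is now
    fully blocked, read back from S3 rather than assumed."""
    if not public_access_fully_blocked(get_bucket_block_config(s3, bucket)):
        block_public_access(s3, bucket)
    return public_access_fully_blocked(get_bucket_block_config(s3, bucket))


if __name__ == "__main__":
    import boto3  # credentials and region come from the environment

    client = boto3.client("s3")
    print(remediate_bucket(client, "example-bucket-placeholder"))
```

Note that this is the bucket-level setting only, matching the NOTE above that the account-level setting is not what the test reads.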
Azure - Storage Accounts
Note: For Azure storage accounts, the test will verify the following:
1. Whether allowBlobPublicAccess is set to false for each storage account. If the allowBlobPublicAccess flag is missing, it will be assumed as true.
2. Whether networkRuleSet.defaultAction is not set to ALLOW for each storage account.
If a storage account does not pass either point 1 or point 2, the test will check if publicAccess is set to NONE for each storage container.
Within Azure, go to Storage accounts service.
Click on the Create icon.
Set subscription.
Set resource group - Create or select an existing.
Add instance details - Add any name and any location.
Click on Review + create button.
Click on Create button.
Click on the storage account name.
Click on the Containers CTA (under Data storage).
Click on the Containers plus icon.
Add a name.
Set public access level:
- Blob is (Public).
- Container is (Public).
Click on the create button.
To verify the container's public access level:
Click on the Containers tab.
Click the three-dot icon to the far right of the given container.
Click Change access level.
Change the access to Private.
Click on the OK button.
To verify the Network Access level, go to the storage account and click on Security + networking in the left menu:
Navigate to Networking.
Under "Allow access from", select "Enabled from selected virtual networks and IP addresses".
In the Firewall section - Click on Add your client IP address.
Enter the client IP address.
Click on the Save icon.
The following container and storage account levels will pass the test successfully:
Public Account + Private Container (for that container only)
Private Account + Public Container (for the whole account)
Private Account + Private Container (for the whole account)
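The note at the top of this section gives the two account-level conditions and the container fallback, and the table above gives the resulting pass/fail combinations. The following added example, not Drata's code, implements that logic over constructed storage-account records so the combinations can be checked side by side. Field names follow the note (allowBlobPublicAccess, networkRuleSet.defaultAction, publicAccess); the "containers" key, the case-insensitive comparison of the string values, and treating a missing container publicAccess as exposed are assumptions made for this example.

```python
from __future__ import annotations

# Added example (not Drata's code): evaluates storage accounts the way the
# note above describes. Record shape and all sample values are constructed.


def account_is_private(account: dict) -> bool:
    """Point 1 and point 2 from the note; both must hold."""
    # Point 1: allowBlobPublicAccess must be explicitly False. A missing flag
    # is assumed true (public), exactly as the note states.
    blob_public_allowed = account.get("allowBlobPublicAccess", True)
    # Point 2: the network default action must not be ALLOW. Compared
    # case-insensitively (assumption) because the portal spells it "Allow".
    default_action = str(
        account.get("networkRuleSet", {}).get("defaultAction", "")
    ).upper()
    return blob_public_allowed is False and default_action != "ALLOW"


def container_is_private(container: dict) -> bool:
    """publicAccess must be NONE. A missing value is treated as exposed
    (conservative assumption for this example)."""
    return str(container.get("publicAccess", "")).upper() == "NONE"


def find_exposed_azure_stores(accounts: list[dict]) -> list[str]:
    """Return the 'account/container' names a failed test would list."""
    exposed = []
    for account in accounts:
        if account_is_private(account):
            # Private account: passes for the whole account, so container
            # settings are not consulted (rows 2 and 3 of the table above).
            continue
        # Public account: each container stands or falls on its own
        # publicAccess (row 1 of the table above).
        for container in account.get("containers", []):
            if not container_is_private(container):
                exposed.append(f"{account['name']}/{container['name']}")
    return exposed


# Constructed sample data covering each row of the table above.
SAMPLE_ACCOUNTS = [
    {   # public account: blob public access allowed and network open
        "name": "publicacct",
        "allowBlobPublicAccess": True,
        "networkRuleSet": {"defaultAction": "Allow"},
        "containers": [
            {"name": "logs", "publicAccess": "None"},    # passes on its own
            {"name": "assets", "publicAccess": "Blob"},  # exposed
        ],
    },
    {   # private account: the public container no longer matters
        "name": "privateacct",
        "allowBlobPublicAccess": False,
        "networkRuleSet": {"defaultAction": "Deny"},
        "containers": [{"name": "web", "publicAccess": "Container"}],
    },
    {   # flag missing -> assumed true -> account counts as public
        "name": "legacyacct",
        "networkRuleSet": {"defaultAction": "Deny"},
        "containers": [
            {"name": "data", "publicAccess": "None"},
            {"name": "dump", "publicAccess": "Container"},  # exposed
        ],
    },
]

if __name__ == "__main__":
    for name in find_exposed_azure_stores(SAMPLE_ACCOUNTS):
        print("exposed:", name)
```

The third sample account is the case that most often surprises people: the network rule is restrictive, but because allowBlobPublicAccess is absent it is assumed true, so the account is judged public and its containers are checked one by one.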
Digital Ocean - Spaces
Within Digital Ocean, create a new space.
Restrict File Listing.
When connecting Digital Ocean within Drata, please follow the "connect with spaces" flow.
GCP - Storage
Within GCP, go to Storage service.
Create a Bucket.
Choose a Location type (any).
Choose a default storage class for your data (any).
Choose how to control access to objects.
Access control
Fine-grained is recommended.
If you want to use "Uniform," you must also check the box for "Enforce public access prevention on this bucket".
Click on Create button.
Click on the Permissions tab.
Ensure that allUsers and allAuthenticatedUsers are not on the list.
Click on Add button.
Add users as needed, but ensure that allUsers and allAuthenticatedUsers are not added.
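The GCP steps come down to two checks: no binding in the bucket's IAM policy may name allUsers or allAuthenticatedUsers, and, for the "Uniform" option, public access prevention must be enforced. The following added example, not Drata's or Google's code, performs both over constructed documents: the policy follows the JSON shape that `gsutil iam get gs://BUCKET` prints (bindings with role and members), and the bucket record follows the JSON API bucket resource, where the setting lives at iamConfiguration.publicAccessPrevention. Sample values are constructed.

```python
from __future__ import annotations

# Added example (not Drata's or Google's code): finds public principals in a
# bucket IAM policy, produces a cleaned copy, and checks public access
# prevention. The sample policy and bucket record below are constructed.

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: dict) -> list[tuple[str, str]]:
    """(role, member) pairs that grant any role to a public principal."""
    return [
        (binding["role"], member)
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if member in PUBLIC_PRINCIPALS
    ]


def without_public_principals(policy: dict) -> dict:
    """Copy of the policy with allUsers/allAuthenticatedUsers removed. A
    binding left with no members is dropped entirely; etag and version are
    carried over so the copy can be written back as-is."""
    cleaned = dict(policy)
    cleaned["bindings"] = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if members:
            cleaned["bindings"].append({**binding, "members": members})
    return cleaned


def public_access_prevention_enforced(bucket: dict) -> bool:
    """True when the bucket has publicAccessPrevention == "enforced" (the
    checkbox from the "Uniform" step above). "inherited" or a missing field
    is not counted as enforced, since the effective value then depends on
    an org policy this record does not show."""
    iam_cfg = bucket.get("iamConfiguration", {})
    return iam_cfg.get("publicAccessPrevention") == "enforced"


# Constructed sample: two public grants mixed in with legitimate ones.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "user:alice@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["group:ops@example.com"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["allAuthenticatedUsers"]},
    ],
    "etag": "CAE=",
    "version": 1,
}

# Constructed sample: uniform access on, but prevention only inherited.
SAMPLE_BUCKET = {
    "name": "example-bucket",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True},
        "publicAccessPrevention": "inherited",
    },
}

if __name__ == "__main__":
    for role, member in public_bindings(SAMPLE_POLICY):
        print(f"public grant: {member} -> {role}")
    print("prevention enforced:", public_access_prevention_enforced(SAMPLE_BUCKET))
```

allAuthenticatedUsers is easy to overlook because it looks like a restriction; it covers any Google account at all, which is why the steps above treat it exactly like allUsers.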