Amazon’s object storage service, S3, was one of the key drivers behind the cloud revolution and has brought us everything from Pinterest to COVID-19 case tracking. As a key-value store, S3 offers object storage for gathering massive amounts of unstructured or semi-structured data for websites, mobile applications, and whatever else businesses require. This high-level and generic storage structure provides users enormous flexibility. However with this flexibility comes increased security risks for misconfigured S3 buckets (e.g. buckets that are accessible to the public internet) and over-privileged IAM roles that often lead to insider data thefts.
As more companies embrace data democratization, the increased reliance on S3 means that more and more employees need varying levels of access to buckets, folders and files – resulting in a number of severe challenges.
- To support critical business use cases (e.g. on-call engineers and customer support staff needing temporary access to S3 buckets), how do companies automate these temporary access workflows without compromising security?
- As more and more employees need varying levels of access to buckets, how do companies reduce the IAM role sprawl?
- How can companies apply granular access policies for S3 based on SSO groups that are managed by Identity Providers like Okta?
- How can companies provide an intuitive, easy-to-use interface for browsing S3 content that caters to non-technical users?
- How can companies track user activity to identify which data and files users access?
To address these critical challenges, Cyral recently announced the general availability of the Cyral S3 Browser, which is accessible from the same control plane that centralizes access to databases and data lakes.
- For users, a one-click login experience using SSO can be used to access an intuitive, easy-to-use interface to browse through S3 buckets and to access S3-related functions like search, filter, upload, download, and delete.
- Administrators, on the other hand, can reduce IAM role sprawl by enforcing access policies for S3 based on SSO groups. Cyral’s access policies can supplement AWS IAM role permissions with more granular controls like limiting the number of download requests by one user in a fixed period or limiting the volume of files requested in one transaction. More importantly, administrators can eliminate standing access to S3 for non-admin data users by leveraging Cyral’s Just-In-Time Access workflows that are tightly integrated with Slack to automate temporary access requests and approvals. Lastly, administrators can have full visibility into user activity within S3 in order to detect suspicious behavior and to accelerate response to audits.
Here’s a breakdown of the challenges that companies face with S3 access and how Cyral’s S3 Browser addresses these challenges.
| Challenge | Cyral’s Solution |
| Reduce the IAM role sprawl | Cyral governs access to S3 by matching SSO groups to IAM roles. With this approach, companies can maintain as few as one or two IAM roles and enforce granular access policies for S3 based on SSO groups. |
| Eliminate standing access to S3 for non-admin data users | Cyral’s Just-In-Time Access workflows that are tightly integrated with Slack automate temporary access requests and approvals for S3. |
| Apply rate-limiting controls to reduce the risk of insider data thefts | Cyral’s access policies supplement AWS IAM role permissions with more granular controls like limiting the number of download requests by one user in a fixed period or limiting the volume of files requested in one transaction. |
| Provide an intuitive interface for browsing S3 for non-technical users | For users, a one-click login experience using SSO can be used to access an intuitive, easy-to-use interface to browse through S3 buckets and to access S3-related functions like search, filter, upload, download, and delete. |
| Obtain consistent visibility into user activity within S3 | Cyral provides full visibility into user activity within S3 in order to detect suspicious behavior and to accelerate response to audits. |
Depending on the company’s use case, S3 user permissions can be managed in either Cyral or AWS. For companies that are expecting their bucket and folder structure to stay consistent and are looking to align S3 permissions with SSO Groups, then managing S3 permissions in Cyral would be ideal. For companies that are expecting their bucket structure to change frequently and are looking to manage access permissions on an individual basis rather than by group policy, then managing S3 permissions in AWS may be more appropriate.
Here’s an example where role specific permissions for S3 are governed by AWS.
Here’s an example where role specific permissions for S3 are governed by Cyral. In this example, only two IAM roles will be maintained in AWS – one for on-call (or temporary access) and another for administrators.
Cyral’s access policies are written in simple YAML files. With this security-as-code approach, companies can embrace shift-left security practices leveraging GitOps-ready policies that can integrate with CI/CD and keep up with the fast rate of change in development. In the following policy example for the SSO Group “Engineer”, read/update/delete access is granted for all “PUBLIC_BUCKETS” but no access whatsoever is granted for “PATIENT_PII” and “COMPENSATION” buckets.
If your company is looking to eliminate standing access to S3 for non-admin data users and establish consistent security controls across all your data endpoints, request a demo or check out our free trial.
