Public Access Guardrails
Overview
As the number of cloud resources in environments expands, it becomes
increasingly difficult to ensure a tight network perimeter. Public
Access Guardrails monitor cloud resources for possible misconfigurations, such
as exposed RDS instances or S3 buckets. Not only can the guardrail generate an
alarm for immediate action, it can take the action itself (in the RDS example,
sets the attribute PubliclyAccessible
on an RDS instance to False
.)
To Guardrails, a resource is public if it shared in such a way that anyone can access it - it is not restricted to a discrete list of entities, or from a limited network boundary. Additionally, many cloud resources, such as the RDS instance, have an attribute that can be toggled to allow or block public access.
The core Public Access policy has a consistent form:
{Provider} > {service} > {resource} > Publicly Accessible
AWS > Redshift > Cluster > Publicly Accessible
AWS > RDS > DB Instance > Publicly Accessible
The basic form of the above policies is as follows:
SkipCheck: {resource} is not publicly accessibleEnforce: {resource} is not publicly accessible
# AWS > Redshift > Cluster > Cluster Publicly Accessible - Skip - Check: Cluster is not publicly accessible - Enforce: Cluster is not publicly accessible
Example: Enforce all RDS instances to be not publicly accessible
RDS instances have a option Publicly Accessible attribute that can be set to
Publicly Accessible
at any time. In this example, we want to ensure that no
RDS instance is set to Publicly Accessible
, and if it is, change the value
from Publicly Accessible
to Not Publicly Accessible
.
Set the following policy at a level where RDS instances have the setting, either at a high level so that instances inherit the policy definition or at the RDS instance level itself:
- AWS > RDS > DB Instance > Publicly Accessible set to
Enforce: DB Instance is not publicly accessible
.
When Guardrails discovers a RDS instance, the PubliclyAccessible
will be checked.
If that attribute is set to True
, Guardrails will modify the value to False
with
no human action required!
S3 Public Access Block
S3 accounts and buckets have
Public Access Block
settings
that Guardrails can check for misconfigurations. Administrators can choose to change
the configurations to that which is approved, or simply alarm. In this example,
all public access settings are configured to true.
Account Settings
Set the policy AWS > S3 > Account > Public Access Block
to
Check: Per 'Public Access Block > Settings'
Set the policy AWS > S3 > Account > Public Access Block > Settings
to the
following:
- "Block Public ACLs"- "Block Public Bucket Policies"- "Ignore Public ACLs"- "Restrict Public Bucket Policies"
Bucket Settings
Set the policy AWS > S3 > Bucket > Public Access Block
to
Check: Per 'Public Access Block > Settings'
Set the policy AWS > S3 > Bucket > Public Access Block > Settings
to the
following:
- "Block Public ACLs"- "Block Public Bucket Policies"- "Ignore Public ACLs"- "Restrict Public Bucket Policies"