
Bucket Protection

Configuration Review

Currently this page just shows a list of all the buckets that your deployment of Classification for Amazon S3 has access to. In the future there will be the ability to scan/classify on demand and protect buckets so that new files are scanned/classified as they get added to a protected bucket.

Bucket Protection

The Bucket Protection table is a complete list of the buckets you have in your account or linked accounts and their current status. You will see all buckets across all regions within the account the console is running in as well as active linked accounts.

Protected Buckets Page


Notes

Notice that the Account identifier shows as Primary. This is the account you deployed the solution in. If you link accounts for cross-account scanning, buckets from those accounts will show the nickname you gave each linked account instead.


The bucket list is refreshed every 30 minutes in the background. If you have recently created new buckets or deleted existing ones, you can force a refresh with the Actions --> Refresh Buckets menu item at the top of the bucket list.


You may have noticed the Object Count and Total Size (GB) values for each bucket. These are not real-time numbers. They come from the CloudWatch daily storage metrics for S3 (BucketSizeBytes and NumberOfObjects), which Amazon reports only once per day, so the values you see are up to a day old. They are good enough to give you a feel for the size of a bucket, not an exact count of what a scan will process.

Bucket Attributes

We check certain bucket attributes to give you the information you need when setting up protection, so you may notice icons next to some bucket names. The two aspects we check now are public status and encryption status. We want you to know which buckets are public and how they are public. We also want to stop you from scanning a whole bucket of encrypted objects when we do not have permission to the key that decrypts them. Giving the AgentRole permission to use the key (kms:Decrypt, through the key policy or an IAM policy the key policy delegates to) resolves this.

  • Possibly public (lock icon): the bucket is capable of being public but is not actually public

    • Some of the Block Public Access settings are turned off, but there is no ACL or bucket policy that makes the bucket public
  • Truly public (lock icon): the bucket is actually public via an ACL or a bucket policy

    • Some of the Block Public Access settings are turned off and there is an ACL or a bucket policy that makes the bucket public
    • The tooltip gives you details on the ACL settings
  • KMS encryption, no permissions (key icon): KMS encryption is enabled on the bucket and the AgentRole does not have permission to the key

    Note

    You will not be able to turn on protection for a bucket or perform a Scan Existing if the AgentRole does not have permission to the key.

  • KMS encryption with permissions (key icon): KMS encryption is enabled on the bucket and the AgentRole does have permission to the key
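The following is an added example, not code from the Classification for Amazon S3 solution. It applies the rules above to constructed copies of the dicts that boto3 returns for get_public_access_block, get_bucket_acl, get_bucket_policy_status and get_bucket_encryption, so it runs offline. It refines the page's wording slightly in the way S3 itself evaluates the settings: a public ACL only counts when IgnorePublicAcls is off, and a public bucket policy only counts when RestrictPublicBuckets is off. Whether the AgentRole can use the KMS key is passed in as a boolean; how the solution performs that check is not stated on this page and is an assumption here.

```python
"""Classify S3 buckets the way the Bucket Attributes section describes.

Added example; not the solution's own code. Inputs are constructed copies of
boto3 responses (get_public_access_block, get_bucket_acl,
get_bucket_policy_status, get_bucket_encryption). The AgentRole's kms:Decrypt
access is passed in as a boolean because the page does not say how the
solution checks it.
"""
from dataclasses import dataclass
from typing import Optional

# Grantee URIs that make an ACL grant "public".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


@dataclass
class BucketAttributes:
    public: str      # "not public" | "possibly public" | "truly public"
    encryption: str  # "none" | "sse-s3" | "kms-with-permissions" | "kms-no-permissions"

    def protection_allowed(self) -> bool:
        # The Note above: no protection or Scan Existing without key access.
        return self.encryption != "kms-no-permissions"


def _block_settings(public_access_block: Optional[dict]) -> dict:
    # A bucket with no PublicAccessBlock configuration at all behaves as if
    # all four settings were off, so a missing response is treated that way.
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    return {k: bool(cfg.get(k, False))
            for k in ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")}


def _acl_is_public(acl: Optional[dict]) -> bool:
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            return True
    return False


def public_status(public_access_block, acl, policy_status) -> str:
    blocks = _block_settings(public_access_block)
    # S3 ignores a public ACL when IgnorePublicAcls is on, and a public bucket
    # policy stops granting anonymous access when RestrictPublicBuckets is on.
    acl_effective = _acl_is_public(acl) and not blocks["IgnorePublicAcls"]
    policy_public = bool((policy_status or {}).get("PolicyStatus", {}).get("IsPublic"))
    policy_effective = policy_public and not blocks["RestrictPublicBuckets"]
    if acl_effective or policy_effective:
        return "truly public"
    if not all(blocks.values()):
        return "possibly public"
    return "not public"


def encryption_status(encryption: Optional[dict], agent_role_can_decrypt: bool) -> str:
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    algorithm = default.get("SSEAlgorithm")
    if algorithm is None:
        return "none"
    if algorithm == "AES256":
        return "sse-s3"
    # "aws:kms": scanning needs kms:Decrypt on KMSMasterKeyID for the AgentRole.
    return "kms-with-permissions" if agent_role_can_decrypt else "kms-no-permissions"


def classify(public_access_block, acl, policy_status, encryption,
             agent_role_can_decrypt=False) -> BucketAttributes:
    return BucketAttributes(
        public=public_status(public_access_block, acl, policy_status),
        encryption=encryption_status(encryption, agent_role_can_decrypt),
    )


# Constructed sample responses shaped like boto3 output (not real buckets).
ALL_BLOCKED = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
ACL_BLOCKS_OFF = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
ALL_USERS_READ = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
KMS_DEFAULT = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example"}}]}}

if __name__ == "__main__":
    samples = {
        "locked-down": (ALL_BLOCKED, PRIVATE_ACL, {"PolicyStatus": {"IsPublic": False}}, None, False),
        "acl-public": (ACL_BLOCKS_OFF, ALL_USERS_READ, None, KMS_DEFAULT, False),
        "no-bpa-config": (None, PRIVATE_ACL, None, KMS_DEFAULT, True),
    }
    for name, args in samples.items():
        attrs = classify(*args)
        print(f"{name:14} {attrs.public:16} {attrs.encryption:22} protect={attrs.protection_allowed()}")
```

The third sample is the case that surprises people: a bucket with no PublicAccessBlock configuration at all is reported as possibly public even though its ACL and policy are private, because nothing would stop a later ACL or policy change from exposing it.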

Every field in the table can be searched using the Search field at the top of the page. To see only the buckets in regions containing 'east', search for east. To see all buckets that have a particular piece of text in their name, type that piece of text. You can search for several things at once by separating them with a space: to see all the buckets in us-east-1 for the Production account, enter both terms with a space between them.

Special Search Terms

There are some hidden terms that can be searched on: public, encrypt, conflict, on/off.

Protection Status can be searched by either on or off, matching the toggle.
Bucket names that contain the letters on or off will also match and may throw the results off slightly. In that case, use the column sort on Protection Status instead.

Bucket conflicts can be found by entering the word conflict in the search field. This returns all the highlighted rows that reflect a potential event conflict.

Searching on public returns all buckets that have some public aspect to them, as described under Bucket Attributes above.

Searching on encrypt returns all buckets that have a KMS key associated with them and shows whether the AgentRole has access to the key, as described under Bucket Attributes above.

Additional Search Capabilities

We also provide the ability to search with a regular expression in the search field. This gives you the flexibility to narrow down exactly what you are looking for. Whereas a partial word in the Search field may return more rows than you want, a regex lets you pattern match more precisely.

Tip

Another useful capability is that you can aggregate several individual searches to build up a larger selected list. You can either write one potentially complex regex or run multiple simple searches and accumulate the selections.


Last update: May 17, 2022