Amazon Simple Storage Service
Version: AWS LogForwarder v1.0.10 and above.
Amazon Simple Storage Service (Amazon S3) is an object storage service that offers scalability, data availability, security, and performance. It provides management features to optimize, organize, and configure access to data and meet specific business, organizational, and compliance requirements.
Netsurion’s Open XDR platform seamlessly combines SIEM, Log Management, File Integrity Monitoring, machine analytics, and user behaviour monitoring. The dashboards, categories, alerts, and reports in Netsurion’s Open XDR platform help track critical activities, security warning activities, and others.
After configuring Amazon S3 to forward the logs to Netsurion’s Open XDR platform via syslog, configure the alerts, dashboards, and reports in the Netsurion Open XDR platform.
For a pre-integrated AWS instance, update the ETS AWS LogForwarder version to v1.0.10 or above.
The following are the key Data Source Integrations available in the Netsurion Open XDR platform.
Alerts
Type | Name | Description |
---|---|---|
Security | Amazon S3 – Bucket encryption disabled | This alert is triggered when an attempt is made to disable the server-side encryption on the S3 bucket. |
Security | Amazon S3 – Inventory configuration changes detected | This alert is triggered when an attempt is made to edit or delete the S3 inventory configuration. |
Security | Amazon S3 – Bucket ownership settings changed | This alert is triggered when an attempt is made to edit or delete the S3 bucket ownership settings. |
Security | Amazon S3 – Public access block settings changed | This alert is triggered when an attempt is made to edit or delete the S3 bucket public access settings. |
Security | Amazon S3 – Bucket replication detected | This alert is triggered when an attempt is made to change the bucket replication settings for S3. |
Security | Amazon S3 – Access points modified | This alert is triggered when an attempt is made to modify the access point settings for the S3 bucket. |
Security | Amazon S3 – Unauthorized bucket configuration access | This alert is triggered when multiple API calls are detected to access the details of the S3 bucket, which failed due to one or more errors. |
Security | Amazon S3 – New lifecycle policy added | This alert is triggered when a new lifecycle policy with a limited object expiration period is added for the S3 bucket, which may supersede existing policies. |
Security | Amazon S3 – Bucket policy changed | This alert is triggered when activities related to modifications in the S3 bucket policy are detected, based on the request of a privileged user. |
Reports
Type | Name | Description |
---|---|---|
Security | Amazon S3 – Unauthorized user activities | This report gives details of the specific actions carried out related to the S3 service, which failed due to one or more errors related to access management or data misconfiguration. |
Security | Amazon S3 – Activity overview | This report gives the details of all the actions carried out related to S3 service. It provides details like the action name, the activity initiated time, the individual who performed it, and other information related to the application and the user. |
Security | Amazon S3 – Bucket level activity | This report gives the details of all the actions carried out in the S3 service. It gives information about the action name, the time it was initiated, the individual who performed it, including other details related to the application and the user. |
Dashboards
Type | Name | Description |
---|---|---|
Security | Amazon S3 – Critical activities | This dashlet provides information about any critical or sensitive actions carried out related to the S3 service. |
Security | Amazon S3 – Configuration changes by IP | This dashlet provides the details of the WRITE actions related to S3 bucket configuration mapped to the IP addresses of the users. |
Security | Amazon S3 – Failed API calls | This dashlet provides the details of any failed API calls, mapped to the user ARN, that occurred due to insufficient or unauthorized access. |
Documentation
The configuration details are consistent with the Netsurion Open XDR platform version 9.3 and later, and ETS AWS LogForwarder.
Download the How-to Guide and Integration Guide for configuration instructions and more information.