Storage Bucket ASM Assets
Censys Attack Surface Management defines Storage Buckets as containers provided by a cloud object storage service. Censys Attack Surface Management uncovers buckets provided by Google Cloud Platform (GCP) and Amazon Simple Storage Service (S3).
The Storage Buckets page shows buckets that may be associated with your organization. Censys Attack Surface Management uses your organization’s DNS domain and subdomain names to power Internet-wide bucket discovery, uncovering assets that may be relevant to you.
You can use the Storage Buckets page to view discovered buckets and see if they belong to you or remediate risks for known buckets.
In this screen, you see a list of all the discovered Storage Buckets.
Default columns include:
- Cloud: The cloud storage provider hosting this bucket.
- Account ID (AWS specific): The AWS account associated with this bucket.
- Risks: The risk severity associated with this bucket’s configuration.
- Access: The access configuration for this bucket. Access levels include Readable, Writeable, and Editable Settings.
  - Readable: Contents of the bucket might be read publicly.
  - Writeable: Contents of the bucket might be editable.
  - Editable Settings: Anyone can edit the read/write settings for this bucket.
- Source: The source that uncovered this bucket. Sources include Cloud Connector, the integration provided by Censys to automatically identify your organization’s known buckets, and Censys Scan, the Censys method to discover potentially unknown buckets.
- Discovery Date: The date when this bucket was first discovered.
At the top of the page, you can use 3 filters to quickly see your important storage buckets.
Quick filters include:
- High Risk: Any storage buckets that have a risk severity of high.
- Buckets from Cloud Connector: Storage buckets that are identified by a cloud connector that your organization has deployed. If your organization has not deployed a cloud connector, this filter option is replaced by a banner with information regarding cloud connectors.
- Buckets from Censys Scan: Storage buckets that are identified by the Censys automated bucket discovery scan.
You can view additional columns with more information about your Storage Buckets by clicking Columns in the table header.
Additional columns include:
- Risk Names: A string representation of the risks associated with this bucket.
- Tags: Tags added to this asset.
You can export the Storage Buckets inventory as a comma separated value (CSV) sheet for use in other products and workflows. Click Download CSV in the right corner. The default filename is {timestamp}_{customerName}_ObjectStorageExport.csv. The columns in the CSV file reflect the columns shown in the table when exported.
Navigate the storage buckets list page by paginating, or by applying filters. You can select or exclude buckets from the list based on the following properties:
- Name: The name of the bucket.
- Cloud: The name of the cloud storage provider.
- Account ID (AWS specific): The AWS account ID associated with this bucket.
- Risk Names: The risk names associated with this bucket.
- Risk Severity: The risk severity associated with this bucket.
- Access: The level of access discovered for this bucket. Access levels include Readable, Writeable, and Editable Settings.
  - Readable: Contents of the bucket might be read publicly.
  - Writeable: Contents of the bucket might be editable.
  - Editable Settings: Anyone can edit the read/write settings for this bucket.
- Source: The source that uncovered this bucket. Sources include Cloud Connector, the integration provided by Censys to automatically identify your organization’s known buckets, and Censys Scan, the Censys method to discover potentially unknown buckets.
- Association Date: The date range, inclusive, for when this bucket was first discovered.
- Tag: Any tags applied to the asset.
Each bucket in the table links to a bucket details page with additional information.
In the Overview area of the page, general information about the bucket includes:
- Cloud: The name of the cloud storage provider.
- Account ID (AWS specific): The AWS account ID associated with this bucket, if known.
- Access: The access configuration for this bucket. Access levels include:
  - Discoverable: Buckets can be found but not viewed or altered.
  - Readable: Contents of the bucket might be read publicly.
  - Writeable: Contents of the bucket might be editable.
  - Editable Settings: Anyone can edit the read/write settings for this bucket.
- URL: The URL associated with this bucket.
- Region (AWS specific): The geographic location housing this bucket.
- Source: The source that uncovered this bucket. Sources include Cloud Connector, the integration provided by Censys to automatically identify your organization’s known buckets, and Censys Scan, the Censys method to discover potentially unknown buckets.
- Discovery Date: The date when this bucket was first discovered.
At the top of the Storage Bucket Details page, several buttons help you manage this bucket.
- Go to Access Controls (AWS specific): Clicking this button navigates to the AWS console used to manage this bucket.
- View Live: Clicking this button navigates your browser to the URL associated with this bucket.
- Remove: If, after investigation, you decide that you no longer want Censys Attack Surface Management to track this bucket for you, click Remove to remove it from your inventory. Buckets that are removed are visible on the Excluded Assets page.
You can use the storage buckets list page to conveniently manage risks associated with buckets that you own. You may find that a bucket you manage is unintentionally configured as Readable, Writeable, or with Editable Settings.
- Readable: Contents of the bucket can be read publicly.
- Writeable: Contents of the bucket can be edited.
- Editable Settings: Anyone can edit the read/write settings for this bucket.
To remediate risks associated with a bucket, click the bucket’s name to navigate to the details page.
Censys Attack Surface Management provides several workflows for remediating risks associated with a bucket. If this is an AWS S3 bucket that you have the credentials to manage, you can click Go to Access Controls in the upper-right corner of the screen to navigate directly to the AWS console used to manage this bucket.
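Before or after changing a bucket in the AWS console, it helps to confirm which of the access levels above the bucket's own ACL actually grants. The following is an added example, not Censys or AWS code; it assumes that Readable, Writeable and Editable Settings correspond to public READ, WRITE and WRITE_ACP grants on the bucket ACL (FULL_CONTROL implies all three), and it runs offline on a constructed GetBucketAcl response.

```python
# Added example: classify an S3 bucket ACL (the GetBucketAcl response shape)
# into the access levels used on the Storage Buckets page.
# Assumed mapping: READ -> Readable, WRITE -> Writeable, WRITE_ACP -> Editable Settings.
from typing import Dict, List

# Grantee group URIs that make a grant public (anyone, or any AWS account).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

PERMISSION_TO_LEVEL = {
    "READ": "Readable",
    "WRITE": "Writeable",
    "WRITE_ACP": "Editable Settings",
}


def public_access_levels(acl: Dict) -> List[str]:
    """Return the page's access levels implied by public grants in an ACL.

    Note: S3 Block Public Access, when enabled on the bucket or account,
    overrides these grants; this function classifies the ACL only.
    """
    levels = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue  # grants to the owner or specific accounts are not public exposure
        perm = grant.get("Permission")
        if perm == "FULL_CONTROL":
            levels.update(PERMISSION_TO_LEVEL.values())
        elif perm in PERMISSION_TO_LEVEL:
            levels.add(PERMISSION_TO_LEVEL[perm])
    return [lvl for lvl in PERMISSION_TO_LEVEL.values() if lvl in levels]


def live_bucket_access_levels(bucket_name: str) -> List[str]:
    """Same classification against a real bucket you manage (needs boto3 and credentials)."""
    import boto3  # imported here so the offline sample above runs without it
    return public_access_levels(boto3.client("s3").get_bucket_acl(Bucket=bucket_name))


# Constructed sample ACL: owner has FULL_CONTROL; AllUsers can list and edit the ACL.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE_ACP"},
    ],
}

if __name__ == "__main__":
    print(public_access_levels(SAMPLE_ACL))  # -> ['Readable', 'Editable Settings']
```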
If the risks associated with this bucket do not require immediate response, you can use Add Tag or Add Comment located near the top of the page to categorize or add a note to this bucket. This lets you and your team keep your inventory of buckets organized and secure.
Storage Buckets are correlated to your organization’s DNS domain and subdomain names. By reviewing these buckets, you can verify their relevance to your organization and remediate any risks that they may pose.
To identify all buckets that may impact your security posture, you can filter your Storage Bucket inventory. By applying the filters Source is Censys Scan and Risk Names contain ExposedStorageBucket[AWS], Censys Attack Surface Management provides a list of buckets that pose risks and may be relevant to your organization.
To remediate risky buckets, follow the same workflow as specified in Remediate Risks with Known Buckets.
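The same "Source is Censys Scan and Risk Names contain ExposedStorageBucket[AWS]" selection can be applied outside the UI to the Download CSV export, for example to feed a ticketing workflow. This is an added example, not Censys code; it assumes the export uses the table's column names (Name, Cloud, Account ID, Risks, Access, Source, Discovery Date, Risk Names, Tags) and runs on a constructed sample.

```python
# Added example: reproduce the Storage Buckets filter over a Download CSV export.
# Assumption: the CSV header matches the table columns named on this page.
import csv
import io
from typing import Dict, List

# Order used to surface the highest Risks severity first (assumed severity labels).
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def unknown_risky_buckets(csv_text: str, risk_name: str = "ExposedStorageBucket[AWS]") -> List[Dict[str, str]]:
    """Rows found by Censys Scan whose Risk Names contain risk_name, highest severity first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    hits = [
        row for row in rows
        if row["Source"].strip() == "Censys Scan" and risk_name in row["Risk Names"]
    ]
    return sorted(hits, key=lambda row: SEVERITY_ORDER.get(row["Risks"].strip().lower(), 99))


# Constructed sample export (bucket names and account ID are made up).
SAMPLE_CSV = """Name,Cloud,Account ID,Risks,Access,Source,Discovery Date,Risk Names,Tags
example-corp-static,AWS,123456789012,Low,Discoverable,Cloud Connector,2024-01-03,,web
example-corp-logs,AWS,,Medium,Writeable,Censys Scan,2024-01-12,ExposedStorageBucket[AWS],
example-corp-backups,AWS,123456789012,High,Readable,Censys Scan,2024-01-10,ExposedStorageBucket[AWS],
example-corp-assets,GCP,,Low,Discoverable,Censys Scan,2024-01-12,,
"""

if __name__ == "__main__":
    for row in unknown_risky_buckets(SAMPLE_CSV):
        print(row["Risks"], row["Name"], row["Access"])
```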
If a bucket discovered is not relevant to your organization, click Remove to remove it from your inventory. The Asset Management section provides more information on removing buckets.