Storage Buckets
Review cloud storage containers that affect your organization’s security posture.
What is a Storage Bucket?
Censys defines Storage Buckets as containers provided by a cloud object storage service. Censys uncovers buckets provided by Google Cloud Platform (GCP) and Amazon Simple Storage Service (S3).
What is on the Storage Buckets page?
The Storage Buckets page displays buckets that may be associated with your organization. Censys uses your organization’s DNS domain and subdomain names to power Internet-wide bucket discovery, uncovering assets that may be relevant to you. You can use the Storage Buckets page to assess discovered buckets and see if they belong to you, or remediate risks for known buckets.
Storage Buckets List Page
In this table, you’ll see a list of all of your discovered Storage Buckets.

Default columns include:
- Cloud - The cloud storage provider hosting this bucket.
- Account ID (AWS specific) - The AWS account associated with this bucket.
- Risks - The risk severity associated with this bucket’s configuration.
- Access - The access configuration for this bucket. Access levels include Readable, Writeable, and Editable Settings.
  - Readable - Contents of the bucket might be read publicly.
  - Writeable - Contents of the bucket might be editable.
  - Editable Settings - Anyone can edit the read/write settings for this bucket.
- Source - The source that uncovered this bucket. Sources include Cloud Connector, the integration provided by Censys to automatically identify your organization’s known buckets, and Censys Scan, Censys' method to discover potentially unknown buckets.
- Discovery Date - The date when this bucket was first discovered.
Quick Filters
At the top of the page are three filters that allow you to quickly see your important storage buckets.

Quick filters include:
- High Risk - Any storage buckets that have a risk severity of "high".
- Buckets from Cloud Connector - Storage buckets that have been identified by a Cloud Connector that your organization has deployed. If your organization has not deployed a Cloud Connector, this filter option will be replaced by a banner with information regarding Cloud Connectors.
- Buckets from Censys Scan - Storage buckets that have been identified by the Censys automated bucket discovery technique.
Column Section
You can display additional columns with more information about your Storage Buckets by clicking the Columns button in the table header.

Additional columns include:
- Risk Names - A string representation of the risks associated with this bucket.
- Tags - Tags that have been added to this asset.

You can export the Storage Buckets inventory as a comma-separated value (CSV) sheet for use in other products and workflows. Click the Download CSV button in the right-hand corner. The default filename is {timestamp}_{customerName}_ObjectStorageExport.csv, and the columns in the CSV file reflect the columns displayed in the table when exported.
Sort Columns
The default sorting for the table is descending (High-Low) for the Access column. Use the arrows in the other column headers to sort the table by those columns.
Filters

Navigate the storage buckets list page by paginating, or by applying filters. You can select or exclude buckets from the list based on the following properties:
- Name - The name of the bucket.
- Cloud - The name of the cloud storage provider.
- Account ID (AWS specific) - The AWS account ID associated with this bucket.
- Risk Names - The risk names associated with this bucket.
- Risk Severity - The risk severity associated with this bucket.
- Access - The level of access discovered for this bucket. Access levels include Readable, Writeable, and Editable Settings.
  - Readable - Contents of the bucket might be read publicly.
  - Writeable - Contents of the bucket might be editable.
  - Editable Settings - Anyone can edit the read/write settings for this bucket.
- Source - The source that uncovered this bucket. Sources include Cloud Connector, the integration provided by Censys to automatically identify your organization’s known buckets, and Censys Scan, Censys' method to discover potentially unknown buckets.
- Association Date - The date range, inclusive, for when this bucket was first discovered.
- Tag - Any tags you have applied to the asset.
Storage Bucket Details Page
Each bucket in the table links to a bucket details page with additional information.

Overview

In the Overview card of the page, general information about the bucket includes:
- Cloud - The name of the cloud storage provider.
- Account ID (AWS specific) - The AWS account ID associated with this bucket, if known.
- Access - The access configuration for this bucket. Access levels include:
  - Discoverable - Buckets can be found but not viewed or altered.
  - Readable - Contents of the bucket might be read publicly.
  - Writeable - Contents of the bucket might be editable.
  - Editable Settings - Anyone can edit the read/write settings for this bucket.
- URL - The URL associated with this bucket.
- Region (AWS specific) - The geographic location housing this bucket.
- Source - The source that uncovered this bucket. Sources include Cloud Connector, the integration provided by Censys to automatically identify your organization’s known buckets, and Censys Scan, Censys’s method to discover potentially unknown buckets.
- Discover Date - The date when this bucket was first discovered.
Risks
The Risks tab displays the count of risks associated with this storage bucket. Clicking the tab opens the list and displays more information.

Logbook
The Logbook card displays information from the logbook that is relevant to this storage bucket.

Clicking the blue View All button expands the logbook to show all events related to this storage bucket since it has been added to your inventory.
Trail
The Trail card delineates the pivots that were used by Censys Scan to discover this storage bucket. The trail can be helpful in identifying why a storage bucket has been associated with your organization. Note that for storage buckets found by a Cloud Connector, the trail will not have multiple pivots to display.

Asset Management
Towards the top of the Storage Bucket Details Page, you’ll find several buttons that you can use to manage this bucket.

- Go to Access Controls (AWS specific) - Clicking this button navigates to the AWS console used to manage this bucket.
- View Live - Clicking this button navigates your browser to the URL associated with this bucket.
- Remove - If, after investigation, you decide that you would no longer like Censys to track this bucket for you, you can click the Remove button to remove it from your inventory. Buckets that have been removed are visible from the Excluded Assets page.
Use Cases
Remediate Risks with Known Buckets
The storage buckets list page can be used to conveniently manage risks associated with buckets that you own. You may find that a bucket you manage is unintentionally configured as Readable, Writeable, or with Editable Settings.
- Readable - Contents of the bucket might be read publicly.
- Writeable - Contents of the bucket might be editable.
- Editable Settings - Anyone can edit the read/write settings for this bucket.

To remediate risks associated with a bucket, click the bucket’s name to navigate to the details page.

Censys provides several workflows for remediating risks associated with a bucket. If this is an AWS S3 bucket that you have the credentials to manage, you can click the Go to Access Controls button in the upper-right corner of the screen to navigate directly to the AWS console used to manage this bucket.

If the risks associated with this bucket do not require immediate response, you can use the Add Tag or Add Comment buttons located near the top of the page to categorize or add a note to this bucket. These features enable you and your team to keep your inventory of buckets organized and secure.

Assess Buckets Discovered by Censys Scan
Storage Buckets discovered by Censys Scan are correlated to your organization’s DNS domain and subdomain names. By reviewing these buckets, you can verify their relevance to your organization and remediate any risks that they may pose.
To identify all buckets discovered by Censys Scan that may impact your security posture, you can filter your Storage Bucket inventory. By applying the filters Source is Censys Scan and Risk Names contain ExposedStorageBucket[AWS], Censys provides a list of buckets that pose risks and may be relevant to your organization.

To remediate risky buckets discovered by Censys Scan, you can follow the same workflow as specified in the section Remediate Risks with Known Buckets.
If a bucket discovered by Censys Scan is not relevant to your organization, you can use the Remove button to remove it from your inventory. The Asset Management section provides more information on Remove functionality.
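
The Censys Scan filter described in this section can also be reproduced offline against the CSV export and turned into a review queue. The Python sketch below is an added example, not Censys code: the CSV header names, the separators inside the Access cell, and the severity order of the access levels are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Assumed ranking, least to most permissive, following the order in which the
# page lists the access levels.
ACCESS_RANK = {"Discoverable": 0, "Readable": 1,
               "Writeable": 2, "Editable Settings": 3}

# Constructed sample standing in for {timestamp}_{customerName}_ObjectStorageExport.csv.
# Header names mirror the table columns; the real export's headers may differ.
SAMPLE_EXPORT = """\
Name,Cloud,Account ID,Risks,Access,Source,Discovery Date,Risk Names
example-assets,AWS,,High,"Readable, Writeable",Censys Scan,2024-01-10,ExposedStorageBucket[AWS]
example-backups,AWS,000000000000,High,Editable Settings,Cloud Connector,2024-01-12,ExposedStorageBucket[AWS]
example-logs,GCP,,Low,Discoverable,Censys Scan,2024-02-01,
example-public-site,AWS,,Medium,Readable,Censys Scan,2024-02-03,ExposedStorageBucket[AWS]
"""


def worst_access(cell):
    """Return the most permissive access level named in an Access cell, or None."""
    levels = [part.strip() for part in cell.replace(";", ",").split(",")]
    known = [level for level in levels if level in ACCESS_RANK]
    return max(known, key=ACCESS_RANK.get) if known else None


def triage(export_text, source="Censys Scan", risk_substring="ExposedStorageBucket"):
    """Apply 'Source is ...' and 'Risk Names contain ...', most exposed first."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if (row.get("Source") or "").strip() != source:
            continue
        if risk_substring not in (row.get("Risk Names") or ""):
            continue
        hits.append({
            "name": row["Name"],
            "cloud": row["Cloud"],
            "account_id": (row.get("Account ID") or "").strip() or "unknown",
            "access": worst_access(row.get("Access") or ""),
        })
    # Stable sort: rows with the same access level keep their export order.
    hits.sort(key=lambda h: ACCESS_RANK.get(h["access"], -1), reverse=True)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EXPORT):
        print(f'{hit["access"]:<18} {hit["cloud"]:<4} {hit["account_id"]:<13} {hit["name"]}')
```

Rows with an unknown account ID are the ones whose ownership still has to be confirmed before remediation or removal.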