New Threat Stack Feature: S3 File Integrity Monitoring

Threat Stack customers receive a great deal of value from our Linux File Integrity Monitoring (FIM), and we have now extended that capability to S3.

Many of our AWS customers are storing their critical files on S3, and for various security and compliance reasons, those files need to be monitored to see if any are being accessed, altered, or deleted.

To help ensure the integrity of the files in S3 buckets, Threat Stack now supports alerting on access and changes to files in specific buckets. AWS can now record object-level access in CloudTrail events, and we have added rules to our base rule set to support that feature.

Event Names and User Actions

To create rules that monitor particular actions on files, customers can use the associated CloudTrail event name in their Threat Stack rules. The following table lists the Event Names that are generated when specific User Actions occur.

| User Action | CloudTrail Event Name |
| --- | --- |
| Download a file in a bucket | GetObject |
| Delete a file or upload a new file in a bucket | PutObject |
| Access the bucket | ListObjects |
| Access the policy of a bucket | GetObjectAcl |
| Upload a new policy on a bucket | PutObjectAcl |
| Access metadata on a bucket | HeadObject |


New Threat Stack FIM Features

Alerts

The Threat Stack base rule set has been updated to alert when files in critical buckets are accessed or deleted:

(eventName = "PutObjectAcl" or eventName = "GetObjectAcl" or eventName = "GetObject" or eventName = "PutObject" or eventName = "ListObjects" or eventName = "HeadObject") and bucketName = "xxx"

Customers need to replace xxx with the name of the bucket that they want to monitor.
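
As an added illustration (not Threat Stack's rule engine and not code from this post), the Python below applies the same eventName and bucketName logic to raw CloudTrail records. It assumes the rule's bucketName corresponds to CloudTrail's requestParameters.bucketName; the function names, the bucket name "critical-bucket" and the sample records are constructed.

```python
import json

# Event names copied from the rule above.
MONITORED_EVENTS = {"PutObjectAcl", "GetObjectAcl", "GetObject",
                    "PutObject", "ListObjects", "HeadObject"}

def match_fim_events(cloudtrail_json, bucket_name):
    """Return one summary dict per CloudTrail record that satisfies the rule."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        # requestParameters is null on some records, so default to {}.
        params = rec.get("requestParameters") or {}
        # Assumption: the rule's bucketName is requestParameters.bucketName.
        if (rec.get("eventName") in MONITORED_EVENTS
                and params.get("bucketName") == bucket_name):
            hits.append({
                "time": rec.get("eventTime"),
                "event": rec["eventName"],
                "key": params.get("key"),
                "actor": (rec.get("userIdentity") or {}).get("arn"),
                "source_ip": rec.get("sourceIPAddress"),
                # Denied attempts are logged too and are worth reviewing.
                "denied": rec.get("errorCode") == "AccessDenied",
            })
    return hits

def _rec(name, bucket, key=None, user="alice", error=None):
    """Build one constructed CloudTrail-style record (not real log data)."""
    rec = {"eventTime": "2017-01-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
           "eventName": name, "sourceIPAddress": "203.0.113.10",
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user},
           "requestParameters": {"bucketName": bucket, "key": key} if bucket else None}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log file: two records match, two do not.
SAMPLE = json.dumps({"Records": [
    _rec("GetObject", "critical-bucket", "payroll/2017.csv"),
    _rec("PutObject", "other-bucket", "notes.txt"),
    _rec("PutObjectAcl", "critical-bucket", "payroll/2017.csv", "mallory", "AccessDenied"),
    _rec("ListBuckets", None),
]})

if __name__ == "__main__":
    for hit in match_fim_events(SAMPLE, "critical-bucket"):
        print(hit)
```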

Search

In addition to creating alerts, customers can also search on corresponding events:

[Screenshot: fim-search.png]

Final Word . . .

We’re continually adding to and improving the Threat Stack Cloud Security Platform®. Stay tuned to our blog to learn about new and enhanced features as they are released.