Configure Aperture Security Controls

Aperture Security Controls allow you to define and enforce policy rules for monitoring settings and activities so that you can automatically detect and remediate risks around data exfiltration, data exposure, or risky user behavior. For example, you can create a policy that sends an email alert or creates a log entry when a user forwards a corporate email to a personal email address, or when a security key pair rotation does not follow the defined policy. Security Controls include a robust set of match criteria that allow you to precisely define which settings and activities to track.
The Aperture service supports the following types of security controls:
| Security Control Name | Action |
| --- | --- |
| Administrative Access of End User's Inbox | Identifies administrators who have access to an end user's inbox. Admin Email lists the email address of the administrator, and User Email lists the email address of the user whose inbox can be accessed by the administrator. |
| Email Forwarding Rule | Identifies corporate emails that are forwarded to personal email domains. Rule Name identifies the forwarding rule, and the destination address is listed in Forwarded Email Address. |
| Email Public Folder | Identifies exposed public folders that users can access within the enterprise. Folder Name and Folder Owner can be used to exclude specific folders. |
| Email Retention | Identifies user-generated email retention settings that vary from the corporate administrator policy settings. |
| Inbound Accessible Services | Identifies inbound security groups that have access to specific services and ports that are scanned in AWS. |
| Key Rotation | Sends an alert for keys that have not been rotated within a specific time frame, such as one week, one month, three months, or one year. |
| Multi-Factor Authentication | Identifies users and sends an alert when they log in to the SaaS application without multi-factor authentication. |
| Non-Standard Amazon Web Services EC2 Appliance (AMI) | Identifies AMIs that are not trusted by the organization and sends an alert on non-standard AMIs. |
| Outbound Accessible Services | Identifies outbound security groups that have access to specific services and ports that are scanned in Amazon Web Services. |
| Password Policy | Checks the password settings (such as complexity, reuse, or expiration) against the password policy and sends an alert when there is a discrepancy. |
| Unencrypted Storage | Identifies and alerts on Elastic Block Storage (EBS) volumes that are not encrypted. |
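The controls above all follow the same pattern: collect a setting or activity record, apply match criteria, and emit an alert or log entry when the criteria are met. The following is an added example of that pattern for three of the listed controls (Email Forwarding Rule, Key Rotation, and Multi-Factor Authentication). It is not Aperture code, and the record fields, the corporate domain, the 90-day rotation window, and the sample data are all assumptions constructed for illustration.

```python
"""Added example: a minimal policy evaluator in the style of the security
controls listed above. Not Aperture code; field names, thresholds and the
sample records below are constructed assumptions."""
from datetime import datetime, timedelta, timezone

# Assumed policy parameters (constructed for this example).
CORPORATE_DOMAINS = {"example.com"}
KEY_ROTATION_MAX_AGE = timedelta(days=90)   # roughly the "three months" option

# Constructed sample data standing in for the settings and activities a
# SaaS security service would collect. Fixed "now" keeps the example deterministic.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
FORWARDING_RULES = [
    {"rule_name": "Archive to home", "user": "alice@example.com",
     "forward_to": "alice.home@personal-mail.example"},
    {"rule_name": "Team copy", "user": "bob@example.com",
     "forward_to": "team@example.com"},
]
KEYS = [
    {"key_id": "key-0001", "user": "alice@example.com",
     "last_rotated": NOW - timedelta(days=120)},
    {"key_id": "key-0002", "user": "bob@example.com",
     "last_rotated": NOW - timedelta(days=10)},
]
LOGINS = [
    {"user": "carol@example.com", "app": "crm", "mfa": False},
    {"user": "bob@example.com", "app": "crm", "mfa": True},
]


def email_domain(address):
    """Return the lowercased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def check_forwarding_rules(rules):
    """Email Forwarding Rule: flag forwards whose destination lies outside
    the corporate domains (i.e. a personal email domain)."""
    return [
        {"control": "Email Forwarding Rule", "user": r["user"],
         "rule_name": r["rule_name"], "forwarded_email_address": r["forward_to"]}
        for r in rules if email_domain(r["forward_to"]) not in CORPORATE_DOMAINS
    ]


def check_key_rotation(keys, now=NOW):
    """Key Rotation: flag keys whose last rotation is older than the window."""
    alerts = []
    for k in keys:
        age = now - k["last_rotated"]
        if age > KEY_ROTATION_MAX_AGE:
            alerts.append({"control": "Key Rotation", "user": k["user"],
                           "key_id": k["key_id"], "age_days": age.days})
    return alerts


def check_mfa(logins):
    """Multi-Factor Authentication: flag logins completed without MFA."""
    return [{"control": "Multi-Factor Authentication", "user": l["user"], "app": l["app"]}
            for l in logins if not l["mfa"]]


def evaluate(rules=FORWARDING_RULES, keys=KEYS, logins=LOGINS, now=NOW):
    """Run every control over its records and collect the resulting alerts."""
    return check_forwarding_rules(rules) + check_key_rotation(keys, now) + check_mfa(logins)


def to_log_lines(alerts):
    """Render alerts as one-line log entries (the 'create a log entry' action)."""
    lines = []
    for a in alerts:
        details = " ".join(f"{k}={v}" for k, v in a.items() if k != "control")
        lines.append(f"control={a['control']!r} {details}")
    return lines


if __name__ == "__main__":
    for line in to_log_lines(evaluate()):
        print(line)
```

Each check returns structured alerts rather than printing, so the same result can feed an email action, a log sink, or a remediation step; the exclusion lists and thresholds (here the corporate domains and the rotation window) are where a control's match criteria would be tuned.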