Exposure Evaluation

Prisma Cloud and the Cloud Service Provider (CSP) both monitor the configuration of a bucket and access to the objects within it. Exposure evaluation in Prisma Cloud Data Security determines the access level defined for an object within a bucket: who has access to the object, and whether those users can download or exfiltrate content from the bucket. On AWS, exposure is an attribute of the bucket or object in the CSP's storage service, which allows applications and end users to access structured data for their use cases.
Prisma Cloud Data Security categorizes exposure levels as follows:
Exposure Level: Public
  Is the file/bucket accessible to everyone? If so, this is a potential risk and needs to be reviewed by the customer.
Exposure Level: Private
  The file/bucket is internal and not publicly accessible. This is the safest state for the customer. However, there may be legitimate reasons for some files to be Public, e.g. CDN web templates hosted by a server.
Exposure Level: Conditional
  This usually applies to resources that have a bucket policy attached allowing access only when some set of conditions is met. These conditions are contextual and cannot be deterministically resolved, as they may be specific to the customer's environment.
Some examples include:
  • access to a bucket is only allowed/denied within a time window
  • access to a bucket is only allowed when the request matches a specific user principal or a specific set of users
  • access to a bucket is allowed/denied when the client request IP falls within a whitelisted range
How is Exposure Evaluated?
This again depends on the service provider; here we look more closely at AWS and the S3 service. S3 access evaluation is least-privilege based: access is denied by default, and an explicit Deny takes precedence over any Allow.
Bucket Exposure Evaluation
  • Normalize all access controls (i.e. the bucket ACL and the bucket policy) into policy documents.
  • Evaluate all policy documents normalized above, following the steps outlined in the diagram above. The evaluation checks a known set of S3-specific API methods/actions for Allow and/or Deny.
    Supported Bucket Events are:
    • DeleteBucket
    • CreateBucket
    • DeleteBucketPolicy
    • PutBucketAcl
    • PutBucketPolicy
  • If the final result is that the bucket is publicly accessible, i.e. the whitelisted set of actions is allowed for everyone globally, the verdict is Public.
  • If the final result is a Deny for the set of known actions across all policy documents for public users, the verdict is Private.
  • If any of the policy documents contains Condition elements indicating access to the resource under specific conditions, the verdict is Conditional. Here we expect feedback from the customer to evaluate the risk posture for the bucket.
Object Exposure Evaluation
  • The same steps are followed again, since bucket exposure influences object exposure. In addition to the normalized bucket ACL and bucket policy, we also normalize the object ACL and factor it into the evaluation.
    Supported Object Events are:
  • All steps of the bucket policy evaluation are followed again to determine the eventual exposure verdict of the file/object.
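The bucket and object evaluation steps above, written out as a small Python evaluator. This is an added illustration, not Prisma Cloud code: it normalizes the bucket ACL, the bucket policy and (for objects) the object ACL into one list of statements, then applies default-Deny / explicit-Deny-wins logic for the "everyone" principal and returns Public, Conditional or Private. The set of checked actions, the mapping of ACL permissions to actions, the rule that any publicly allowed action makes the verdict Public, and all sample documents are assumptions constructed for the example; NotAction, NotPrincipal and Resource matching are deliberately left out.

```python
"""Simplified S3 exposure evaluator (added example, not Prisma Cloud code).

Normalize bucket ACL, bucket policy and object ACL into policy statements,
then evaluate them for an anonymous principal with AWS's default-Deny,
explicit-Deny-wins semantics.  Action set and mappings are assumptions.
"""
import fnmatch
import json

# Assumption: the actions whose public availability counts as exposure.
CHECKED_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:PutObject")

# Real AWS predefined group URIs that denote "everyone" in an S3 ACL.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    """IAM allows scalars or lists in Principal/Action; treat both as lists."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def normalize_acl(acl, scope):
    """Rewrite public ACL grants as Allow statements with Principal '*'.
    scope is 'bucket' or 'object' (READ lists a bucket, downloads an object)."""
    read_action = "s3:ListBucket" if scope == "bucket" else "s3:GetObject"
    permission_actions = {  # assumed simplified mapping
        "READ": [read_action],
        "WRITE": ["s3:PutObject"],
        "FULL_CONTROL": [read_action, "s3:PutObject"],
    }
    statements = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            actions = permission_actions.get(grant.get("Permission"), [])
            if actions:
                statements.append({"Effect": "Allow", "Principal": "*", "Action": actions})
    return statements

def normalize_policy(policy_json):
    """Parse a bucket policy document (JSON string) into its statements."""
    if not policy_json:
        return []
    return _as_list(json.loads(policy_json).get("Statement"))

def _is_public_principal(principal):
    """'*' or {'AWS': '*'} means everyone, including anonymous requests."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def _matches_action(statement, action):
    """Action patterns may contain wildcards, e.g. 's3:*' or 's3:Get*'."""
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement.get("Action")))

def evaluate_exposure(statements, actions=CHECKED_ACTIONS):
    """Per action: unconditional Deny wins; an Allow exposes the action, or makes it
    conditional if any matching statement carries a Condition.  Any publicly
    allowed action makes the whole verdict Public (assumption of this example)."""
    conditional = False
    for action in actions:
        relevant = [s for s in statements
                    if _is_public_principal(s.get("Principal")) and _matches_action(s, action)]
        if any(s.get("Effect") == "Deny" and not s.get("Condition") for s in relevant):
            continue  # explicit Deny: this action is not exposed
        if not any(s.get("Effect") == "Allow" for s in relevant):
            continue  # no Allow at all: default Deny
        if any(s.get("Condition") for s in relevant):
            conditional = True  # exposed only under customer-specific conditions
        else:
            return "Public"
    return "Conditional" if conditional else "Private"

def bucket_exposure(bucket_acl, bucket_policy_json):
    return evaluate_exposure(normalize_acl(bucket_acl, "bucket") + normalize_policy(bucket_policy_json))

def object_exposure(bucket_acl, bucket_policy_json, object_acl):
    # Bucket controls influence the object verdict; the object ACL is layered on top.
    return evaluate_exposure(normalize_acl(bucket_acl, "bucket")
                             + normalize_policy(bucket_policy_json)
                             + normalize_acl(object_acl, "object"))

# Constructed sample documents (not taken from any real account).
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_ACL = {"Grants": OWNER_ONLY_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
CONDITIONAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})
DENY_WINS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print("bucket, ACL only:         ", bucket_exposure(OWNER_ONLY_ACL, None))
    print("bucket, public policy:    ", bucket_exposure(OWNER_ONLY_ACL, PUBLIC_POLICY))
    print("bucket, IP-restricted:    ", bucket_exposure(OWNER_ONLY_ACL, CONDITIONAL_POLICY))
    print("bucket, deny wins:        ", bucket_exposure(OWNER_ONLY_ACL, DENY_WINS_POLICY))
    print("object, public object ACL:", object_exposure(OWNER_ONLY_ACL, None, PUBLIC_READ_ACL))
    print("object, bucket deny wins: ", object_exposure(OWNER_ONLY_ACL, DENY_WINS_POLICY, PUBLIC_READ_ACL))
```

The last two cases show the point made under Object Exposure Evaluation: a public-read object ACL yields Public on its own, but an unconditional Deny in the bucket policy still wins over it, so the object verdict is Private. The IP-restricted policy illustrates why a Condition element cannot be resolved deterministically by the evaluator and is returned as Conditional for the customer to review.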