How do you prevent unauthorized corporate data exfiltration to S3 buckets?
If you use AWS Direct Connect to transfer files and objects to S3, the current solution is a public VIF, over which AWS advertises the entire set of S3 public address ranges to on-prem. The implication is that every on-prem user can upload to any S3 bucket, including personal buckets in their own personal AWS accounts, allowing confidential data and intellectual property to leave your organization. The current situation is shown below.
Figure 1 – S3 CIDR ranges open in region
In Aviatrix 5.3 (released Feb 17, 2020), a new feature, 'PrivateS3', provides the ability to enforce a policy by whitelisting only the S3 buckets that may receive data from on-prem. Organizations and SOC teams benefit from controlling which S3 buckets receive requests: packets to any bucket that is not whitelisted are dropped.
Figure 2 – Securing S3 using Aviatrix PrivateS3
Key Business Outcomes:
- Mitigating the ability of bad actors within the organization to perform data exfiltration to their own personal S3 buckets of:
  - Intellectual property
  - Sensitive customer data
  - Confidential corporate-owned artifacts
- Corporate governance and control over which S3 buckets can be accessed over Direct Connect from on-prem or from within sensitive VPCs.
- Transfer of data between on-prem and S3 over Direct Connect without a public VIF.
- The ability to deploy multiple Aviatrix gateways to load balance the data traffic into S3 buckets, for example:
  - Large data loading operations, such as Snowflake data staging and other data migration operations into S3.
Deploying the PrivateS3 solution is a simple operation initiated from the Aviatrix Controller. Once deployed, a DNS record pointing to the Aviatrix gateways should be added to the on-prem DNS, so that S3 traffic over Direct Connect passes through the gateways and their bucket whitelist; this mitigates the possibility of data exfiltration via S3 over Direct Connect.
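As an added illustration (not Aviatrix's code), the per-request decision a gateway in this design has to make: extract the bucket from an S3 request in either the virtual-hosted or the path-style addressing form, forward it only if the bucket is on the whitelist, and drop everything else, including requests that name no bucket at all. The bucket names, URLs and regex are constructed assumptions for the example.

```python
"""Bucket whitelist decision for S3 requests seen at a gateway (added example)."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed whitelist: the only buckets on-prem may write to.
ALLOWED_BUCKETS = {"data-lake-prod", "snowflake-stage"}

# S3 hostnames in the commercial partitions: optional "<bucket>." prefix for
# virtual-hosted style, then "s3", an optional region (dot or legacy dash form,
# optionally dualstack), then "amazonaws.com". Assumption: FIPS, access point
# and website endpoints are out of scope for this example.
_S3_HOST = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.)?"
    r"s3(?:[.-](?:dualstack\.)?(?P<region>[a-z]{2}-[a-z]+-\d))?\.amazonaws\.com$"
)

def bucket_from_request(url: str) -> Optional[str]:
    """Return the bucket an S3 request addresses, or None if there is none."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()      # hostnames are case-insensitive
    m = _S3_HOST.match(host)
    if not m:
        return None                            # not an S3 endpoint at all
    if m.group("bucket"):
        return m.group("bucket")               # virtual-hosted style
    first = parts.path.lstrip("/").split("/", 1)[0]
    return first or None                       # path-style; "" means ListBuckets

def decide(url: str, allowlist=ALLOWED_BUCKETS) -> str:
    """'forward' only for a whitelisted bucket; anything else is 'drop'."""
    bucket = bucket_from_request(url)
    return "forward" if bucket in allowlist else "drop"

if __name__ == "__main__":
    # Constructed sample requests as they would arrive from on-prem.
    for req in (
        "https://data-lake-prod.s3.us-east-1.amazonaws.com/etl/part-0001.parquet",
        "https://s3.us-east-1.amazonaws.com/snowflake-stage/load/2020-02-17.csv",
        "https://personal-dropbox.s3.amazonaws.com/export.tar",
        "https://s3.amazonaws.com/",
    ):
        print(f"{decide(req):8} {bucket_from_request(req)!s:20} {req}")
```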