Aqua CSPM Takes BYOK Further with Bring Your Own (Storage) Bucket
BYOK (bring your own key) is a trusted method for restricting access to data through encryption keys provided by end-users. We took this concept to the next level by adding support for “bring your own bucket” (BYOB). This new model represents an innovative, cloud native approach for providing users with better control over data. It helps solve a common problem for enterprises needing a higher level of data access control to meet regulatory, compliance, or internal security requirements.
Aqua CSPM (Cloud Security Posture Management) now lets customers use their own AWS S3 storage bucket (bring your own) to store raw response data gathered during our cloud infrastructure scan — instead of using a shared, multi-tenant bucket managed by Aqua.
Leveraging cloud native capabilities
We’ve leveraged cloud native technologies to implement this feature, which many enterprises looked for in traditional, non-cloud environments — even before there was a “cloud.” By using an S3 bucket, cross-account principals, and shared KMS keys (all based on AWS technologies) we've been able to uniquely apply this feature using resources already available in your cloud native environment, effectively taking advantage of the security and scalability offered by the cloud.
The entire feature is delivered using cloud native tools, and there are no agents to install. Today, we support this feature for any cloud platform we scan, with a single AWS account providing the underlying storage resources. Support for this feature using Azure Blob Storage or storage resources from other cloud platforms is planned for future releases.
Bring your own bucket in action
In a conventional Aqua CSPM data collection model, we would collect and store your infrastructure data in our own S3 bucket, which is segmented by your user identifier. This raw data contains the responses from the cloud provider API calls and is protected by several security controls including bucket policies, ACL restrictions, and server-side encryption. We would then feed that data into our backend processes and scanning plug-ins to create a scan report, which is visible within the Aqua CSPM console. Finally, as part of our standard data cleanup process, all the raw data collected will be deleted 36 hours later.
In this new model, we collect the data entirely within your cloud account and then save it to an S3 bucket — also located in your cloud account. This provides you and your enterprise with the ability to own and regulate the data. Once this feature is turned on, that data is also encrypted using a KMS key. This is important because you now have full control over the data itself, who has access to it, deletion policies, object lifecycle, and any audit policies, all of which now reside solely with you, the data owner.
Get more control over your data
Although our current data collection and storage process is already secure, you can more closely manage access to, and maintain full control of, the data being collected. This can help your enterprise maintain and prove demonstrable data access control for internal and external requirements. For example, you could create your own access logging policy that logs and reports on all access to that storage bucket — as part of your own infrastructure controls — for every user, service, principal, policy or anything else that touched that data.
Your enterprise may need this level of control for contractual reasons (e.g., demands from customers), or you may be especially sensitive about where data is stored because you need to comply with a regulatory compliance control (e.g., data privacy). Or, you may have internal controls that require retaining full control over data access when working with SaaS providers.
Setup is easy
We supply you with a CloudFormation template that includes the necessary resources to deploy an S3 bucket, S3 bucket policy, and KMS key in your AWS account. As part of that deployment, the template automatically creates a policy, along with the bucket and key, which provides the necessary read/write and encrypt/decrypt permissions for us to perform the work. For most implementations, all it takes is 10 minutes to set up — just deploy the template and provide access to one of the template resources.
Although we maintain a separate database for your contact information, scan reports, summary data, etc., the raw data collected in your bucket is exclusively under your control. After setup is complete, all you need to do is simply “flip a switch” to revoke all permissions to that raw data. You can then rest easy knowing that all access has been terminated.
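The following CloudFormation template is an added illustration of the pattern described above (customer-owned bucket and KMS key, a cross-account principal granted read/write and encrypt/decrypt, access logging, and a single switch that revokes access); it is not Aqua's template and makes no claim about what Aqua's template contains. The scanner account ID, the role name cspm-scanner-role, the two-day lifecycle rule, and the AllowScannerAccess parameter are constructed for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Illustrative bring-your-own-bucket stack (constructed example, not the vendor's template)

Parameters:
  ScannerAccountId:
    Type: String
    AllowedPattern: '^[0-9]{12}$'
    Description: Placeholder for the SaaS scanner's AWS account ID (supplied by the vendor)
  ScannerRoleName:
    Type: String
    Default: cspm-scanner-role        # hypothetical role in the scanner's account
  AllowScannerAccess:
    Type: String
    Default: 'true'
    AllowedValues: ['true', 'false']  # the "switch": set to false and update the stack to revoke access

Conditions:
  GrantAccess: !Equals [!Ref AllowScannerAccess, 'true']

Resources:
  RawDataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Customer-owned key protecting raw scan responses
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: OwnerFullControl     # key administration stays with the data owner
            Effect: Allow
            Principal: { AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' }
            Action: 'kms:*'
            Resource: '*'
          - !If                        # cross-account encrypt/decrypt grant, dropped when the switch is off
            - GrantAccess
            - Sid: ScannerEncryptDecrypt
              Effect: Allow
              Principal: { AWS: !Sub 'arn:aws:iam::${ScannerAccountId}:role/${ScannerRoleName}' }
              Action: ['kms:Encrypt', 'kms:Decrypt', 'kms:GenerateDataKey*', 'kms:DescribeKey']
              Resource: '*'
            - !Ref AWS::NoValue

  AccessLogBucket:                     # receives S3 server access logs for the raw-data bucket
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true }
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault: { SSEAlgorithm: AES256 }

  AccessLogBucketPolicy:               # the S3 logging service must be allowed to deliver logs here
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AccessLogBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: S3ServerAccessLogDelivery
            Effect: Allow
            Principal: { Service: logging.s3.amazonaws.com }
            Action: 's3:PutObject'
            Resource: !Sub '${AccessLogBucket.Arn}/*'
            Condition:
              StringEquals: { 'aws:SourceAccount': !Ref AWS::AccountId }

  RawDataBucket:
    Type: AWS::S3::Bucket
    DependsOn: AccessLogBucketPolicy
    Properties:
      PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true }
      BucketEncryption:                # every new object is encrypted with the customer-owned key
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault: { SSEAlgorithm: 'aws:kms', KMSMasterKeyID: !GetAtt RawDataKey.Arn }
            BucketKeyEnabled: true
      LoggingConfiguration:            # every access to the raw data is recorded in the owner's log bucket
        DestinationBucketName: !Ref AccessLogBucket
        LogFilePrefix: raw-data-access/
      LifecycleConfiguration:          # retention is now the owner's decision; two days is a constructed choice
        Rules:
          - { Id: ExpireRawResponses, Status: Enabled, ExpirationInDays: 2 }

  RawDataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref RawDataBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyInsecureTransport # refuse any request that is not over TLS
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource: [!GetAtt RawDataBucket.Arn, !Sub '${RawDataBucket.Arn}/*']
            Condition:
              Bool: { 'aws:SecureTransport': 'false' }
          - !If                        # cross-account read/write grant, dropped when the switch is off
            - GrantAccess
            - Sid: ScannerReadWrite
              Effect: Allow
              Principal: { AWS: !Sub 'arn:aws:iam::${ScannerAccountId}:role/${ScannerRoleName}' }
              Action: ['s3:PutObject', 's3:GetObject', 's3:ListBucket']
              Resource: [!GetAtt RawDataBucket.Arn, !Sub '${RawDataBucket.Arn}/*']
            - !Ref AWS::NoValue

Outputs:
  RawDataBucketName: { Value: !Ref RawDataBucket }
  RawDataKeyArn: { Value: !GetAtt RawDataKey.Arn }
```

Two points worth checking in any real deployment of this shape: cross-account access requires both sides, so the scanner's role also needs an identity policy allowing the same S3 and KMS actions, and the resource policies above only permit it; and updating the stack with AllowScannerAccess set to false removes both the bucket-policy statement and the key-policy statement, so the scanner loses not only the ability to write new objects but also the ability to decrypt objects it has already written.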
BYOK and BYOB are available now
Aqua CSPM provides multi-cloud visibility, rapid remediation, and enterprise scalability to scan, validate, monitor, and remediate configuration issues in public cloud accounts. And for clients looking for more control over their data, our Premier Plan now contains everything you need to implement “bring your own” key and bucket.