API Secure: AWS Read-Only Access

In order for API Inspect to deliver its continuous discovery service on Amazon Web Services (AWS) environments, Data Theorem strictly follows Amazon’s guidance only. The following is a detailed overview on how AWS provides Read-Only access to third parties for auditing and monitoring. By Design,

• Data Theorem will not have access to any data
• Data Theorem will not have any in-line access to traffic
• Data Theorem will not have any “Write” access
• Data Theorem will not have an “account”, but rather a resource role

Using the least privilege model, Data Theorem only requires access to the following read-only AWS policies and role:

• Read only access to API Gateway g. "Action": ["apigateway:GET"]
• Permission to Amazon’s SecuritAudit role

Below describes the SecurityAudit role policy maintained and supplied by Amazon:

• https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor

AWS managed policy name: SecurityAudit

Use case: This user monitors accounts for compliance with security requirements. This user can access logs and events to investigate potential security breaches or potential malicious activity.

Policy description: This policy grants permissions to view configuration data for many AWS services and to review their logs.

As a leading application security company protecting some of the largest and most valued companies in the world, Data Theorem maintains strict procedures that are audited by independent third parties to ensure our customers’ privacy and data are kept confidential.

From AWS Administration standpoint, customers can monitor Data Theorem’s activities within AWS by enabling CloudTrail logging. CloudTrail is an AWS service that captures a log of all API calls for a given AWS account, and its services. Using CloudTrail, customers can monitor and conduct post-incident forensic investigations of AWS with an audit trail of all activities across a customer’s infrastructure. All CloudTrail logs files are stored in a dedicated S3 bucket.

To obtain additional details on the access level privileges of the SecurityAudit role (e.g. version 26 policy is the latest default policy), please access the following link from AWS:

• https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/SecurityAudit$serviceLevelSummary

In summary, here are some important points to keep in mind:

1. Using the SecurityAudit role policy provides a managed policy maintained and supplied by Amazon that should evolve and improve as additional services are created within AWS.
2. The SecurityAudit role policy is Amazon’s recommended approach for allowing read-only access to third parties for security monitoring.
3. Data Theorem activities within AWS are logged via CloudTrail for tracking and auditing purposes, if needed.
4. Data Theorem designs its software to avoid accessing any data stored within its customer databases and file systems by default.
5. Data Theorem security practices are frequently audited by independent third parties to ensure our customers’ privacy and data are kept confidential.