Visualize your AWS storage and security configuration
This guide demonstrates how to set up a monitoring solution to gain visibility into security configurations from your AWS S3 and RDS instances using Port's AWS integration.
Common use casesโ
- Identify publicly accessible S3 buckets to prevent accidental data exposure.
- Track RDS instances with weak or missing encryption settings.
Prerequisitesโ
This guide assumes the following:
- You have a Port account and have completed the onboarding process.
- Port's AWS integration is installed in your account.
Set up data modelโ
When installing the AWS integration in Port, the AWS Account blueprint is created by default.
However, the S3 and RDS Instance blueprints are not created automatically so we will need to create them manually.
Create the S3 blueprintโ
-
Go to the Builder page of your portal.
-
Click on
+ Blueprint. -
Click on the
{...}button in the top right corner, and chooseEdit JSON. -
Add this JSON schema:
AWS S3 blueprint (Click to expand)
{
"identifier": "awsS3Bucket",
"description": "This blueprint represents an AWS S3 bucket in our software catalog",
"title": "S3",
"icon": "Bucket",
"schema": {
"properties": {
"link": {
"type": "string",
"format": "url",
"title": "Link"
},
"regionalDomainName": {
"type": "string",
"title": "Regional Domain Name"
},
"versioningStatus": {
"type": "string",
"title": "Versioning Status",
"enum": [
"Enabled",
"Suspended"
]
},
"encryption": {
"type": "array",
"title": "Encryption"
},
"lifecycleRules": {
"type": "array",
"title": "Lifecycle Rules"
},
"publicAccessConfig": {
"type": "object",
"title": "Public Access"
},
"tags": {
"type": "array",
"title": "Tags"
},
"arn": {
"type": "string",
"title": "ARN"
},
"region": {
"type": "string",
"title": "Region"
},
"blockPublicAccess": {
"type": "boolean",
"title": "Block Public Access"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"aggregationProperties": {},
"relations": {
"account": {
"title": "account",
"target": "awsAccount",
"required": false,
"many": false
}
}
} -
Click
Saveto create the blueprint.
Create the RDS instance blueprintโ
-
Go to the Builder page of your portal.
-
Click on
+ Blueprint. -
Click on the
{...}button in the top right corner, and chooseEdit JSON. -
Add this JSON schema:
AWS RDS instance blueprint (Click to expand)
{
"identifier": "rdsInstance",
"description": "This blueprint represents an AWS RDS DBInstance in our software catalog",
"title": "RDS Instance",
"icon": "AWS",
"schema": {
"properties": {
"link": {
"type": "string",
"format": "url",
"title": "Link"
},
"dbInstanceClass": {
"type": "string",
"title": "DB Instance Class"
},
"dbInstanceStatus": {
"type": "string",
"title": "DB Instance Status"
},
"engine": {
"type": "string",
"title": "Engine"
},
"storageType": {
"type": "string",
"title": "Storage Type"
},
"engineVersion": {
"type": "string",
"title": "Engine Version"
},
"port": {
"type": "number",
"title": "Port"
},
"allocatedStorage": {
"type": "number",
"title": "Allocated Storage"
},
"endpoint": {
"type": "string",
"title": "Endpoint"
},
"multiAZ": {
"type": "boolean",
"title": "Multi-AZ"
},
"deletionProtection": {
"type": "boolean",
"title": "Deletion Protection"
},
"availabilityZone": {
"type": "string",
"title": "Availability Zone"
},
"masterUsername": {
"type": "string",
"title": "Master Username"
},
"publicAccess": {
"type": "boolean",
"title": "Public Access"
},
"vpcSecurityGroups": {
"type": "array",
"items": {
"type": "string"
},
"title": "VPC Security Groups"
},
"arn": {
"type": "string",
"title": "ARN"
},
"storageEncrypted": {
"type": "boolean",
"title": "Storage Encrypted"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"aggregationProperties": {},
"relations": {
"account": {
"title": "Account",
"target": "awsAccount",
"required": true,
"many": false
}
}
} -
Click
Saveto create the blueprint.
Update integration mappingโ
-
Go to the Data Sources page of your portal.
-
Select the AWS integration.
-
Add the following YAML block into the editor to ingest storage data from AWS:
AWS integration configuration (Click to expand)
deleteDependentEntities: true
createMissingRelatedEntities: true
enableMergeEntity: true
resources:
- kind: AWS::Organizations::Account
selector:
query: 'true'
port:
entity:
mappings:
identifier: .Id
title: .Name
blueprint: '"awsAccount"'
properties:
arn: .Arn
email: .Email
status: .Status
joined_method: .JoinedMethod
joined_timestamp: .JoinedTimestamp | sub(" "; "T")
- kind: AWS::S3::Bucket
selector:
query: 'true'
useGetResourceAPI: true
port:
entity:
mappings:
identifier: .Identifier
title: .Identifier
blueprint: '"awsS3Bucket"'
properties:
regionalDomainName: .Properties.RegionalDomainName
encryption: .Properties.BucketEncryption.ServerSideEncryptionConfiguration
lifecycleRules: .Properties.LifecycleConfiguration.Rules
publicAccessConfig: .Properties.PublicAccessBlockConfiguration
blockPublicAccess: >-
.Properties.PublicAccessBlockConfiguration | (.BlockPublicAcls and
.IgnorePublicAcls and .BlockPublicPolicy and
.RestrictPublicBuckets)
tags: .Properties.Tags
arn: .Properties.Arn
region: .Properties.RegionalDomainName | capture(".*\\.(?<region>[^\\.]+)\\.amazonaws\\.com") | .region
link: .Properties | select(.Arn != null) | "https://console.aws.amazon.com/go/view?arn=" + .Arn
relations:
account: .__AccountId
- kind: AWS::RDS::DBInstance
selector:
query: 'true'
useGetResourceAPI: 'true'
port:
entity:
mappings:
identifier: .Identifier
title: .Properties.DBInstanceIdentifier
blueprint: '"rdsInstance"'
properties:
link: 'https://console.aws.amazon.com/go/view?arn=' + .Properties.DBInstanceArn
dbInstanceClass: .Properties.DBInstanceClass
dbInstanceStatus: .Properties.DBInstanceStatus
engine: .Properties.Engine
storageType: .Properties.StorageType
engineVersion: .Properties.EngineVersion
port: .Properties.Endpoint.Port
allocatedStorage: .Properties.AllocatedStorage
endpoint: .Properties.Endpoint.Address
multiAZ: .Properties.MultiAZ
deletionProtection: .Properties.DeletionProtection
availabilityZone: .Properties.AvailabilityZone
masterUsername: .Properties.MasterUsername
publicAccess: .Properties.PubliclyAccessible
vpcSecurityGroups: .Properties.VpcSecurityGroups
arn: .Properties.DBInstanceArn
storageEncrypted: .Porperties.StorageEncrypted
relations:
account: .__AccountId -
Click
Save & Resyncto apply the mapping.
Visualize metricsโ
Once the AWS storage data is synced, we can create a dedicated dashboard in Port to monitor and analyze security configurations and access controls using customizable widgets.
Create a dashboardโ
- Navigate to the Catalog page of your portal.
- Click on the
+ Newbutton in the left sidebar. - Select New dashboard.
- Name the dashboard AWS Storage Security Overview.
- Select the
AWSicon. - Click
Create.
We now have a blank dashboard where we can start adding widgets to visualize security insights from our AWS storage.
Add widgetsโ
In the new dashboard, create the following widgets:
RDS by availability zone (click to expand)
-
Click
+ Widgetand select Pie chart. -
Title:
RDS by availability zone(add theAmazonRDSicon). -
Choose the RDS Instance blueprint.
-
Under
Breakdown by property, select the Availability Zone property
-
Click Save.
RDS by public access (click to expand)
-
Click
+ Widgetand select Pie chart. -
Title:
RDS by public access(add theAmazonRDSicon). -
Choose the RDS Instance blueprint.
-
Under
Breakdown by property, select the Public Access property
-
Click Save.
Unprotected RDS by engine (click to expand)
-
Click
+ Widgetand select Pie chart. -
Title:
Unprotected RDS by engine(add theAmazonRDSicon). -
Choose the RDS Instance blueprint.
-
Under
Breakdown by property, select the Engine property. -
Add this JSON to the Additional filters editor to filter unprotected RDS instances:
[
{
"combinator":"and",
"rules":[
{
"property":"deletionProtection",
"operator":"=",
"value":false
}
]
}
]
-
Click Save.
RDS without SSL (click to expand)
-
Click
+ Widgetand select Number Chart. -
Title:
RDS without SSL(add theAmazonRDSicon). -
Select
Count entitiesChart type and choose RDS Instance as the Blueprint. -
Select
countfor the Function. -
Add this JSON to the Additional filters editor to filter RDS instances without SSL configuration:
[
{
"combinator":"and",
"rules":[
{
"property":"storageEncrypted",
"operator":"=",
"value":false
}
]
}
]
-
Click
Save.
S3 buckets by public access (click to expand)
-
Click
+ Widgetand select Pie chart. -
Title:
S3 by public access(add theS3icon). -
Choose the S3 blueprint.
-
Under
Breakdown by property, select the Block Public Access property
-
Click Save.
Unencrypted S3 buckets (click to expand)
-
Click
+ Widgetand select Number Chart. -
Title:
Unencrypted S3 buckets(add theS3icon). -
Select
Count entitiesChart type and choose S3 as the Blueprint. -
Select
countfor the Function. -
Add this JSON to the Additional filters editor to filter S3 buckets without encryption configurations:
[
{
"combinator":"and",
"rules":[
{
"property":"encryption",
"operator":"isNotEmpty"
}
]
}
]
-
Click
Save.