Data Intelligence for AWS Storage Environments

Cloud Storage Security is excited to share that customers now have access to Storage Assessment functionality. Designed to enhance data intelligence, Storage Assessment answers questions like “How much data do I have?”, “In what regions is it located?”, “What encryption coverage do I have?” and “How many buckets are open to the public?” by providing the following data points:

Reported Data

S3 Environment Overview

  • Total amount of data (aka S3 size)

  • Total number of objects

  • How many buckets and regions are enabled with Storage Assessment

  • Total number and percent of objects scanned by CSS

  • Total number and percent of objects encrypted

  • 10 largest buckets (based on GB) and the percent scanned as well as percent encrypted

Bucket Information

  • Number of public and private buckets by region

  • Number of encrypted and unencrypted buckets by region

  • Percent of objects scanned by region

  • Percent of encrypted objects by region

File Information

  • Top 10 file types by size

  • Top 10 file types by count

  • File age breakdown of all files in your S3 environment

Trends

  • Bucket object count by date

  • Bucket size by date

  • Percent scanned of each bucket by day

This information is useful because it provides the detail needed to maintain a secure storage environment.  

For example, with AWS’s release of automated server-side encryption, all new objects in Amazon Simple Storage Service are encrypted by default from January 2023 onward. With data points that drill down into each bucket to tell you the percentage of encrypted objects and the file age breakdown, Storage Assessment can help you investigate and manage buckets containing unencrypted files older than January 2023.

Another notable way in which Storage Assessment helps customers enhance cloud security is by providing a tally of how many public buckets exist by region, making it easy to see whether the counts are in line with expectations or whether bucket access should be evaluated.

Storage Assessment also quantifies how much data you have within S3, a key data point for estimating scanning throughput, planning how to scale, and calculating total cost of ownership.

Storage Assessment is accessible under Monitoring in the application’s main menu. Data is filterable by bucket, region, account, and/or date. The time frame for which data is reported on is listed below the filters. 

Storage Assessment Report in CSS Console

 

Pricing Considerations

Storage Assessment manually crawls your buckets, gathering information about file size, last modified date, encryption status, and file type, to provide an initial overview of all of the files you have stored in Amazon S3. After that initial crawl, an S3 Inventory configuration report is leveraged to continue to assess the data.

AWS’s inventory configuration report is generated once a day by AWS and provides a snapshot of your bucket contents including file name, size, last modified date, encryption status, storage class, and intelligent tiering access tier as well as the name of the bucket it resides in. 
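The following is an added example, not part of the original article and not Cloud Storage Security's code: it shows how the inventory fields listed above can answer the earlier question about unencrypted files older than January 2023, using a header-less S3 Inventory CSV whose columns come from the manifest's `fileSchema`. The bucket names, rows, timestamp format and the exact cutoff day are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote

# The article says "January 2023 onward"; the first of the month is an assumption.
CUTOFF = datetime(2023, 1, 1, tzinfo=timezone.utc)
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # assumed inventory timestamp layout

# Constructed sample: the column list as stored in manifest.json "fileSchema",
# followed by inventory data rows (inventory CSV files carry no header row).
FILE_SCHEMA = "Bucket, Key, Size, LastModifiedDate, EncryptionStatus"
SAMPLE_ROWS = '''"logs-bucket","2021/app.log","1048576","2021-06-01T10:00:00.000Z","NOT-SSE"
"logs-bucket","2023/app.log","2048","2023-03-01T10:00:00.000Z","SSE-S3"
"logs-bucket","2022/db.bak","5242880","2022-11-15T08:30:00.000Z","SSE-KMS"
"media-bucket","old/video.mp4","734003200","2020-01-20T12:00:00.000Z","NOT-SSE"
"media-bucket","old/thumb.png","4096","2022-12-31T23:59:59.000Z","NOT-SSE"
'''


def assess(schema, csv_text, cutoff=CUTOFF):
    """Return ({bucket: percent encrypted}, [unencrypted objects older than cutoff])."""
    fields = [f.strip() for f in schema.split(",")]
    counts = defaultdict(lambda: [0, 0])  # bucket -> [objects, encrypted objects]
    legacy = []
    for row in csv.DictReader(io.StringIO(csv_text), fieldnames=fields):
        modified = datetime.strptime(row["LastModifiedDate"], TS_FORMAT)
        modified = modified.replace(tzinfo=timezone.utc)
        # Any value other than NOT-SSE means some form of server-side encryption.
        encrypted = row["EncryptionStatus"] != "NOT-SSE"
        counts[row["Bucket"]][0] += 1
        counts[row["Bucket"]][1] += int(encrypted)
        if not encrypted and modified < cutoff:
            # Inventory reports URL-encode object keys, so decode before reporting.
            legacy.append((row["Bucket"], unquote(row["Key"]), int(row["Size"])))
    percent = {b: round(100 * enc / total, 1) for b, (total, enc) in counts.items()}
    return percent, legacy


if __name__ == "__main__":
    percent, legacy = assess(FILE_SCHEMA, SAMPLE_ROWS)
    for bucket, pct in sorted(percent.items()):
        print(f"{bucket}: {pct}% of objects encrypted")
    for bucket, key, size in legacy:
        print(f"unencrypted, predates default encryption: s3://{bucket}/{key} ({size} bytes)")
```

Objects flagged this way were written before default encryption applied, so they stay unencrypted until they are rewritten or copied with encryption enabled.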

Both the crawl and S3 Inventory have minimal charges associated with them:

  • The initial crawl will invoke LIST calls to gather all of the objects associated with your S3 buckets. AWS charges $0.005 per thousand LIST calls, and you receive 1,000 objects per LIST call. This means crawling 1 million objects costs $0.005.

  • Storage Assessment generates nightly S3 inventory reports (in the future this will be configurable). AWS charges $0.0025 per million objects listed for an S3 inventory report.

  • If you want to calculate the number/percent of objects scanned, this functionality performs GET calls for each object. GET calls cost $0.40 per million objects. The frequency of this calculation is configurable within the Storage Assessment settings.

 

Getting Started

Cloud Storage Security solutions are deployed using a CloudFormation Template that includes an “Enable Storage Assessment” parameter that can be turned on or off. If the app is installed without Storage Assessment and you want to turn it on later, it can be enabled from within the Console Settings page. 

Storage Assessment is enabled by default for existing customers who upgrade the console to the latest release through the standard console upgrade process. To disable this feature at upgrade, manually update the stack and turn the dropdown selection to False. 

Learn more about enabling or disabling Storage Assessment in the CSS Help Docs.


Contact us to discuss Storage Assessment further or start a free trial of Antivirus for Amazon S3 or Data Classification for Amazon S3 to access Storage Assessment functionality.