{"id":18400713,"url":"https://github.com/databricks/security-bucket-brigade","last_synced_at":"2025-07-17T03:08:40.263Z","repository":{"id":66099389,"uuid":"248300705","full_name":"databricks/security-bucket-brigade","owner":"databricks","description":null,"archived":false,"fork":false,"pushed_at":"2023-03-30T20:12:33.000Z","size":4014,"stargazers_count":31,"open_issues_count":0,"forks_count":4,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-07-10T16:52:26.142Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/databricks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-03-18T17:38:40.000Z","updated_at":"2025-06-28T12:54:00.000Z","dependencies_parsed_at":"2023-04-13T20:47:43.678Z","dependency_job_id":null,"html_url":"https://github.com/databricks/security-bucket-brigade","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/databricks/security-bucket-brigade","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databricks%2Fsecurity-bucket-brigade","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databricks%2Fsecurity-bucket-brigade/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databricks%2Fsecurity-bucket-brigade/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databricks%2Fsecurity-bucket-brigade/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/databricks","download_url":"https://codeload.github.com/databricks/security-bucket-brigade/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databricks%2Fsecurity-bucket-brigade/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265562326,"owners_count":23788507,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T02:36:13.825Z","updated_at":"2025-07-17T03:08:40.258Z","avatar_url":"https://github.com/databricks.png","language":"JavaScript","readme":"# Bucket Brigade\n\nWhat do you do in the face of sensitive data exposure in public-facing S3 buckets? Call in the **Bucket Brigade**\n\n---\n\n**Quick Start**: To get immediate real-time monitoring enabled for your public S3 buckets, go [here](./Tools/s3-secrets-scanner/README.md).\n\n---\n\nAfter experiencing a potential accidental exposure of sensitive information in one of our intentionally public S3 buckets, we realized a full audit of our bucket policies and process was in order. What resulted was a lengthy process of back-and-forth communications, negotiations with account owners, policy definitions, and tool development.\n\nHoping to help others avoid the same things that slowed us down, we're sharing not only the tools we created/used, but also the process and communications. 
This repository provides a holistic approach to solving the problem of \"How do I get on top of secrets in my public S3 buckets and stay on top?\" Each portion of the solution is broken into parts within this repository.\n\nStart with the [Solution Write-up](./Documents/Solution-Write-up.md) in the \"Documents\" section below for an overview of the phases in the solution we created, and then use the communication templates and tools to implement your approach to a secure S3 state.\n\n## Documents\n\n1. [Solution Write-up](./Documents/Solution-Write-up.md)\n\n## Policies\n\n- [Public Access Block for Cloud Resources](./Documents/Cloud-Custodian-Policy.md)\n- [Exception for Public Access Block](./Documents/Public-Access-Exception-Policy.md)\n- [Cloud Tagging Policy](./Documents/Cloud-Tagging-Policy.md)\n\n## Communications\n\n- ✉️ Cloud Custodian Public Access Block ([Leadership](./Communications/Custodian-Public-Access-Block-Leadership_Email-Template.md), [General](./Communications/Custodian-Public-Access-Block-General_Email-Template.md))\n- ✉️ \"Owner\" Tag Enforcement ([Leadership](./Communications/Tag-Enforcement-Leadership_Email-Template.md), [General](./Communications/Tag-Enforcement-General_Email-Template.md))\n\n## Tools\n\n1. **[S3 Scan](./Tools/s3_scan/README.md)**\n1. **[S3-Secrets-Scanner](./Tools/s3-secrets-scanner/README.md)**\n1. **[Cloud Custodian Policies / Functions](./Tools/CloudCustodian/README.md)**\n\n## Related Tools / Resources\n\n- [Cloud Custodian](https://cloudcustodian.io/docs/index.html?button=documentation)\n\n  \"Cloud Custodian is a tool that unifies the dozens of tools and scripts most organizations use for managing their public cloud accounts into one open source tool. It uses a stateless rules engine for policy definition and enforcement, with metrics, structured outputs and detailed reporting for clouds infrastructure. 
It integrates tightly with serverless run-times to provide real time remediation/response with low operational overhead.\"\n\n- [JupiterOne](https://jupiterone.com/)\n\n  JupiterOne is a tool for centralizing security operations and compliance for cloud platforms. In the context of this project, it provides a way to inventory AWS resources - even across multiple AWS accounts - and query the state. Once configured, a simple query can show which buckets are publicly exposed.\n\n- [Cartography](https://github.com/lyft/cartography/)\n\n  Cartography is an open source tool that provides the ability to inventory AWS resources in an easy-to-query graph. This tool is an open-source alternative to JupiterOne.\n\n- YAR: Git Secret Scanner _(No longer available)_\n\n  YAR was designed to be a Github scanning tool, to scan the complete commit history of a repo for secrets. Our team repurposed it internally to do quick bucket scanning by cloning the bucket and initializing a Git repo at the root. This provided a simple way to use the existing pattern matching to find secrets with only small modifications.\n\n## License\n\nThis repository, all documents and underlying tools are licensed under the [MIT license](./LICENSE.txt), with the exception of the [S3 Scan](./Tools/s3_scan/README.md) tool, which is licensed under [GPL v3 license](./Tools/s3_scan/LICENSE.txt), consistent with the licensing for the YAR tool it uses.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatabricks%2Fsecurity-bucket-brigade","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdatabricks%2Fsecurity-bucket-brigade","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatabricks%2Fsecurity-bucket-brigade/lists"}