Auditing Your Backup Storage on Exoscale

Auditing Your Backup Storage on Exoscale

Profile picture for user AndrewAbwoga
Andrew Abwoga
13 August 2020

Exoscale’s S3 compatible storage gives you a wide array of options if you have to decide about the storage client that you are going to use. Unfortunately, Exoscale does not support security features like access logging, bucket policy, and bucket event notification. But aside from these, you get the support of other key security features such as Identity and Access Management (IAM) and Access Control List (ACLs) that can help you secure and keep track of access to your backup storage. You can also use other client-based setups to keep track of activities on your backup storage as we shall see.

Identification and Authentication

API Keys 

When accessing storage or other services from Exoscale’s platform you can make use of API keys. There are two types of API Keys on Exoscale, which are; User keys and IAM API Keys. 

User Keys

User Keys are specifically tied to your user account and the organization that you are in. Colleagues within your organization will have keys that are different from yours, and you will have different keys across for every organization that you are in.

User Keys are generated the moment you create an organization. To find your user keys: 

  1. Choose your organization on the top right corner of Exoscale’s management console.
  2. Go to Account -> Profile -> User Keys.

Exoscale recommends that you use User Keys for quick access to services when you are getting started with Exoscale. They recommend that you use the API Keys for more complex/programmatic operations.

IAM API Keys

Exoscale’s API keys give you the benefit of defining fine-grained permission controls. The keys can be generated using the management console or the exo cli. 

To create a new API key using exo cli you can use the command as below:

$ exo iam apikey create yourapikey

This will create an unrestricted key that you can use all of your operations to Exoscale’s services.

To create a restricted key to your object storage you can make use of the --operation parameter as below:

$ exo iam key apikey create key-restricted-to-bucket-name --operation “sos/getObject,sos/listBucket” --resource “sos/bucket:bucket-name”

The command above will restrict the keys to a specific bucket.

If you are using Backup Ninja you will have to specify the access key and secret key that you have generated as illustrated below.

Backup Ninja

Authorization

Access Control Lists (ACLs)

ACLs can get you to define specific permission at the bucket level and a single object level. Specifying permissions that way will allow you to specify a granular access policy that will be applied to your backup storage. You should also note that ACL’s are not inherited from parent objects are should be specified on individual objects.

Create an ACL

There are three ways that you can create ACLs. 

  • Using the Quick ACL menu you can specify ACLs for files or buckets.
  • You can also Edit ACLs manually by navigating through Account -> Profile -> API Keys
  • You can also use the s3cmd tool to set ACLs on objects using the options shown below:

 

  • --acl-public
  • --acl-private
  • --acl-grant=PERMISSION:ORGANIZATION_ID

     Below is an example of a command that you can use to apply the above ACL’s.

$ s3cmd setacl --acl-public s3://<bucket>/<object>

By using the ACL’s as described above you can specify any of the preset ACLs at the bucket level as shown below:

  • Private
  • Public-read
  • Public-read-write
  • Authenticated-read

View an ACL

To view ACLs applied on an object/bucket you can use the commands below:

$ s3cmd info s3://<bucket>/<object>/

Delete an ACL

To delete ACLs on an object, you need to edit the Object. You can do this by:

  1. Clicking on the Storage Menu.
  2. Navigate to the Object.
  3. Click on the Edit icon on the Object.
  4. Click on the Quick ACL menu and choose Private to revert to default settings.
  5. Finally, you can use the Manual Edit button to delete a specific entry.

Audit Logging

Unfortunately, logging is not supported on Exoscale, and in that case, you may be forced to seek other alternative methods to keep track of your storage activities. The most plausible means to take care of logging is by using a reverse proxy to your backup storage or a controlled client environment. Exoscales Storage API can help you create a client-setup that can help you to achieve logging programmatically. Should that be the case,  you may need to employ some programming skills to implement audit logging.

Backup Ninja also provides a controlled client environment for your file and database backups such that you can keep track of activities on the point of origin of your backups, your database server or some other server, onto your cloud or on-premise storage. With Backup Ninja, you get access to a web console that gives you a centralized view of all your backup storage activities.

Conclusion

  1. Keep your secret keys secret.
  2. Use a dedicated/customized client for audit logging for your backup storage operations in case the cloud provider does not provide a storage logging facility.
  3. Ensure you don’t expose your backup storage to the public if you don’t need to.
  4. Always review your ACLs to ensure that only users with appropriate permissions have access to your backup storage.