Customer Controlled Amazon S3

Our platform runs on Amazon Web Services (AWS). The data that gets submitted to create the reports, which our system builds for you, is stored on AWS’s Simple Storage Service (S3). We have the option for that data to be stored on your own S3 bucket rather than ours. All of the requests for that data then must pass through the “S3 Gatekeeper”.

The information is securely transmitted (HTTPS/TLS) and stored encrypted (AES256) in the cloud on the Amazon Web Services (AWS) storage platform: Amazon S3 (S3). By default, the data is stored on a set of S3 buckets that are controlled by Tier 2 Tickets. Upon request, we can change this hosting to an AWS instance that is owned and controlled by the customer.

For the software to function, we want the ability to access these files so ticket reports have the data they need, but we also want to bar any unauthorized access. In comes the Gatekeeper.

S3 Gatekeeper

The S3 Gatekeeper is a piece of code that now sits at the heart of the Tier 2 Tickets™ software. The job of the gatekeeper is to cryptographically verify every request that passes through it. It is the sole means by which data is sent to the S3 buckets and by which data leaves the S3 buckets. We took some pages out of Bitcoins’ playbook and implemented Miltisig. Each transaction (either a GetObject or PutObject) requires two digital signatures. One of the signatures is generated by us on our servers. The other one is generated by the gatekeeper, which sits on the AWS account owned by the customer. We decide whether to sign the request based on the authentication to our website. The gatekeeper decides based on a user-configurable ACL. The ACL supports IP based whitelisting and blacklisting.

We could have switched to just pulling that content from the gatekeeper, but then your data would have needed to flow through our servers to get rendered. That would just not do; we should not access your data ever. So we designed the report page so that all of the communication with the gatekeeper is done client-side and fetched with JavaScript. JavaScript then renders the page.

The end result is that you can blacklist even OUR servers’ IPs and everything continues to function as it should. Moreover, every transaction that takes place on the gatekeeper is put into a searchable audit log database that the customer has full control of in their AWS account.

We have open-sourced the gatekeeper codebase on GitHub because we want to encourage peer-review of this vital piece of security software and we want the customers to know, without a doubt, that there are no loopholes and that their data is as safe as it should be. We also think the gatekeeper concept can help other products from other companies keep customer data safe and help meet regulatory compliances around the world.

Apart from logging into the S3 bucket directly, the only access anyone has with the data is through the Gatekeeper. This access is limited to countries that we operate in by default, (United States & Canada, United Kingdom, Australia, New Zealand, Ireland, Netherlands,) and is customizable.

If you are interested in moving to your own bucket please contact support.