Customer-Owned AWS Buckets

Our platform runs on Amazon Web Services (AWS). The data that gets submitted to create the reports wich our system builds for you is stored on AWS’s Simple Storage Service (S3). We have the option for that data to be stored on your own S3 bucket rather than ours. All of the requests for that data then must pass through the “S3 Gatekeeper”.

The S3 Gatekeeper is a piece of code that now sits at the heart of v0.4 of the helpdeskbuttons software. The job of the gatekeeper is to cryptographically verify every request that passes through it. It is the sole means by which data is sent to the S3 buckets and by which data leaves the S3 buckets. Each transaction (Either a GetObject or PutObject) requires two digital signatures. One of the signatures is generated by us, on our servers. The other one is generated by the gatekeeper, which sits on the AWS account owned by the customer. We decide whether to sign the request based on the authentication to our website. The gatekeeper decides based on a user-configurable ACL. The ACL supports IP based whitelisting and blacklisting.

We designed the report page so that all of the communication with the gatekeeper is done client-side and fetched with JavaScript. JavaScript then renders the page.

The end result is that you can blacklist even OUR servers IPs and everything continues to function as it should. Moreover, every transaction that takes place on the gatekeeper is put into a searchable audit log database that the customer has full control of in their AWS account.

We have open-sourced the gatekeeper codebase on our GitHub page. because we want encourage peer-review of this vital piece of security software and we want the customers to know without a doubt that there are no loopholes and that their data is as safe as it should be.

If you are interested in moving to your own bucket please contact support.