FileCatalyst leak
| Recommendation | Rationale | Implementation Steps |
|----------------|-----------|----------------------|
| | Verify that no bucket is publicly accessible. | • Run `aws s3api get-bucket-acl` for each bucket. • Use AWS Config rule `s3-bucket-public-read-prohibited`. • Document ownership and purpose. |
| Enforce Least-Privilege IAM Policies | Prevent unauthorized writes/reads. | • Use IAM roles scoped to specific prefixes (`fc/staging/<customer-id>/`). • Rotate IAM credentials quarterly. |
| Enable Server-Side Encryption (SSE-S3 or SSE-KMS) | Protect data at rest even if the bucket is accidentally exposed. | • Set bucket default encryption. • Require KMS keys for sensitive workloads. |
| Integrate Cloud-Native DLP | Detect and block upload of PII or confidential files to staging. | • Deploy Amazon Macie with custom identifiers for CAD files, media assets, etc. • Set alerts on policy violations. |
| Adopt Signed URL Expiration ≤ 15 minutes | Limits the exposure window if URLs are leaked. | • Adjust FileCatalyst configuration to generate short-TTL URLs. • Review and test expiration behavior. |
| Monitoring Layer | Status Pre-Incident | Gap |
|------------------|---------------------|-----|
| | No automated inventory of S3 bucket ACLs. | Missed public-read flag. |
| Data-loss-prevention (DLP) | DLP policies applied only to on-prem file shares. | No coverage for cloud staging. |
| FileCatalyst logs | Logs recorded transfer events, not bucket policies. | No alert for insecure configuration. |
| Third-party security tools | No active Amazon Macie or AWS Config rules. | Missed classification of sensitive data in the public bucket. |
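The first recommendation above (verify that no bucket is publicly accessible) and the first monitoring gap (no automated inventory of bucket ACLs) call for the same control, so here is an added example, not code from the page or from FileCatalyst/OpenText: a small Python check that parses the JSON produced by `aws s3api get-bucket-acl` and flags any grant to the AllUsers or AuthenticatedUsers groups. The bucket names and ACL documents are constructed samples.

```python
from __future__ import annotations
import json

# Grantee URIs that make an S3 ACL readable by anyone on the internet
# (AllUsers) or by any AWS account holder (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Any of these permissions on a public group is a finding (READ alone is the
# "public-read flag" the monitoring table says was missed).
RISKY_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl: dict) -> list[tuple[str, str]]:
    """Return (grantee URI, permission) pairs that expose the bucket to a public group.
    `acl` is the document returned by `aws s3api get-bucket-acl --bucket <name>`."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            if grant.get("Permission") in RISKY_PERMISSIONS:
                findings.append((grantee["URI"], grant["Permission"]))
    return findings


def audit_buckets(acls_by_bucket: dict[str, dict]) -> dict[str, list[tuple[str, str]]]:
    """Inventory every bucket ACL and return only the buckets that have public grants."""
    return {name: g for name, acl in acls_by_bucket.items() if (g := public_grants(acl))}


# Constructed sample ACLs in get-bucket-acl output format (hypothetical buckets).
SAMPLE_ACLS = {
    "fc-staging-private": json.loads("""{
        "Owner": {"ID": "EXAMPLE-OWNER-ID"},
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
                    "Permission": "FULL_CONTROL"}]}"""),
    "fc-staging-public": json.loads("""{
        "Owner": {"ID": "EXAMPLE-OWNER-ID"},
        "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
                    "Permission": "FULL_CONTROL"},
                   {"Grantee": {"Type": "Group",
                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}]}"""),
}

if __name__ == "__main__":
    for bucket, grants in audit_buckets(SAMPLE_ACLS).items():
        print(f"PUBLIC: {bucket}: {grants}")
```

For a live inventory, feed `audit_buckets` the JSON from `aws s3api get-bucket-acl` for each bucket listed by `aws s3api list-buckets`. ACLs are only one exposure path; bucket policies and Block Public Access settings need the same inventory, which is what the `s3-bucket-public-read-prohibited` Config rule in the recommendations table evaluates.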
FileCatalyst (formerly , acquired by Open Text in 2021) provides high-speed file transfer and acceleration over wide-area networks. Core capabilities include: