Datadog uses a graph processing framework to map relationships between cloud resources to determine whether they are accessible from the internet. This guide outlines the logic used to classify resources as publicly accessible within the graph framework.

For more information on network reachability, see the AWS documentation and the AWS Network Reachability Analyzer. Currently, the Is Publicly Accessible facet is only available for AWS resources.

Resource dependency graph

The following diagrams show how related resources are used to determine whether other resources are publicly accessible. For example, an AWS CloudTrail Trail stored in a public Amazon S3 bucket is itself publicly accessible. If a resource is publicly accessible because of another resource, the relationship is shown in the Cloud Security Management Misconfigurations resource relationships graph.

Note: Not all resources with the Publicly Accessible attribute are shown in these diagrams.

AWS

A graph diagram showing the relationships between resources that are used to determine public accessibility for AWS

Azure

A graph diagram showing the relationships between resources that are used to determine public accessibility for Azure

Google Cloud

A graph diagram showing the relationships between resources that are used to determine public accessibility for Google Cloud

AWS public accessibility logic by resource

Amazon S3 bucket

An S3 bucket (aws_s3_bucket) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| The bucket policy allows the s3:GetObject permission unconditionally, with resource and principal set to "*". | This defines a public policy on the bucket, meaning that unauthenticated access is allowed. "*" is a wildcard, meaning access is given to any resource and principal. |
| Neither the bucket’s public_access_block_configuration nor the AWS account’s public access block (aws_s3_account_public_access_block) has restrict_public_buckets set to true. | Neither the bucket nor the account explicitly blocks public access, meaning that the public bucket policy takes effect. |

See Blocking public access to your Amazon S3 storage for more information.
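The two S3 criteria above can be checked against a bucket policy document as follows. This is an added example, not Datadog's implementation; the function names, the acceptance of action wildcards such as "s3:Get*", and the treatment of a resource ARN ending in "/*" as equivalent to "*" are assumptions.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    # A policy can write the wildcard as "*" or as {"AWS": "*"} / {"AWS": ["*"]}.
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def statement_is_public_read(stmt):
    """Criterion 1: Allow s3:GetObject to any principal, with no Condition."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    if not _is_wildcard_principal(stmt.get("Principal")):
        return False
    # Assumption: a resource of "*" or an ARN ending in "/*" covers the objects.
    resources = _as_list(stmt.get("Resource", []))
    if not any(r == "*" or r.endswith("/*") for r in resources):
        return False
    # IAM action names are case-insensitive and may use wildcards ("s3:*", "s3:Get*").
    actions = _as_list(stmt.get("Action", []))
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in actions)

def bucket_is_public(policy, bucket_pab=None, account_pab=None):
    """Criterion 2: neither public access block sets restrict_public_buckets."""
    for pab in (bucket_pab, account_pab):
        if pab and pab.get("restrict_public_buckets"):
            return False
    statements = _as_list((policy or {}).get("Statement", []))
    return any(statement_is_public_read(s) for s in statements)

# Constructed sample policy for a hypothetical bucket named "example-logs".
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:Get*", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-logs/*",
    }],
}
# Same statement restricted by a Condition, so it is no longer unconditional.
CONDITIONAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [dict(PUBLIC_POLICY["Statement"][0],
                       Condition={"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}})],
}

if __name__ == "__main__":
    print(bucket_is_public(PUBLIC_POLICY))
    print(bucket_is_public(PUBLIC_POLICY, account_pab={"restrict_public_buckets": True}))
    print(bucket_is_public(CONDITIONAL_POLICY))
```

The check covers only the two criteria in the table; it does not evaluate explicit Deny statements or ACLs.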

AWS CloudTrail trail

A CloudTrail trail (aws_cloudtrail_trail) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| The trail’s s3_bucket_name is set to an S3 bucket that is considered publicly accessible. | CloudTrail Trails are log files that are delivered to S3 buckets. If the trail is stored in a public S3 bucket, then that trail is publicly accessible. |

Amazon VPC subnet

A subnet (aws_subnet) is considered public if:

| Criteria | Explanation |
| --- | --- |
| It’s connected to one or more route tables that are connected to an Internet gateway and that route to a destination CIDR block of "0.0.0.0/0", or an IPv6 CIDR block of "::/0". | The route table attached to this subnet routes egress traffic through an internet gateway, meaning resources in the subnet can access the public internet. |
| It’s connected to one or more network ACLs that have at least one ingress and at least one egress entry that have a CIDR block of "0.0.0.0/0", or an IPv6 CIDR block of "::/0". | Network ACLs control traffic that can leave or enter the subnet at the subnet level. When a network ACL rule allows ingress traffic from the Internet and allows egress traffic to ephemeral ports, it allows resources in the subnet to be exposed to the Internet if they are assigned a public IP and their security group allows it. |

See Subnets for your VPC for the AWS definition of a public subnet.

Amazon Redshift cluster

A Redshift cluster (aws_redshift_cluster) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| It has publicly_accessible set to true in its configuration. | See Managing clusters in a VPC. |
| It’s in a public VPC. | A public VPC is a VPC with at least one public subnet, connected to one or more network ACLs that have at least one ingress and at least one egress entry that have a CIDR block of "0.0.0.0/0", or an IPv6 CIDR block of "::/0". |
| It’s associated with a security group that has rules allowing access from a CIDR range of "0.0.0.0/0", or an IPv6 CIDR range of "::/0". | A security group controls inbound traffic to a VPC. With an open CIDR range, all IP addresses are able to gain access. |
| It’s connected to one or more route tables that are connected to an Internet gateway, and that route to a destination CIDR block of "0.0.0.0/0", or an IPv6 CIDR block of "::/0". | The route table attached to this subnet routes egress traffic through an Internet gateway, meaning resources in the subnet can access the public Internet. |

See Make a private Amazon Redshift Cluster publicly accessible for more information about Redshift Clusters and public accessibility.

Amazon RDS DB instance

An RDS DB instance (aws_rds_instance) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| It has publicly_accessible set to true in its connectivity configuration. | This setting makes the DB publicly accessible, meaning its DNS endpoint will resolve to the private IP address within its VPC, and a public IP address from outside the VPC. However, access to the cluster will still be controlled by a related security group. |
| It’s in a public subnet. | - |
| It’s associated with a security group that has rules allowing access from a CIDR range of "0.0.0.0/0", or an IPv6 CIDR range of "::/0". | A security group controls inbound traffic to a VPC. With an open CIDR range, all IP addresses are able to gain access. |

See Fix connectivity to an RDS DB instance that uses a VPC’s subnet for more information about public access to an RDS DB Instance.

Amazon RDS DB snapshot

An RDS DB snapshot (aws_rds_db_snapshot) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| It has an attribute set to "restore" with an attribute value set to "all". | If you set DB snapshot visibility to Public, all AWS accounts can restore a DB instance from your manual DB snapshot and have access to your data. |

See Sharing a DB snapshot for more information.

Amazon Elastic Load Balancer

An ELB (aws_elbv2_load_balancer) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| The scheme is set to internet-facing. | The scheme determines whether the load balancer is an internal load balancer or an Internet-facing load balancer. |
| It is associated with a security group that has rules allowing access from a CIDR range of "0.0.0.0/0", or an IPv6 CIDR range of "::/0". | A security group controls inbound traffic to a VPC. With an open CIDR range, all IP addresses are able to gain access. |

See Create an Application Load Balancer for more information about Internet-facing load balancers.

Amazon EC2 instance

An EC2 Instance (aws_ec2_instance) is considered publicly accessible if:

  • “Public subnet”-determined access:
| Criteria | Explanation |
| --- | --- |
| It has one or more public IP addresses. | A public IP address allows your instance to be reached from the internet. |
| It’s in a public subnet. | - |
| It’s associated with a security group that has rules allowing access from a CIDR range of "0.0.0.0/0", or an IPv6 CIDR range of "::/0". | A security group controls inbound traffic to a VPC. With an open CIDR range, all IP addresses are able to gain access. |

OR

  • ELB-determined access through autoscaling group:
| Criteria | Explanation |
| --- | --- |
| A security group (for example, SG1) attached to the load balancer is publicly accessible and allows ingress traffic to some port X. | This opens the load balancer to incoming traffic from the Internet on a specific port. |
| The load balancer has a listener accepting traffic on port X. | A listener is a process that checks for connection requests, using the protocol and port that you configure. |
| The load balancer has a target group forwarding traffic to some port Y. | Target groups route requests to one or more registered targets, such as EC2 instances, on a protocol and port that you specify. |
| An autoscaling group is attached to the load balancer’s target group. | - |
| The EC2 instance is part of the autoscaling group, and has a security group that has at least one rule that allows ingress traffic from port Y, either from 0.0.0.0/0, from the CIDR of the VPC (for example, 10.0.0.0/8), or from the security group of the load balancer (SG1). | This opens the EC2 instance to traffic coming from the load balancer. The security group must allow traffic from the load balancer, and thus must be open either to all IPs, all IPs in the VPC, or that specific security group. |

OR

  • ELB-determined access through target group alone:
| Criteria | Explanation |
| --- | --- |
| Criteria 1, 2 and 3 from above (ELB-determined access through autoscaling group) apply. | - |
| The EC2 instance is listed as a target of the target group, and has a security group that has at least one rule that allows ingress traffic from port Y, either from 0.0.0.0/0, from the CIDR of the VPC (for example, 10.0.0.0/8), or from the security group of the load balancer (SG1). | Because the instance is listed as a target of the target group, the load balancer can forward traffic to it through port Y. The security group allows traffic from the load balancer. |

See Authorize inbound traffic for your Linux instances for more information about EC2 Instances and public access. See Example: VPC with servers in private subnets and NAT for an example of EC2 instances that are exposed through a load balancer.
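The two ELB-determined paths above amount to a walk from the load balancer's security group to the instance's security group. The sketch below is an added example, not Datadog's implementation; the dictionary layout (listeners holding their target groups, rules with a single `source` field) and all names are assumptions made for illustration.

```python
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def sg_allows(sg, port, sources):
    """True if an ingress rule of `sg` covers `port` from any of `sources`
    (CIDR strings or security group ids)."""
    return any(r["from_port"] <= port <= r["to_port"] and r["source"] in sources
               for r in sg["ingress"])

def exposed_via_elb(instance, lb, sgs, vpc_cidr):
    """Return (X, Y) for the first listener port X and target port Y through
    which the internet reaches `instance`, or None if no such path exists."""
    for listener in lb["listeners"]:                  # listener on port X
        x = listener["port"]
        # Load balancer security groups (SG1) open to the internet on port X.
        sg1 = {sid for sid in lb["security_groups"]
               if sg_allows(sgs[sid], x, OPEN_CIDRS)}
        if not sg1:
            continue
        for tg in listener["target_groups"]:          # target group on port Y
            y = tg["port"]
            in_asg = instance.get("autoscaling_group") in tg["autoscaling_groups"]
            is_target = instance["id"] in tg["targets"]
            if not (in_asg or is_target):
                continue
            # The instance must accept port Y from anywhere, from the VPC CIDR,
            # or from the load balancer's security group.
            allowed = OPEN_CIDRS | {vpc_cidr} | sg1
            if any(sg_allows(sgs[sid], y, allowed)
                   for sid in instance["security_groups"]):
                return (x, y)
    return None

# Constructed sample inventory; every id and CIDR below is made up.
VPC_CIDR = "10.0.0.0/16"
SGS = {
    "sg-lb":  {"ingress": [{"from_port": 443, "to_port": 443, "source": "0.0.0.0/0"}]},
    "sg-app": {"ingress": [{"from_port": 8080, "to_port": 8080, "source": "sg-lb"}]},
    "sg-db":  {"ingress": [{"from_port": 5432, "to_port": 5432, "source": "sg-app"}]},
}
LB = {
    "security_groups": ["sg-lb"],
    "listeners": [{"port": 443, "target_groups": [
        {"port": 8080, "autoscaling_groups": ["asg-web"], "targets": ["i-direct"]},
    ]}],
}
WEB = {"id": "i-web", "autoscaling_group": "asg-web", "security_groups": ["sg-app"]}
DIRECT = {"id": "i-direct", "security_groups": ["sg-db"]}  # target, SG closed on 8080
DB = {"id": "i-db", "security_groups": ["sg-app"]}         # SG open, not a target

if __name__ == "__main__":
    for inst in (WEB, DIRECT, DB):
        print(inst["id"], exposed_via_elb(inst, LB, SGS, VPC_CIDR))
```

The VPC CIDR is matched as an exact string here; a rule written with a wider or narrower range than the VPC's own CIDR would need a containment check.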

Amazon Elasticsearch Domain

An Elasticsearch Domain (aws_elasticsearch_domain) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| It has an endpoint that matches the regex pattern ^search-.*\.es\.amazonaws\.com$. | This is the form taken by endpoints for domains that are publicly accessible. |

See Launching your Amazon OpenSearch Service domains within a VPC for more information about making your Elasticsearch domain no longer publicly accessible.

Amazon Machine Images (AMI)

A Machine Image (aws_ami) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| It is customer-owned, which means it does not have an aliased owner (either amazon or aws-marketplace in the account field). | Public AMIs owned by verified providers (either Amazon or verified partners) have an aliased owner, which appears as amazon or aws-marketplace in the account field. See Find a shared AMI in the AWS docs. |
| Its image is set to public, meaning that the launch permissions for the image are public. | By modifying the launchPermission property of an AMI, you can make the AMI public (which grants launch permissions to all AWS accounts), or share it with only the AWS accounts that you specify. |

See Make an AMI public for an explanation of how to make an AMI public or private.

Amazon EBS snapshots

An EBS snapshot (aws_ebs_snapshot) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| create_volume_permission is set to all. | Each snapshot contains all of the information that is needed to restore the snapshot’s data to a new EBS volume. If anyone can create a volume from the snapshot, that information is publicly accessible. |

See Share an Amazon EBS snapshot for information about public EBS snapshots and how to make them private.

Amazon EKS clusters

An EKS cluster (aws_eks_cluster) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| endpoint_public_access is set to true in the cluster’s configuration. | This setting makes the cluster publicly accessible when combined with an open public CIDR. |
| The cluster’s public_access_cidrs contains an open CIDR block ("0.0.0.0/0"). | You can limit the CIDR blocks that can access the public endpoint of the EKS cluster. An open CIDR block means anyone on the internet can access the endpoint. |

See Amazon EKS cluster endpoint access control for more information on public EKS clusters.

Amazon SQS queue

An SQS queue (aws_sqs_queue) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| The queue has a policy that allows any principal (principal set to "*") to perform actions unconditionally (statement_has_condition set to false). | This setting makes the queue accessible to everyone in the world or to any authenticated AWS user. |

See Amazon SQS security best practices for more information about public SQS queues.

AWS Lambda function

A Lambda function (aws_lambda_function) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| The function has a policy that allows any principal (principal_policy or principal_aws) set to "*". | This setting makes the function accessible to everyone in the world or to any authenticated AWS user. |

See Best practices for working with AWS Lambda functions for more information about public Lambda functions.

Azure public accessibility logic by resource

Azure Network Security Group (NSG)

An Azure NSG (azure_security_group) grants public access if:

| Criteria | Explanation |
| --- | --- |
| The security group has rules with protocol tcp, udp or *. | These are the protocol values that are relevant for determining public access for Azure resources. |
| The security group has inbound rules with access set to Allow. | This value indicates that the rule is allowing inbound traffic. |
| The security group has rules with source_address_prefix equal to *, 0.0.0.0, /0, ::/0, internet, or any. | These CIDR prefixes allow access to the internet. |
| The rules which match the above properties combine with any other Deny rules of higher priority to open at least one port to the Internet. | See Security rules to learn how Azure combines security group rules to calculate access. |

For details on how Azure NSGs allow and deny Internet access for a resource, see Network Security Groups.
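The fourth NSG criterion, where Allow rules only count for ports not already decided by a higher-priority rule, can be worked through as below. This is an added example, not Datadog's implementation; the rule field names other than source_address_prefix, and the reading of "/0" as a suffix match, are assumptions.

```python
PUBLIC_SOURCES = {"*", "0.0.0.0", "internet", "any"}
PROTOCOLS = ("tcp", "udp")

def _is_public_source(prefix):
    # Assumption: "/0" in the criteria is read as a suffix, which also
    # covers "0.0.0.0/0" and "::/0".
    p = prefix.lower()
    return p in PUBLIC_SOURCES or p.endswith("/0")

def _ports(port_range):
    """Expand "*", "22" or "1000-2000" into a set of port numbers."""
    if port_range == "*":
        return set(range(0, 65536))
    lo, _, hi = port_range.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def internet_open_ports(rules):
    """Return {"tcp": ports, "udp": ports} reachable from the internet.
    Azure evaluates rules in ascending priority number and the first match
    wins, so a port already decided by an earlier rule is not reopened."""
    decided = {p: set() for p in PROTOCOLS}
    opened = {p: set() for p in PROTOCOLS}
    relevant = [r for r in rules
                if r["direction"].lower() == "inbound"
                and _is_public_source(r["source_address_prefix"])]
    for rule in sorted(relevant, key=lambda r: r["priority"]):
        proto = rule["protocol"].lower()
        protos = PROTOCOLS if proto == "*" else tuple(p for p in PROTOCOLS if p == proto)
        ports = _ports(rule["destination_port_range"])
        for p in protos:
            if rule["access"].lower() == "allow":
                opened[p] |= ports - decided[p]
            decided[p] |= ports
    return opened

def nsg_grants_public_access(rules):
    return any(internet_open_ports(rules).values())

# Constructed sample rules; the TCP Deny at priority 100 shadows TCP/22 only.
RULES = [
    {"priority": 100, "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
     "source_address_prefix": "*", "destination_port_range": "22"},
    {"priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "*",
     "source_address_prefix": "Internet", "destination_port_range": "22"},
    {"priority": 300, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "source_address_prefix": "0.0.0.0/0", "destination_port_range": "443"},
    {"priority": 400, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "source_address_prefix": "10.0.0.0/8", "destination_port_range": "3389"},
]

if __name__ == "__main__":
    print(internet_open_ports(RULES), nsg_grants_public_access(RULES))
```

Deny rules scoped to a specific source range are ignored here, since they do not shadow a port for the internet as a whole.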

Azure Virtual Machine Instance

A Virtual Machine Instance (azure_virtual_machine_instance) is considered publicly accessible if:

  • Attached to Network Security Group allowing public access:
| Criteria | Explanation |
| --- | --- |
| The virtual machine instance has a public IP address attached to one of its network interfaces. | A public IP is required for Internet access to a virtual machine instance. |
| The virtual machine instance has a network security group granting public access attached to one of its network interfaces. | To learn more about how a network can grant public access, see Azure Network Security Group (NSG). |

OR

  • Has Public IP with SKU “Basic”:
| Criteria | Explanation |
| --- | --- |
| The virtual machine instance has a public IP address with SKU Basic attached to its network interface. | A public IP address with SKU basic is open by default (see Public IP addresses). |
| The virtual machine instance has no attached network security groups. | If no network security groups are attached, then there are no rules blocking access through the open public IP address. |

To learn more about Azure Virtual Machine Instances and public access, see Associate a public IP address to a virtual machine.

Azure Storage blob container

A Storage blob container (azure_storage_blob_container) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| The storage blob container’s storage account has no allow_blob_public_access attribute, or has the attribute set to true. | This means that the account allows public Internet access to Azure Blob Storage. To learn more about configuring anonymous read access with Azure Storage Accounts, see Configure anonymous read access for containers and blobs. |
| The storage blob container’s public_access attribute is set to blob or container. | This means that the account allows public Internet access to Azure Blob Storage. |
| The storage blob container is part of a storage account that does not explicitly block public access. | When a Storage Account doesn’t explicitly block public access, Storage Blob Containers inside it can be made public. |

To learn more about disallowing blob public access on Azure Storage accounts, see Choose to allow or disallow blob public access on Azure Storage accounts.

Azure Kubernetes Service (AKS) cluster

An AKS cluster (azure_aks_cluster) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| enable_private_cluster is set to false in the cluster’s configuration. | This setting makes the cluster publicly accessible when combined with an open public CIDR. |
| The cluster’s authorized_ip_ranges contains an open CIDR block ("0.0.0.0/0") or is unset. | An open CIDR block means anyone on the internet can access the endpoint. |

See AKS best practices for more information on public AKS clusters.

Google Cloud Public accessibility logic by resource

Google Cloud Compute firewall

A Compute Firewall (gcp_compute_firewall) grants public access if:

| Criteria | Explanation |
| --- | --- |
| The firewall has one or more rules whose protocol is TCP or all and which have 0.0.0.0/0 or ::/0 in their source_ranges. | These CIDR prefixes allow access from the Internet, and are the protocol values that are relevant for determining public access. |
| The firewall’s direction is ingress. | This means that the firewall is relevant for inbound access from the Internet. |

For more information about using Compute firewalls, see Choose to allow or disallow blob public access on Azure Storage accounts.

Google Cloud Compute instance

A Compute instance (gcp_compute_instance) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| The compute instance has a public IP address, meaning at least one of its network interfaces has a public IP address defined in its access configurations. | To learn more about adding an external IP to a compute instance, see Reserve a static external IP address. |
| The compute instance has associated firewall rules that combine to open some range of ports to the internet. The firewall rules can be associated with the instance by: (1) having no target_tags or target_service_accounts, meaning the rule applies to the whole network; (2) having target_service_accounts associated with one of the compute instance’s service_accounts; (3) having some target_tags that match the compute instance’s network tags. The rules should grant public access (see Google Cloud Compute Firewall). | To learn how compute firewall rules are used to restrict port ranges for a compute instance, see Firewall rule components. |

Learn more about how compute firewall rules are used to restrict port ranges for a compute instance here.

Google Cloud BigQuery dataset

A BigQuery dataset (gcp_bigquery_dataset) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| The dataset has an IAM policy attached that has a member value of either AllUsers or AllAuthenticatedUsers. | These members allow anyone on the internet to access the database. See IAM overview for more information. |
| The dataset has an IAM policy attached that binds it to one of the following roles: roles/viewer, roles/owner, roles/editor, roles/bigquery.admin, roles/bigquery.metadataviewer, roles/bigquery.dataowner, roles/bigquery.dataeditor, roles/bigquery.dataviewer, or roles/bigquery.user. | These roles allow the person who accesses the resource to perform dangerous operations on the database. See the role reference for more information. |

Learn more about BigQuery datasets.

Google Cloud Storage bucket

A Storage Bucket (gcp_storage_bucket) is considered publicly accessible if:

| Criteria | Explanation |
| --- | --- |
| The bucket has an IAM policy attached that has a member value of either AllUsers or AllAuthenticatedUsers. | These members allow anyone on the Internet to access the database. See more here. |
| The bucket has public_access_prevention set to inherited in its iam_configuration. | This setting blocks public access if set to enforced. For more information about the public access prevention setting, see Public access prevention. |
| The bucket has an IAM policy attached that binds it to one of the following roles: roles/backupdr.cloudstorageoperator, roles/bigquerymigration.worker, roles/cloudbuild.builds.builder, roles/clouddeploy.jobrunner, roles/cloudmigration.storageaccess, roles/cloudtestservice.testadmin, roles/cloudtestservice.testviewer, roles/composer.environmentandstorageobjectadmin, roles/composer.environmentandstorageobjectuser, roles/composer.environmentandstorageobjectviewer, roles/composer.worker, roles/config.agent, roles/container.nodeserviceaccount, roles/dataflow.admin, roles/dataflow.worker, roles/dataplex.storagedataowner, roles/dataplex.storagedatareader, roles/dataproc.hubagent, roles/dataproc.worker, roles/firebase.admin, roles/firebase.developadmin, roles/firebase.developviewer, roles/firebase.viewer, roles/firebaserules.system, roles/managedidentities.domaincontrolleroperator, roles/storage.admin, roles/storage.legacyobjectowner, roles/storage.legacyobjectreader, roles/storage.objectadmin, roles/storage.objectuser, roles/storage.objectviewer. | These roles allow the person who accesses the resource to perform dangerous operations on the bucket. See the role reference for more information. |

Explore more information about making storage buckets public here.

Further Reading