Search code examples
amazon-web-servicesamazon-s3boto3aws-iam-access-analyzer

Who has access to my S3 bucket and its objects?

How can I easily and accurately evaluate access permissions via the Amazon S3 management console or from boto3, to ensure that I am the only person who has access to my bucket and all of its objects?

I am aware that access to my bucket/objects can be given either through a Bucket Policy or ACL. However, ACL access can be given per object, so it is not clear to me how to fully review who has access, even to a single object in the bucket.

Solution

  • It's not easy.

    First, let's review the ways that permission might be granted:

    • Access Control Lists (ACLs) are object-level permissions that can grant public access, or access to a specific user. They are a remnant of the early way that Amazon S3 worked and can be annoying to manage. In fact, a new feature was recently made available that allows ACLs to be disabled -- and that's what AWS recommends!

    S3 Edit Object Ownership

    • Bucket Policies allow permissions to be assigned to a bucket, or a path within a bucket. This is a great way to make a bucket public and the only way to provide cross-account access to a bucket.
    • IAM Policies can be applied to an IAM User, IAM Group or IAM Role. These policies can grant permission to access Amazon S3 resources within the same account. This is a great way to assign permissions to specific IAM Users rather than doing it via a Bucket Policy.

    The Amazon S3 console does allow you to Review bucket access using Access Analyzer for S3:

    Access Analyzer for S3 alerts you to S3 buckets that are configured to allow access to anyone on the internet or other AWS accounts, including AWS accounts outside of your organization. For each public or shared bucket, you receive findings into the source and level of public or shared access. For example, Access Analyzer for S3 might show that a bucket has read or write access provided through a bucket access control list (ACL), a bucket policy, a Multi-Region Access Point policy, or an access point policy. Armed with this knowledge, you can take immediate and precise corrective action to restore your bucket access to what you intended.

    However, it won't give you a full list of who can access which buckets.

    You want to "ensure that you are the only one who has access to the bucket" -- this would require checking the Bucket Policy and the permissions of all IAM Users. There's no short-cut for doing this.