Fully Evaluate S3 Access
I am kinda new to S3 and I am aware that access to my bucket/objects can be given either through a bucket policy or an ACL. The thing is that ACL access can be given per object, so it is not clear to me how to fully review who has been given access, even to a single object in the bucket. My question is how can I easily and accurately evaluate that, either from the AWS web management console or from boto3, in order to ensure that I am the only one who has access to my bucket and all of its objects.
Answer
It's not easy.
First, let's review the ways that permission might be granted:
- Access Control Lists (ACLs) are object-level permissions that can grant public access, or access to a specific user. They are a remnant of the early way that Amazon S3 worked and can be annoying to manage. In fact, a new feature was recently made available that allows ACLs to be disabled -- and that's what AWS recommends!
- Bucket Policies allow permissions to be assigned to a bucket, or a path within a bucket. This is a great way to make a bucket public and the only way to provide cross-account access to a bucket.
- IAM Policies can be applied to an IAM User, IAM Group or IAM Role. These policies can grant permission to access Amazon S3 resources within the same account. This is a great way to assign permissions to specific IAM Users rather than doing it via a Bucket Policy.
The Amazon S3 console does allow you to Review bucket access using Access Analyzer for S3:
Access Analyzer for S3 alerts you to S3 buckets that are configured to allow access to anyone on the internet or other AWS accounts, including AWS accounts outside of your organization. For each public or shared bucket, you receive findings into the source and level of public or shared access. For example, Access Analyzer for S3 might show that a bucket has read or write access provided through a bucket access control list (ACL), a bucket policy, a Multi-Region Access Point policy, or an access point policy. Armed with this knowledge, you can take immediate and precise corrective action to restore your bucket access to what you intended.
However, it won't give you a full list of who can access which buckets.
You want to "ensure that you are the only one who has access to the bucket" -- this would require checking the Bucket Policy and the permissions of all IAM Users. There's no short-cut for doing this.
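To make the review the answer describes concrete, here is an added example (not code from the original question or answer) that interprets the three S3-side sources of access the answer lists. The two analysis functions work on the plain dict/JSON shapes that boto3 returns from `get_bucket_acl`, `get_object_acl` and `get_bucket_policy`, so they run here on constructed sample data with no AWS credentials. `audit_bucket()` at the end shows how to feed them from boto3 (assumed installed and configured; the bucket name and account ID are placeholders). It skips the per-object ACL walk when the bucket has ACLs disabled via `ObjectOwnership=BucketOwnerEnforced`, the setting the answer's first bullet refers to. IAM user, group and role policies in your own account are deliberately out of scope, as the answer says: they live in IAM, not on the bucket.

```python
"""Offline analysis of S3 ACLs and bucket policies for grants to anyone other
than the bucket owner.  Added example; the sample data below is constructed."""
import json

# Well-known grantee group URIs that S3 uses in ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_findings(acl, owner_id):
    """Return (severity, description) for every ACL grant not made to owner_id."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant["Grantee"], grant["Permission"]
        if grantee["Type"] == "Group":
            uri = grantee["URI"]
            if uri == ALL_USERS:
                findings.append(("public", f"{perm} to everyone (AllUsers)"))
            elif uri == AUTHENTICATED_USERS:
                findings.append(("public", f"{perm} to any AWS account (AuthenticatedUsers)"))
            else:  # e.g. the LogDelivery group
                findings.append(("shared", f"{perm} to group {uri}"))
        elif grantee["Type"] == "CanonicalUser":
            if grantee["ID"] != owner_id:
                findings.append(("shared", f"{perm} to canonical user {grantee['ID']}"))
        else:  # AmazonCustomerByEmail: another account, identified by e-mail
            findings.append(("shared", f"{perm} to {grantee.get('EmailAddress', '?')}"))
    return findings


def _principal_accounts(principal):
    """Yield the 12-digit account IDs (or '*') named by a statement's Principal.
    Only the 'AWS' key is handled; Service/Federated principals are ignored."""
    if principal == "*":
        yield "*"
        return
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    for value in ([values] if isinstance(values, str) else values):
        if value == "*":
            yield "*"
        elif value.startswith("arn:aws:iam::"):
            yield value.split(":")[4]  # arn:aws:iam::ACCOUNT:root|user/x|role/y
        else:
            yield value  # a bare account ID


def policy_findings(policy_json, own_account):
    """Return (severity, description) for Allow statements granted to '*' or to
    an account other than own_account.  A Condition (e.g. aws:PrincipalOrgID)
    can narrow a '*' principal, so such statements are flagged for manual review."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    findings = []
    for stmt in ([statements] if isinstance(statements, dict) else statements):
        if stmt.get("Effect") != "Allow":
            continue
        note = " (has Condition, review it)" if "Condition" in stmt else ""
        actions = stmt.get("Action", [])
        actions = ", ".join([actions] if isinstance(actions, str) else actions)
        sid = stmt.get("Sid", "?")
        for account in _principal_accounts(stmt.get("Principal", {})):
            if account == "*":
                findings.append(("public", f"{sid}: {actions} to Principal *{note}"))
            elif account != own_account:
                findings.append(("shared", f"{sid}: {actions} to account {account}{note}"))
    return findings


# Constructed sample responses in the shape boto3 returns (not real data).
OWNER_ID = "a" * 64
SAMPLE_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnAccountOnly", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerRead", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Principal": {"AWS": ["arn:aws:iam::222222222222:role/reader"]},
     "Resource": "arn:aws:s3:::example-bucket/*"}]})


def audit_bucket(bucket, own_account):
    """Live version: fetch ACLs and policy with boto3 and run the checks above.
    Object ACLs are only walked when the bucket has not disabled ACLs."""
    import boto3  # assumed installed and configured; not needed for the offline checks
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    report = {}
    bucket_acl = s3.get_bucket_acl(Bucket=bucket)
    owner = bucket_acl["Owner"]["ID"]
    report["bucket-acl"] = acl_findings(bucket_acl, owner)
    try:
        report["bucket-policy"] = policy_findings(s3.get_bucket_policy(Bucket=bucket)["Policy"], own_account)
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        report["bucket-policy"] = []
    try:  # BucketOwnerEnforced means ACLs are disabled and object ACLs cannot grant access
        rules = s3.get_bucket_ownership_controls(Bucket=bucket)["OwnershipControls"]["Rules"]
        acls_disabled = any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules)
    except ClientError:
        acls_disabled = False  # no ownership controls configured: ACLs are still in effect
    if not acls_disabled:
        for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
            for obj in page.get("Contents", []):
                hits = acl_findings(s3.get_object_acl(Bucket=bucket, Key=obj["Key"]), owner)
                if hits:
                    report[obj["Key"]] = hits
    return report


if __name__ == "__main__":
    print(acl_findings(SAMPLE_ACL, OWNER_ID))
    print(policy_findings(SAMPLE_POLICY, "111111111111"))
```

Run against the constructed data, the ACL check reports the `READ` grant to `AllUsers` as public, and the policy check, evaluated from account `111111111111`, reports only the `PartnerRead` statement as shared with account `222222222222`. Against a live bucket, `audit_bucket("my-bucket", "111111111111")` returns the same kind of findings keyed by `bucket-acl`, `bucket-policy` and each object key that carries a non-owner grant; an empty list everywhere means nothing on the bucket itself grants access beyond the owner, and what remains to review is IAM in your own account, as the answer notes.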