Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How to Retrieve All Users with Access to an Amazon S3 Bucket?

0

Hi,

I am developing a feature that involves Amazon S3, and for this, I need to identify all users who have access to a specific S3 bucket. Given a bucket name, I would like to retrieve a list of users who have permissions to access that bucket.

I have already checked the bucket policy and ACL, but I noticed that if an IAM user has been granted access through an IAM policy (instead of being explicitly mentioned in the bucket policy), they can still access the bucket. This makes it difficult to determine all users who have permissions.

Is there an AWS API or any other method that allows me to get a list of all users who have access to a given S3 bucket, including those with IAM policies granting access? Any guidance or best practices would be greatly appreciated.

Thank you!

Topics
StorageSecurity, Identity, & Compliance
Tags
AWS Identity and Access ManagementIAM PoliciesAmazon Simple Storage Service
Language
English
asked 10 months ago332 views
3 Answers
3

Try by using below commands:

To list IAM policies: aws iam list-policies --scope Global

To list IAM roles: aws iam list-roles

Please make sure below items before above commands:

  1. Enable Server Access Logging: This will log all requests made to S3 bucket. You can enable server access logging by going to the S3 bucket properties and enabling access logging.

  2. Enable AWS CloudTrail Logging: CloudTrail logs API calls made to S3 resources. You can enable CloudTrail logging for your S3 bucket to track who accessed it.

  3. Analyze Logs with Amazon Athena: Once you have the logs, you can use Amazon Athena to query and analyze them. This will help you identify all users who have accessed the bucket.

  4. Use AWS IAM Policies and Roles: Review the IAM policies and roles that grant access to the S3 bucket. You can use the AWS Management Console or AWS CLI to list IAM policies and roles.

EXPERT
answered 10 months ago
1

Along what has already been suggested. You could us also use IAM Access Analyzer for S3 https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

This would also be helpful moving forward to help you determine which roles have permissions to your bucket but arent used.

answered 10 months ago
1

Try using

Bucket access using IAM Access Analyzer for S3

IAM Access Analyzer for S3 alerts you to S3 buckets that are configured to allow access to anyone on the internet or other AWS accounts, including AWS accounts outside of your organization. For each public or shared bucket, you receive findings into the source and level of public or shared access. For example, IAM Access Analyzer for S3 might show that a bucket has read or write access provided through a bucket access control list (ACL), a bucket policy, a Multi-Region Access Point policy, or an access point policy. With these findings, you can take immediate and precise corrective action to restore your bucket access to what you intended.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-analyzer.html

EXPERT
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content