By using AWS re:Post, you agree to the Terms of Use
/How to find all public objects of any of my owned S3 buckets?/

How to find all public objects of any of my owned S3 buckets?

0

How can one find all public objects of any of the current account owned S3 buckets?

Either trough the aws s3 command line, through the console or through some specialized AWS service.

2 Answers
3
Accepted Answer

Good question!

The most out of the box method would be Trusted Advisor comes with a security check for S3 Buckets "Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions or allow access to any authenticated AWS user. Bucket permissions that grant List access can result in higher than expected charges if objects in the bucket are listed by unintended users at a high frequency. Bucket permissions that grant Upload/Delete access create potential security vulnerabilities by allowing users that to add, modify, or remove items in a bucket."

Trusted Advisor: https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-check-reference.html https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/

This is typically done via the S3 Block Public Access controls as listed above. However if you're looking for a more granular level on the objects themselves, you could iterate through on the objects to GetObjectACL. To be truly public, this would have to work in conjunction with the S3 Block Public Access.

On a side note, AWS recommends not using ACLs in general. Check out this newer feature of Object Ownership: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html.

answered 6 months ago
1

Maybe you should try something like that:

#!/bin/bash

my_buckets=$(aws s3 ls | awk '{print $3}')

for bucket in $my_buckets; do
    for key in $(aws s3 ls --recursive s3://$bucket/ | awk '{print $4}'); do
        object_acl=$(aws s3api get-object-acl --bucket $bucket --key $key)
        result_found=$(echo $object_acl | grep "AllUsers")
        if [ ! -z "$result_found" ] ; then
            echo $bucket
            echo $key;
            echo $object_acl;
        fi;
        done
    done

answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions