Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How to Determine S3 Bucket Public Access Status in AWS Console or CLI After IAM Access Analyzer Update

0

In the past, the S3 dashboard included an "Access" column that indicated the status of a bucket, such as "public," "objects can be public," or "buckets and objects not public." This feature seems to have been replaced by the "IAM Access Analyzer," which doesn't provide the same level of detail as before.

Does anyone know how to obtain this specific information regarding whether a bucket is "public," "objects can be public," or "buckets and objects not public" using the AWS Console or AWS CLI today? I found that information extremely useful, but it appears to no longer be available directly on the dashboard.

Topics
Management & GovernanceSecurity, Identity, & ComplianceStorage
Tags
AWS Command Line InterfaceManagement & GovernanceAWS IAM Access AnalyzerStorageAmazon Simple Storage Service
Language
English
asked 2 years ago2.3K views
4 Answers
3

Hello, To determine the public access status of an S3 bucket using the AWS Console or AWS CLI, you can follow these detailed steps:

AWS Management Console

1.Open the S3 Console:

2.Check Bucket Access Status:

  • In the S3 console, you'll see a list of your S3 buckets. Look for the "Access" column. This column indicates the access status of each bucket (e.g., "Public", "Objects can be public", "Not public").

  • If the "Access" column is not visible, you can check the bucket's permissions by clicking on the bucket name.

  • Go to the "Permissions" tab.

  • Under the "Public access settings for this bucket" section, you'll see details about whether the bucket has public access or restricted access.

3.IAM Access Analyzer:

  • Navigate to the IAM Access Analyzer in the AWS Management Console.

  • In the IAM Access Analyzer, you can view the findings to see if any resources (including S3 buckets) have public access.

AWS CLI You can use the AWS CLI to get detailed information about the public access configuration of your S3 buckets. Here are the commands to use:

1.Get Public Access Block Configuration:

aws s3api get-public-access-block --bucket my-bucket

Replace my-bucket with the name of your S3 bucket.

The output will look like this:

{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    }
}
  • BlockPublicAcls: Whether Amazon S3 blocks public access control lists (ACLs) for this bucket.
  • IgnorePublicAcls: Whether Amazon S3 ignores public ACLs for this bucket.
  • BlockPublicPolicy: Whether Amazon S3 blocks bucket policies that allow public access.
  • RestrictPublicBuckets: Whether Amazon S3 restricts public bucket policies for this bucket.

2.Get Bucket Policy:

aws s3api get-bucket-policy --bucket my-bucket

This command retrieves the bucket policy if it exists, which can indicate if the bucket is public or has the potential to be public.

3.Get Bucket ACL:

aws s3api get-bucket-acl --bucket my-bucket

This command retrieves the Access Control List (ACL) of the bucket. If the ACL grants public access, you'll see it in the output.

Detailed Analysis of Outputs

  • If BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets are all true, the bucket and its objects are not public.
  • If any of these are false, there might be potential for public access depending on the specific settings.

i hope this will helps, thank you

EXPERT
answered 2 years ago
2

Hi,

The CLI command to use aws s3api get-public-access-block --bucket my-bucket. See https://docs.aws.amazon.com/cli/latest/reference/s3api/get-public-access-block.html

The result will look like:

{
    "PublicAccessBlockConfiguration": {
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "BlockPublicAcls": true,
        "RestrictPublicBuckets": true
    }
}

Details on each of the fields detailed in page pointed above

Best,

Didier

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
1

Hello,

You're right, the "Access" column in the S3 console that displayed public access status has been replaced by IAM Access Analyzer. I will provide some ways to do:

AWS Console Methods:

Get Bucket Policy Status:

  1. Navigate to the S3 bucket in the console.

  2. Click on the "Permissions" tab.

  3. In the "Bucket Policy" section, look for an option like "Get Bucket Policy Status" or a similar wording. This will display a report indicating if the bucket has public access ("IsPublic: true").

Result is looks like:

`{

"PublicAccessBlockConfiguration": {

    "IgnorePublicAcls": true,

    "BlockPublicPolicy": true,

    "BlockPublicAcls": true,

    "RestrictPublicBuckets": true

}

}`

Block Public Access Settings:

  1. Go to the S3 bucket and navigate to the "Permissions" tab.

  2. Look for a section related to "Block Public Access" settings. This section will show if Block Public Access is enabled for the bucket, indicating a more secure state by default.

AWS CLI Method:

get-bucket-policy-status:

  1. Use the aws s3api get-bucket-policy-status --bucket <bucket-name> command.

  2. The output will include a section named "PolicyStatus" with an "IsPublic" key. A value of "true" indicates public access.

EXPERT
answered 2 years ago
0

Hello,

Here is the blog post on different ways to find if the buckets are public: https://aws.amazon.com/blogs/storage/find-public-s3-buckets-in-your-aws-account/

EXPERT
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content