Reviewing bucket access using IAM Access Analyzer for S3 - Amazon Simple Storage Service

Reviewing bucket access using IAM Access Analyzer for S3

IAM Access Analyzer for S3 alerts you to S3 buckets that are configured to allow access to anyone on the internet or to other AWS accounts, including AWS accounts outside of your organization. For each public or shared bucket, you receive findings that identify the source and level of public or shared access. For example, IAM Access Analyzer for S3 might show that a bucket has read or write access provided through a bucket access control list (ACL), a bucket policy, a Multi-Region Access Point policy, or an access point policy. With these findings, you can take immediate and precise corrective action to restore your bucket access to what you intended.

When reviewing an at-risk bucket in IAM Access Analyzer for S3, you can block all public access to the bucket with a single click. We recommend that you block all public access to your buckets unless you require public access to support a specific use case. Before you block all public access, ensure that your applications will continue to work correctly without public access. For more information, see Blocking public access to your Amazon S3 storage.

You can also drill down into bucket-level permission settings to configure granular levels of access. For specific and verified use cases that require public access, such as static website hosting, public downloads, or cross-account sharing, you can acknowledge and record your intent for the bucket to remain public or shared by archiving the findings for the bucket. You can revisit and modify these bucket configurations at any time. You can also download your findings as a CSV report for auditing purposes.

IAM Access Analyzer for S3 is available at no extra cost on the Amazon S3 console. IAM Access Analyzer for S3 is powered by IAM Access Analyzer, a feature of AWS Identity and Access Management (IAM). To use IAM Access Analyzer for S3 in the Amazon S3 console, you must visit the IAM console and enable IAM Access Analyzer on a per-Region basis.

For more information about IAM Access Analyzer, see What is IAM Access Analyzer? in the IAM User Guide. For more information about IAM Access Analyzer for S3, review the following sections.

Important
  • IAM Access Analyzer for S3 requires an account-level analyzer. To use IAM Access Analyzer for S3, you must visit IAM Access Analyzer and create an analyzer that has an account as the zone of trust. For more information, see Enabling IAM Access Analyzer in the IAM User Guide.

  • IAM Access Analyzer for S3 doesn't analyze the access point policy that's attached to cross-account access points. This behavior occurs because the access point and its policy are outside the zone of trust, that is, the account. Buckets that delegate access to a cross-account access point are listed under Buckets with public access if you haven't applied the RestrictPublicBuckets block public access setting to the bucket or account. When you apply the RestrictPublicBuckets block public access setting, the bucket is reported under Buckets with access from other AWS accounts — including third-party AWS accounts.

  • When a bucket policy or bucket ACL is added or modified, IAM Access Analyzer generates and updates findings based on the change within 30 minutes. Findings related to account-level block public access settings might not be generated or updated for up to 6 hours after you change the settings. Findings related to Multi-Region Access Points might not be generated or updated for up to 6 hours after the Multi-Region Access Point is created or deleted, or after you change its policy.

What information does IAM Access Analyzer for S3 provide?

IAM Access Analyzer for S3 provides findings for buckets that can be accessed outside your AWS account. Buckets that are listed under Buckets with public access can be accessed by anyone on the internet. If IAM Access Analyzer for S3 identifies public buckets, you also see a warning at the top of the page that shows you the number of public buckets in your Region. Buckets listed under Buckets with access from other AWS accounts — including third-party AWS accounts are shared conditionally with other AWS accounts, including accounts outside of your organization.

For each bucket, IAM Access Analyzer for S3 provides the following information:

  • Bucket name

  • Discovered by Access analyzer ‐ When IAM Access Analyzer for S3 discovered the public or shared bucket access.

  • Shared through ‐ How the bucket is shared—through a bucket policy, a bucket ACL, a Multi-Region Access Point policy, or an access point policy. Multi-Region Access Points and cross-account access points are reflected under access points. A bucket can be shared through both policies and ACLs. If you want to find and review the source for your bucket access, you can use the information in this column as a starting point for taking immediate and precise corrective action.

  • Status ‐ The status of the bucket finding. IAM Access Analyzer for S3 displays findings for all public and shared buckets.

    • Active ‐ Finding has not been reviewed.

    • Archived ‐ Finding has been reviewed and confirmed as intended.

    • All ‐ All findings for buckets that are public or shared with other AWS accounts, including AWS accounts outside of your organization.

  • Access level ‐ Access permissions granted for the bucket:

    • List ‐ List resources.

    • Read ‐ Read but not edit resource contents and attributes.

    • Write ‐ Create, delete, or modify resources.

    • Permissions ‐ Grant or modify resource permissions.

    • Tagging ‐ Update tags associated with the resource.
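The listing and CSV report described above, reproduced as an added example (not code from the AWS documentation): the functions below take findings in the shape returned by the IAM Access Analyzer ListFindings API, keep only the S3 bucket findings that still appear in the listing, and emit the page's columns. The sample findings are constructed, and the grouping of S3 actions into the five access levels is an assumption made for this example.

```python
import csv, io
from datetime import datetime, timezone

# "Shared through" labels keyed by the source types in a finding's "sources" list.
SHARED_THROUGH = {"POLICY": "Bucket policy", "BUCKET_ACL": "Bucket ACL",
                  "S3_ACCESS_POINT": "Access point", "S3_ACCESS_POINT_ACCOUNT": "Access point"}

# Action -> access level grouping; an assumption made for this example,
# the console computes its own "Access level" column.
ACCESS_LEVELS = (("List", {"s3:ListBucket"}), ("Read", {"s3:GetObject"}),
                 ("Write", {"s3:PutObject", "s3:DeleteObject"}),
                 ("Permissions", {"s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutObjectAcl"}),
                 ("Tagging", {"s3:PutBucketTagging", "s3:PutObjectTagging"}))

def access_levels(actions):
    """Collapse a finding's granted actions into the page's five levels."""
    return [lvl for lvl, acts in ACCESS_LEVELS if acts & set(actions)]

def report_row(f):
    """One report row per bucket finding, mirroring the console columns."""
    return {"Bucket name": f["resource"].rsplit(":::", 1)[-1],   # arn:aws:s3:::name
            "Discovered": f["createdAt"].strftime("%Y-%m-%dT%H:%M:%SZ"),
            "Exposure": "Public" if f.get("isPublic") else "Other AWS accounts",
            "Shared through": ", ".join(sorted({SHARED_THROUGH[s["type"]] for s in f.get("sources", [])})),
            "Status": f["status"].capitalize(),
            "Access level": ", ".join(access_levels(f.get("action", [])))}

def build_report(findings):
    """Keep bucket findings still listed (ACTIVE or ARCHIVED; RESOLVED ones drop out)."""
    rows = [report_row(f) for f in findings
            if f["resourceType"] == "AWS::S3::Bucket" and f["status"] != "RESOLVED"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=list(rows[0]) if rows else ["Bucket name"])
    w.writeheader(); w.writerows(rows)
    return rows, buf.getvalue()

def _finding(arn, status, public, actions, sources, rtype="AWS::S3::Bucket"):
    """Constructed sample finding in the ListFindings shape (not real data)."""
    return {"resource": arn, "resourceType": rtype, "status": status, "isPublic": public,
            "action": actions, "sources": [{"type": s} for s in sources],
            "createdAt": datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)}

SAMPLE_FINDINGS = [
    _finding("arn:aws:s3:::public-downloads", "ARCHIVED", True,
             ["s3:GetObject", "s3:ListBucket"], ["POLICY", "BUCKET_ACL"]),
    _finding("arn:aws:s3:::partner-share", "ACTIVE", False,
             ["s3:PutObject", "s3:PutObjectAcl"], ["S3_ACCESS_POINT"]),
    _finding("arn:aws:s3:::fixed-bucket", "RESOLVED", True, ["s3:GetObject"], ["POLICY"]),
    _finding("arn:aws:iam::111111111111:role/Deploy", "ACTIVE", False, ["sts:AssumeRole"], [], "AWS::IAM::Role"),
]
```

Calling `build_report(SAMPLE_FINDINGS)` lists the public archived bucket and the cross-account active bucket only; the resolved bucket and the non-S3 finding are excluded, matching the console listing.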

Enabling IAM Access Analyzer for S3

To use IAM Access Analyzer for S3, you must complete the following prerequisite steps.

  1. Grant the required permissions.

    For more information, see Permissions Required to use IAM Access Analyzer in the IAM User Guide.

  2. Visit IAM to create an account-level analyzer for each Region where you want to use IAM Access Analyzer.

    IAM Access Analyzer for S3 requires an account-level analyzer. To use IAM Access Analyzer for S3, you must create an analyzer that has an account as the zone of trust. For more information, see Enabling IAM Access Analyzer in the IAM User Guide.

Blocking all public access

If you want to block all public access to a bucket in a single click, you can use the Block all public access button in IAM Access Analyzer for S3. When you block all public access to a bucket, no public access is granted. We recommend that you block all public access to your buckets unless you require public access to support a specific and verified use case. Before you block all public access, ensure that your applications will continue to work correctly without public access.

If you don't want to block all public access to your bucket, you can edit your block public access settings on the Amazon S3 console to configure granular levels of access to your buckets. For more information, see Blocking public access to your Amazon S3 storage.

In rare cases, IAM Access Analyzer for S3 might report no findings for a bucket that an Amazon S3 block public access evaluation reports as public. This happens because Amazon S3 block public access reviews policies for current actions and for any potential actions that might be added in the future and would make the bucket public. IAM Access Analyzer for S3, on the other hand, analyzes only the current actions specified for the Amazon S3 service when it evaluates access status.

To block all public access to a bucket using IAM Access Analyzer for S3
  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the navigation pane on the left, under Dashboards, choose Access analyzer for S3.

  3. In IAM Access Analyzer for S3, choose a bucket.

  4. Choose Block all public access.

  5. To confirm your intent to block all public access to the bucket, in Block all public access (bucket settings), enter confirm.

    Amazon S3 blocks all public access to your bucket. The status of the bucket finding updates to resolved, and the bucket disappears from the IAM Access Analyzer for S3 listing. If you want to review resolved buckets, open IAM Access Analyzer on the IAM Console.

Reviewing and changing bucket access

If you did not intend to grant access to the public or other AWS accounts, including accounts outside of your organization, you can modify the bucket ACL, bucket policy, the Multi-Region Access Point policy, or the access point policy to remove the access to the bucket. The Shared through column shows all sources of bucket access: bucket policy, bucket ACL, and/or access point policy. Multi-Region Access Points and cross-account access points are reflected under access points.

To review and change a bucket policy, a bucket ACL, a Multi-Region Access Point, or an access point policy
  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the navigation pane, choose Access analyzer for S3.

  3. To see whether public access or shared access is granted through a bucket policy, a bucket ACL, a Multi-Region Access Point policy, or an access point policy, look in the Shared through column.

  4. Under Buckets, choose the name of the bucket with the bucket policy, bucket ACL, Multi-Region Access Point policy, or access point policy that you want to change or review.

  5. If you want to change or view a bucket ACL:

    1. Choose Permissions.

    2. Choose Access Control List.

    3. Review your bucket ACL, and make changes as required.

      For more information, see Configuring ACLs.

  6. If you want to change or review a bucket policy:

    1. Choose Permissions.

    2. Choose Bucket Policy.

    3. Review or change your bucket policy as required.

      For more information, see Adding a bucket policy by using the Amazon S3 console.

  7. If you want to change or view a Multi-Region Access Point policy:

    1. Choose Multi-Region Access Point.

    2. Choose the Multi-Region Access Point name.

    3. Review or change your Multi-Region Access Point policy as required.

      For more information, see Permissions.

  8. If you want to review or change an access point policy:

    1. Choose access points.

    2. Choose the access point name.

    3. Review or change access as required.

      For more information, see Using Amazon S3 access points with the Amazon S3 console.

    If you edit or remove a bucket ACL, a bucket policy, or an access point policy to remove public or shared access, the status for the bucket findings updates to resolved. The resolved bucket findings disappear from the IAM Access Analyzer for S3 listing, but you can view them in IAM Access Analyzer.

Archiving bucket findings

If a bucket grants access to the public or other AWS accounts, including accounts outside of your organization, to support a specific use case (for example, a static website, public downloads, or cross-account sharing), you can archive the finding for the bucket. When you archive bucket findings, you acknowledge and record your intent for the bucket to remain public or shared. Archived bucket findings remain in your IAM Access Analyzer for S3 listing so that you always know which buckets are public or shared.

To archive bucket findings in IAM Access Analyzer for S3
  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the navigation pane, choose Access analyzer for S3.

  3. In IAM Access Analyzer for S3, choose an active bucket.

  4. To acknowledge your intent for this bucket to be accessed by the public or other AWS accounts, including accounts outside of your organization, choose Archive.

  5. Enter confirm, and choose Archive.

Activating an archived bucket finding

After you archive findings, you can always revisit them and change their status back to active, indicating that the bucket requires another review.

To activate an archived bucket finding in IAM Access Analyzer for S3
  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the navigation pane, choose Access analyzer for S3.

  3. Choose the archived bucket findings.

  4. Choose Mark as active.

Viewing finding details

If you need to see more information about a bucket, you can open the bucket finding details in IAM Access Analyzer on the IAM Console.

To view finding details in IAM Access Analyzer for S3
  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the navigation pane, choose Access analyzer for S3.

  3. In IAM Access Analyzer for S3, choose a bucket.

  4. Choose View details.

    The finding details open in IAM Access Analyzer on the IAM Console.

Downloading an IAM Access Analyzer for S3 report

You can download your bucket findings as a CSV report that you can use for auditing purposes. The report includes the same information that you see in IAM Access Analyzer for S3 on the Amazon S3 console.

To download a report
  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the navigation pane on the left, choose Access analyzer for S3.

  3. In the Region filter, choose the Region.

    IAM Access Analyzer for S3 updates to show buckets for the chosen Region.

  4. Choose Download report.

    A CSV report is generated and saved to your computer.