Previewing access in Amazon S3 console

After you complete your bucket policy in the Amazon S3 console you have the option to preview public and cross-account access to your Amazon S3 bucket. You can validate that your policy changes grant only intended external access before you choose Save changes. This optional step enables you to preview AWS Identity and Access Management Access Analyzer findings for your bucket. You can validate whether the policy change introduces new findings or resolves existing findings for external access. You can skip this validation step and save your Amazon S3 bucket policy at any time.

To preview external access to your bucket, you must have an active account analyzer in your bucket’s region with the account as the zone of trust. You must also have the permissions required to use IAM Access Analyzer and preview access. For more information on enabling IAM Access Analyzer and permissions required, see Enabling IAM Access Analyzer.

To preview access to your Amazon S3 bucket when you create or edit your bucket policy

Once you finish creating or editing your bucket policy, ensure your policy is a valid Amazon S3 bucket policy. The policy ARN must match the bucket ARN and the policy elements must be valid.
Below the policy, under Preview external access, choose an active account analyzer, then choose Preview. A preview of IAM Access Analyzer findings is generated for your bucket. The preview analyzes the displayed Amazon S3 bucket policy, together with the existing bucket permissions. This includes the bucket and account BPA settings, bucket ACL, the Amazon S3 access points and multi-region access points attached to the bucket, and their policies and BPA settings.
When the access preview completes, a preview of IAM Access Analyzer findings is displayed. Each finding reports an instance of a principal outside of the account with access to your bucket after you save the policy. You can validate access to your bucket by reviewing each finding. The finding header provides a summary of the access and you can expand the finding to review the finding details. Finding badges provide context on how saving the bucket policy would change access to the bucket. For example, they help you validate whether the policy change introduces new findings or resolves existing findings for external access:
1. New – indicates a finding for new external access that the policy would introduce.
2. Resolved – indicates a finding for existing external access that the policy would remove.
3. Archived – indicates a finding for new external access that would be automatically archived, based on the archive rules for the analyzer that define when findings should be marked as intended.
4. Existing – indicates an existing finding for external access that would remain unchanged.
5. Public – if a finding is for public access to the resource, it will have a Public badge, in addition to one of the badges above.
If you identify external access you do not intend to introduce or remove, you can revise the policy and then choose Preview again until you have achieved the external access you intend. If you have a finding labeled Public, we recommend you revise the policy to remove public access before you choose Save changes. Previewing access is an optional step and you can choose Save changes at any time.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Preview access

Previewing access with IAM Access Analyzer APIs