How can I find out which S3 buckets allow access from the internet?
Last updated: 2022-11-07
I want to know which of my Amazon Simple Storage Service (Amazon S3) buckets are publicly accessible from the internet. How can I do that?
To check whether S3 buckets are publicly accessible, use any of the following methods:
- Use the Amazon S3 console to review each bucket's public access settings.
- Use AWS Trusted Advisor to check Amazon S3 bucket permissions.
- Use Access Analyzer to set up alerts for buckets that are publicly accessible.
If you have a large number of S3 buckets in your AWS account, then AWS Config can provide a more efficient method. AWS Config rules allow you to quickly identify which buckets allow public read or write access. Also, you can set up AWS Config to notify you if any S3 buckets become publicly accessible after your initial review.
To create AWS Config rules that flag which S3 buckets are publicly accessible, follow these steps:
Note: Before you use AWS Config to analyze your S3 buckets, be sure to set up AWS Config on your AWS account.
- Open the AWS Config console and set the Region selector to an AWS Region that supports AWS Config rules.
Note: AWS Config performs the compliance check for buckets in the corresponding AWS Region. If you have buckets in multiple Regions, then set up AWS Config rules in each Region.
- In the navigation pane, choose Rules.
- Choose + Add rule.
- In the search bar, enter s3-bucket-public-read-prohibited. Then, choose the s3-bucket-public-read-prohibited rule. This rule flags buckets that allow public read access as Noncompliant.
- Select Save.
- Choose + Add rule.
- In the search bar, enter s3-bucket-public-write-prohibited. Then, choose the s3-bucket-public-write-prohibited rule. This rule flags buckets that allow public write access as Noncompliant.
- Select Save.
It might take several minutes for AWS Config to complete the evaluation of your S3 buckets based on the new rules. After the AWS Config evaluation is complete, open the Rules page from the AWS Config console. Then, open each rule to see which S3 buckets are flagged as noncompliant. Noncompliant buckets are those that allow either public write or read access from the internet.
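The same review as a script, added here as an example rather than AWS's own code: it uses boto3 to put the two managed rules from the steps above in every Region that offers AWS Config, then collects the buckets each rule reports as NON_COMPLIANT. The managed rule identifiers are the ones AWS Config uses for these rules; the function names are my own, and the script assumes AWS Config is already set up in each Region and credentials are available.

```python
"""Deploy the two managed rules in every Region and list flagged buckets."""

# Source identifiers of the two AWS managed rules the article adds in the console.
MANAGED_RULES = {
    "s3-bucket-public-read-prohibited": "S3_BUCKET_PUBLIC_READ_PROHIBITED",
    "s3-bucket-public-write-prohibited": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED",
}


def rule_definitions():
    """Build the PutConfigRule payloads, scoped to S3 buckets only."""
    return [
        {
            "ConfigRuleName": name,
            "Source": {"Owner": "AWS", "SourceIdentifier": identifier},
            "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
        }
        for name, identifier in MANAGED_RULES.items()
    ]


def noncompliant_buckets(evaluation_results):
    """Pull bucket names out of GetComplianceDetailsByConfigRule results,
    keeping only S3 buckets whose evaluation is NON_COMPLIANT."""
    buckets = set()
    for result in evaluation_results:
        qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        if (result.get("ComplianceType") == "NON_COMPLIANT"
                and qualifier.get("ResourceType") == "AWS::S3::Bucket"):
            buckets.add(qualifier["ResourceId"])
    return sorted(buckets)


def audit_all_regions(deploy=True):
    """Put both rules in every Region (deploy=True), then report the flagged
    buckets per Region and rule. Fresh rules take minutes to evaluate, so run
    again with deploy=False once AWS Config has finished."""
    import boto3  # imported here so the helpers above run offline (assumed installed)

    report = {}
    for region in boto3.session.Session().get_available_regions("config"):
        config = boto3.client("config", region_name=region)
        for rule in rule_definitions():
            if deploy:
                config.put_config_rule(ConfigRule=rule)
            pages = config.get_paginator("get_compliance_details_by_config_rule")
            results = []
            for page in pages.paginate(ConfigRuleName=rule["ConfigRuleName"],
                                       ComplianceTypes=["NON_COMPLIANT"]):
                results.extend(page.get("EvaluationResults", []))
            report[(region, rule["ConfigRuleName"])] = noncompliant_buckets(results)
    return report
```

Call audit_all_regions() once to create the rules, wait for the evaluation to finish, then audit_all_regions(deploy=False) to read the results.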
To set up notifications from AWS Config when an S3 bucket becomes noncompliant, see Notifications that AWS Config sends to an Amazon SNS topic.
For more information on setting permissions for S3 buckets, see Identity and access management in Amazon S3.