Find public S3 buckets in your AWS account
Data is critical to your business and protecting it from unintended access is a crucial business activity. As cloud usage increases, this can be a significant task to address. You want to verify that you aren’t unintentionally exposing or sharing data publicly.
Under the Shared Responsibility Model, AWS is responsible for protecting the infrastructure that runs AWS services like Amazon Simple Storage Service (Amazon S3). Your responsibility includes managing access to your data. By default, S3 buckets are private and can be accessed only by users who are explicitly granted access. Additionally, all newly created S3 buckets have Amazon S3 Block Public Access enabled and access control lists (ACLs) disabled by default, and all new objects are encrypted by default. Although these defaults create a strong security posture, you are still responsible for monitoring for users who reconfigure these settings on your S3 buckets.
In this post, we walk you through the AWS services that you can use to detect S3 buckets that your users have configured for public access across different AWS Regions in your AWS Account and AWS Organizations. First on the list is IAM Access Analyzer for S3, which is available at no additional cost in the S3 console and should be your go-to method to identify and remediate public buckets. If you are interested in other AWS services that offer the ability to identify public buckets, you can choose the service that best fits your requirements based on factors like compliance, service features, and cost.
- IAM Access Analyzer for S3
- AWS Config
- AWS Security Hub
- Amazon GuardDuty
- AWS Trusted Advisor
- Amazon Macie
- AWS CloudTrail
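Each of the services above ultimately evaluates the same three bucket properties: the Block Public Access settings, the bucket policy status, and the ACL grants. The following is an added example, not code from the original post, that applies that evaluation to dicts shaped like the boto3 responses for `get_public_access_block`, `get_bucket_policy_status` and `get_bucket_acl`; the sample buckets and their values are constructed.

```python
# Added example, not the post's code: decide from S3 API responses whether a bucket is public.
# Dict shapes mirror boto3 get_public_access_block / get_bucket_policy_status / get_bucket_acl.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def bpa_settings(bpa_response):
    """Return the four Block Public Access flags; a missing config means all off."""
    cfg = bpa_response.get("PublicAccessBlockConfiguration", {})
    return {flag: bool(cfg.get(flag, False)) for flag in BPA_FLAGS}


def acl_grants_public(acl_response):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(grant.get("Grantee", {}).get("URI") in (ALL_USERS, AUTHENTICATED_USERS)
               for grant in acl_response.get("Grants", []))


def classify_bucket(bpa_response, policy_status_response, acl_response):
    """Return the reasons a bucket is public; an empty list means private."""
    bpa = bpa_settings(bpa_response)
    reasons = []
    # IgnorePublicAcls makes S3 ignore public ACL grants, so they only count when it is off.
    if acl_grants_public(acl_response) and not bpa["IgnorePublicAcls"]:
        reasons.append("public ACL grant")
    # RestrictPublicBuckets confines a public policy to the account, so the same rule applies.
    is_public_policy = policy_status_response.get("PolicyStatus", {}).get("IsPublic", False)
    if is_public_policy and not bpa["RestrictPublicBuckets"]:
        reasons.append("public bucket policy")
    return reasons


def audit(buckets):
    """Map bucket name -> reasons, for a dict of name -> (bpa, policy_status, acl)."""
    return {name: classify_bucket(*responses) for name, responses in buckets.items()}


# Constructed sample responses (boto3 shapes, invented values; not real buckets).
BPA_ALL_ON = {"PublicAccessBlockConfiguration": {flag: True for flag in BPA_FLAGS}}
BPA_ALL_OFF = {"PublicAccessBlockConfiguration": {}}
POLICY_PUBLIC, POLICY_PRIVATE = {"PolicyStatus": {"IsPublic": True}}, {"PolicyStatus": {"IsPublic": False}}
ACL_OWNER_ONLY = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
ACL_WORLD_READ = {"Grants": ACL_OWNER_ONLY["Grants"] + [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_BUCKETS = {
    "logs-default-settings": (BPA_ALL_ON, POLICY_PUBLIC, ACL_WORLD_READ),  # BPA neutralises both
    "website-assets": (BPA_ALL_OFF, POLICY_PUBLIC, ACL_OWNER_ONLY),         # public via policy
    "legacy-acl-share": (BPA_ALL_OFF, POLICY_PRIVATE, ACL_WORLD_READ),      # public via ACL
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_BUCKETS).items():
        print(f"{name}: {'PUBLIC (' + ', '.join(reasons) + ')' if reasons else 'private'}")
```

Against a live account the three dicts come from the boto3 S3 client calls named above, where `get_public_access_block` raises `NoSuchPublicAccessBlockConfiguration` and `get_bucket_policy_status` raises `NoSuchBucketPolicy` when nothing is configured, which correspond to `BPA_ALL_OFF` and `POLICY_PRIVATE` here. Account-level Block Public Access, if enabled, applies on top of the bucket-level settings this example checks.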
For further reading, check my blog @