Over the last few months, thousands of S3 buckets have been discovered to be publicly accessible: a total of 10% of AWS S3 buckets are configured as public. Checking every bucket by hand is a lot of work, so here we explain how to analyze all of your buckets automatically in a few minutes and avoid a potentially dangerous data exposure.
S3 ACL Viewer
S3 ACL Viewer is a tool available here, allowing you to analyze your buckets.
Configuration of AWS IAM
The tool needs access to your AWS account.
– Go to AWS IAM
– Click on Users on the left-side menu
– Click on Add user
– Choose a username and check Programmatic access
– Click on Next: Permissions
– Click on Attach existing policies directly
– Check AmazonS3ReadOnlyAccess
– Click on Next: Review
– Click on Create user
– Copy the credentials Access key ID and Secret access key
– Create a ~/.aws/credentials file and put the credentials you copied into it in this format:
[default]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret access key goes here>
Use Existing Configured IAM User
Use your existing credentials or profile if you have a file ~/.aws/credentials like this:
[default]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret access key goes here>
[my_profile_name]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret access key goes here>
Then pass the profile name as an argument (the default profile is used if none is given):
> ./s3-acl-viewer -p my_profile_name
(Optional) Configure the Google Spreadsheet Report
If you want to generate a report on Google Spreadsheet, follow the first step of the instructions to set up credentials and API access.
Installation
Clone the repository by typing:
> git clone git@github.com:trackit/s3-acl-viewer.git
> cd s3-acl-viewer
Usage
> ./s3-acl-viewer -h
usage: s3-acl-viewer [-h] [--auth_host_name AUTH_HOST_NAME]
                     [--noauth_local_webserver]
                     [--auth_host_port [AUTH_HOST_PORT [AUTH_HOST_PORT ...]]]
                     [--logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
                     [-p [PROFILE [PROFILE ...]]] [-n NAME] [-g] [-x] [-c] [-s]
optional arguments:
  -h, --help            show this help message and exit
  --auth_host_name AUTH_HOST_NAME
                        Hostname when running a local web server.
  --noauth_local_webserver
                        Do not run a local web server.
  --auth_host_port [AUTH_HOST_PORT [AUTH_HOST_PORT ...]]
                        Port web server should listen on.
  --logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        Set the logging level of detail.
  -p [PROFILE [PROFILE ...]], --profile [PROFILE [PROFILE ...]]
                        aws profiles. [default] by default.
  -n NAME, --name NAME  spreadsheet name. [s3_report] by default.
  -g, --gspread         create a google spreadsheet.
  -x, --xlsx            create a xlsx spreadsheet.
  -c, --csv             create a csv file.
  -s, --silent          disable printing.
Note: the arguments --auth_host_name, --noauth_local_webserver, --auth_host_port and --logging_level are added by the Google Spreadsheet implementation and only matter when you use it.
Generate a Report
If you want to generate a report in CSV, XLSX and Google Spreadsheet formats, and also print that report, type:
./s3-acl-viewer -gxc -p my_profile_1 my_profile_2
-g means: upload the report to my Google Drive in the Google Spreadsheet format. You need to configure the API as explained above.
-x means: create a .xlsx file (Microsoft Excel).
-c means: create a standard .csv file.
-p my_profile_1 my_profile_2 means: generate the report by analyzing the accounts behind those profiles.
The command prints the report on standard output and, depending on the flags, also writes it as a Google Spreadsheet (-g), a Microsoft Excel file (-x) and a CSV file (-c).
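To show what an ACL scan like this actually checks, here is an added example (our own illustration, not code from the s3-acl-viewer project): the classification is a pure function over the structure boto3's get_bucket_acl() returns, so it can be tested offline; scan_buckets() wires it to boto3 and assumes boto3 is installed and the read-only IAM user above is configured.

```python
"""Flag S3 buckets whose ACL grants access to everyone or to any AWS account.

Added example, not code from the s3-acl-viewer project: public_grants() is a
pure function over the structure boto3's get_bucket_acl() returns, so it runs
without credentials; scan_buckets() wires it to boto3 (assumed installed).
"""

# Predefined S3 groups: AllUsers is anonymous access, AuthenticatedUsers is
# any AWS account in the world, not just yours.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "PUBLIC",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "ANY_AWS_ACCOUNT",
}


def public_grants(acl):
    """Return [{'exposure', 'permission'}] for each grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are account-scoped
        exposure = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if exposure:
            findings.append({"exposure": exposure, "permission": grant["Permission"]})
    return findings


def scan_buckets(profile="default"):
    """Map each bucket name visible to `profile` to its public grants (needs boto3)."""
    import boto3  # local import keeps public_grants() usable offline

    s3 = boto3.Session(profile_name=profile).client("s3")
    return {b["Name"]: public_grants(s3.get_bucket_acl(Bucket=b["Name"]))
            for b in s3.list_buckets()["Buckets"]}


# Constructed sample ACL (not from a real account): owner plus one anonymous READ grant.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for name, findings in scan_buckets().items():
        print(name, findings or "no public ACL grants")
```

An ACL is only one way a bucket becomes public: a bucket policy can grant anonymous access on its own, so a bucket this scan reports as clean can still be exposed by its policy and should also be checked there (or covered by S3 Block Public Access).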
About TrackIt
TrackIt is an international AWS cloud consulting, systems integration, and software development firm headquartered in Marina del Rey, CA.
We have built our reputation on helping media companies architect and implement cost-effective, reliable, and scalable Media & Entertainment workflows in the cloud. These include streaming and on-demand video solutions, media asset management, and archiving, incorporating the latest AI technology to build bespoke media solutions tailored to customer requirements.
Cloud-native software development is at the foundation of what we do. We specialize in Application Modernization, Containerization, Infrastructure as Code and event-driven serverless architectures by leveraging the latest AWS services. Along with our Managed Services offerings which provide 24/7 cloud infrastructure maintenance and support, we are able to provide complete solutions for the media industry.