Mar. 07, 2018
In the last few months, thousands of S3 buckets have been found exposed as public buckets; by some estimates roughly 10% of all AWS S3 buckets are configured as public. Checking every bucket by hand is a lot of work, so here is how to analyze all of your buckets automatically, in a few minutes, and catch a potentially dangerous data exposure before someone else does.
S3 ACL Viewer is an open-source tool (the repository is cloned below) that analyzes the access control of every bucket in your accounts and reports which ones are public.
The tool needs read access to your AWS account. To create a dedicated user for it:
– Go to AWS IAM
– Click on Users in the left-side menu
– Click on Add user, choose a username and check Programmatic access
– Click on Next: Permissions
– Click on Attach existing policies directly
– Check AmazonS3ReadOnlyAccess and click on Next: Review (this managed policy grants s3:Get* and s3:List* on every bucket, which also includes reading objects; if you want a tighter scope, a custom policy with s3:ListAllMyBuckets, s3:GetBucketAcl and s3:GetBucketPolicy is all the tool needs)
– Click on Create user
– Copy the credentials: Access key ID and Secret access key
– Create the file ~/.aws/credentials (readable only by you, e.g. chmod 600) and put the credentials you copied into it in this format:
[default]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret access key goes here>
Alternatively, use your existing credentials or profiles if you already have a ~/.aws/credentials file like this:
[default]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret access key goes here>
[my_profile_name]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret access key goes here>
and pass the profile name as an argument (the [default] profile is used if none is given):
> ./s3-acl-viewer -p my_profile_name
If you want to generate a report as a Google Spreadsheet, first follow the first step of the gspread setup instructions to configure Google API access and OAuth credentials.
Clone the repository and display the built-in help:
> git clone git@github.com:trackit/s3-acl-viewer.git
> cd s3-acl-viewer
> ./s3-acl-viewer -h
usage: s3-acl-viewer [-h] [--auth_host_name AUTH_HOST_NAME]
                     [--noauth_local_webserver]
                     [--auth_host_port [AUTH_HOST_PORT [AUTH_HOST_PORT ...]]]
                     [--logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
                     [-p [PROFILE [PROFILE ...]]] [-n NAME] [-g] [-x] [-c] [-s]

optional arguments:
  -h, --help            show this help message and exit
  --auth_host_name AUTH_HOST_NAME
                        Hostname when running a local web server.
  --noauth_local_webserver
                        Do not run a local web server.
  --auth_host_port [AUTH_HOST_PORT [AUTH_HOST_PORT ...]]
                        Port web server should listen on.
  --logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        Set the logging level of detail.
  -p [PROFILE [PROFILE ...]], --profile [PROFILE [PROFILE ...]]
                        aws profiles. [default] by default.
  -n NAME, --name NAME  spreadsheet name. [s3_report] by default.
  -g, --gspread         create a google spreadsheet.
  -x, --xlsx            create a xlsx spreadsheet.
  -c, --csv             create a csv file.
  -s, --silent          disable printing.
Note: the arguments --auth_host_name, --noauth_local_webserver, --auth_host_port and --logging_level come from the Google OAuth flow used by the Google Spreadsheet export; they only matter when you use -g.
To generate the report in CSV, XLSX and Google Spreadsheet formats at once, and also print it to the terminal, type:
./s3-acl-viewer -gxc -p my_profile_1 my_profile_2
-g uploads the report to your Google Drive as a Google Spreadsheet (requires the API setup explained above).
-x creates an .xlsx file (Microsoft Excel).
-c creates a standard .csv file.
-p my_profile_1 my_profile_2 generates the report for both of those accounts (one profile per account).
[Screenshots: the report as printed on standard output, as a Google Spreadsheet (-g), as an Excel .xlsx file (-x) and as a CSV file (-c).]
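As an added example (not code from the s3-acl-viewer project), here is the check the tool automates, written against the structures boto3 returns from get_bucket_acl() and get_bucket_policy(). A bucket ACL is public when it grants anything to the predefined AllUsers or AuthenticatedUsers groups; a bucket can also be exposed by a bucket policy whose Principal is "*", which an ACL-only check would miss, so both are inspected. The bucket names, grants and policy in SAMPLE_BUCKETS are constructed for this example; scan_account() is the live variant and assumes boto3 and a profile in ~/.aws/credentials as set up above.

```python
"""Decide whether an S3 bucket is public from its ACL and bucket policy.

Added example for this post; it is not the s3-acl-viewer code. The ACL and
policy structures are the ones boto3 returns from get_bucket_acl() and
get_bucket_policy(); SAMPLE_BUCKETS is constructed data for an offline run.
"""
import json

# Predefined S3 groups: a grant to either of these is what makes an ACL public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "Everyone", AUTH_USERS: "Any AWS account"}


def public_acl_grants(acl):
    """Return [(who, permission)] for grants to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def _principal_is_anyone(principal):
    # Policies spell "anyone" as "*", {"AWS": "*"} or {"AWS": [..., "*"]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index) of every Allow statement whose Principal is anyone.

    Statements carrying a Condition (e.g. aws:SourceIp) are still reported:
    they narrow access, but a human should confirm the condition is tight.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold a single statement
        statements = [statements]
    return [
        st.get("Sid", "statement[%d]" % i)
        for i, st in enumerate(statements)
        if st.get("Effect") == "Allow" and _principal_is_anyone(st.get("Principal"))
    ]


def classify_bucket(name, acl, policy_json=None):
    """Combine both checks; a bucket is public if either one fires."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json) if policy_json else []
    return {"bucket": name, "acl": acl_hits, "policy": policy_hits,
            "public": bool(acl_hits or policy_hits)}


def audit(buckets):
    """buckets: iterable of (name, acl_dict, policy_json_or_None)."""
    return [classify_bucket(*b) for b in buckets]


def scan_account(profile="default"):
    """Live variant: walk every bucket of an AWS profile (needs boto3 + credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.Session(profile_name=profile).client("s3")
    buckets = []
    for b in s3.list_buckets()["Buckets"]:
        try:
            policy = s3.get_bucket_policy(Bucket=b["Name"])["Policy"]
        except ClientError as err:  # most buckets simply have no policy
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy = None
        buckets.append((b["Name"], s3.get_bucket_acl(Bucket=b["Name"]), policy))
    return audit(buckets)


OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"}
SAMPLE_BUCKETS = [  # constructed sample data, not real buckets
    ("backups-private", {"Grants": [OWNER]}, None),
    ("www-assets", {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                        "Permission": "READ"}]}, None),
    ("logs-shared", {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": AUTH_USERS},
                                         "Permission": "WRITE"}]}, None),
    ("data-export", {"Grants": [OWNER]}, json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-export/*"}]})),
]

if __name__ == "__main__":
    import sys
    if sys.argv[1:2] == ["--live"]:  # python s3_public_check.py --live my_profile_name
        results = scan_account(sys.argv[2] if len(sys.argv) > 2 else "default")
    else:
        results = audit(SAMPLE_BUCKETS)
    for r in results:
        print("%-16s %s acl=%s policy=%s" % (r["bucket"], "PUBLIC " if r["public"] else "private",
                                             r["acl"], r["policy"]))
```

Run it without arguments to see the four constructed buckets classified (only backups-private comes out private); with --live and a profile name it walks the real account the same way the tool does. AuthenticatedUsers is flagged as public on purpose: it means any AWS account in the world, not just yours.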