Categories

 Automation AWS data rooms Data Storage DevOps DevTools Monitoring Optimization Services TrackIt

Tags
ai ami API Aurora autoscaling aws AWS EC2 AWS S3 chargify Ci Cd Pipeline cloud Cloud Computing Cognito consul cost optimization Data Storage dedicated DevOps docker Dynamodb ec2 ESXi github hashicorp high availability IP json Marketing Media nomad open source packer pfSense Postgres public cloud reduce cost Serverless Solution Architect as a Service terraform trackit tutorial Video VM vmware windows

Mar. 07, 2018

Thibaut Cornolti

Analyze Your AWS s3 Bucket Permission and Detect Security Problems

The last few months, thousands of s3 buckets have been discovered as public buckets. A total of 10% of AWS s3 buckets are public-configured buckets. We know it can be a lot of work to manually check every bucket. That’s why we are going to explain to you how to analyze every bucket easily and automatically in a few minutes to avoid a potentially dangerous data exposure. A�

S3 ACL Viewer

S3 ACL Viewer is a tool available here, allowing you to analyze your buckets. A�

Configuration of AWS IAM

The tool needs access to your AWS account.

– Go to AWS IAM

– Click on Users on the left-side menu

– Click onA�Add user – Choose a username and checkA�Programmatic access – Click onA�Next: Permissions

– Click onA�Attach existing policies directly

– CheckA�AmazonS3ReadOnlyAccess – Click onA�Next: Review

– Click onA�Create user

– Copy the credentialsA�Access key ID andA�Secret access key

– Create ~/.aws/credentials file and put the credentials you copied here in this format:

[default]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret_access_key goes here>

 

Use Existing Configured IAM User

Use your existing credentials or profile if you have a file ~/.aws/credentials like this:

[default]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret_access_key goes here>
[my_profile_name]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret_access_key goes here>

And pass the profile name in argument (default if nothing):

$> ./s3-acl-viewer -p my_profile_name

 

(Optional) Configure the Google Spreadsheet Report

If you want to generate a report on Google Spreadsheet, follow the first step of the instructions to setup credentials and API access. A�

Installation

Clone the repository by typing:

$> git clone git@github.com:trackit/s3-acl-viewer.git
$> cd s3-acl-viewer

 

Usage

 

$> ./s3-acl-viewer -h
usage: s3-acl-viewer [-h] [--auth_host_name AUTH_HOST_NAME]
 [--noauth_local_webserver]
 [--auth_host_port [AUTH_HOST_PORT [AUTH_HOST_PORT ...]]]
 [--logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
 [-p [PROFILE [PROFILE ...]]] [-n NAME] [-g] [-x] [-c] [-s]

optional arguments:
 -h, --help show this help message and exit
 --auth_host_name AUTH_HOST_NAME
 Hostname when running a local web server.
 --noauth_local_webserver
 Do not run a local web server.
 --auth_host_port [AUTH_HOST_PORT [AUTH_HOST_PORT ...]]
 Port web server should listen on.
 --logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
 Set the logging level of detail.
 -p [PROFILE [PROFILE ...]], --profile [PROFILE [PROFILE ...]]
 aws profiles. [default] by default.
 -n NAME, --name NAME spreadsheet name. [s3_report] by default.
 -g, --gspread create a google spreadsheet.
 -x, --xlsx create a xlsx spreadsheet.
 -c, --csv create a csv file.
 -s, --silent disable printing.

Note:A�Arguments –auth_host_name, -noauth_local_webserver, –auth_host_port and –loging_level are generated by the Google Spreadsheet implementation. A�

Generate a Report

If you want to generate a report in CSV, XLSX and Google Spreadsheet and if you want to print that report, type:

./s3-acl-viewer -gxc -p my_profile_1 my_profile_2

-g meansA�Upload the report on my Google Drive in the Google Spreadsheet format. You need to configure the API as explained above.

-x meansA�Create a .xlsx file (Microsoft Excel).

-c meansA�Create a standard .csv file.

-p my_profile_1 my_profile_2 meansA�Generate the report by analyzing that account.

The command will produce as standard output, with the Google Spreadsheet flag, with the Microsoft Excel flag, and with the CSV flag.

3 Replies to “Analyze Your AWS s3 Bucket Permission and Detect Security Problems”

  1. Thanks for the useful information on credit repair on your web-site. The thing I would offer as advice to people will be to give up a mentality they will buy at this moment and pay back later. As being a society most people tend to repeat this for many factors. This includes family vacations, furniture, plus items we really want to have. However, you must separate a person’s wants from the needs. When you’re working to fix your credit score you really have to make some trade-offs. For example you possibly can shop online to economize or you can click on second hand suppliers instead of highly-priced department stores to get clothing.

    Reply

  2. Its like you read my mind! You appear to know so much
    about this, like you wrote the book in it or something.
    I think that you can do with a few pics to drive the message
    home a bit, but instead of that, this is wonderful blog.
    A fantastic read. I will certainly be back.

    Reply

  3. Howdy I am so excited I found your site, I really found you by error,
    while I was browsing on Google for something else, Anyways I am here now and would just like to say thank you for a incredible post and a all round
    enjoyable blog (I also love the theme/design), I don’t have time to
    read it all at the minute but I have bookmarked it and also
    included your RSS feeds, so when I have time I will be back to read
    a great deal more, Please do keep up the fantastic b.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*