Tool to check AWS S3 bucket permissions.

Compatible with Linux, MacOS and Windows, python 2.7 and 3. May be used as AWS Lambda function.

What it does

• Checks all your buckets for public access
• For every bucket gives you the report with:
  • Indicator if your bucket is public or not
  • Permissions for your bucket if it is public
  • List of URLs to access your bucket (non-public buckets will return Access Denied) if it is public

Prerequisites

Create a new IAM User

• Create IAM user with AmazonS3ReadOnly policy attached
  • Go to IAM (https://console.aws.amazon.com/iam/home)
  • Click "Users" on the left hand side menu
  • Click "Add user"
  • Fill in user name and check Programmatic access
  • Click "Next: Permissions"
  • Click "Attach existing policies directly"
  • Check AmazonS3ReadOnly policy
  • Click "Next: Review"
  • Click "Create user"
  • Copy the credentials
    • Access key ID
    • Secret access key
• Create ~/.aws/credentials file or paste the credentials in when you run the script
  • Put the credentials you copied in the previous step here in this format:

[default]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret_access_key goes here>

Use existing configured IAM User

• use your existing credentials or profile if you have a file ~/.aws/credentials like this:

[default]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret_access_key goes here>
[my_profile_name]
aws_access_key_id = <your access key ID goes here>
aws_secret_access_key = <your secret_access_key goes here>

• and pass the profile name or leave blank for default when requested:

python s3inspector.py
Enter your AWS profile name [default]:

Usage

python s3inspector.py

Report example

Usage as Lambda function

Lambda function to perform the same check as above.

Lambda Setup & Prerequisites

Rather than a IAM user, we need a role that permits lambda execution as well as read-only access to S3 buckets and the ability to publish to SNS. First we need to create an SNS endpoint.

• Go to the SNS console (https://console.aws.amazon.com/sns/v2/home)
• Select along the sidebar 'Topics'
• In the topics screen, click 'Create New Topic'
• In the popup, add the name and description
• Click 'Create Topic'
• When the topic finishes creation, enter the topic by clicking on the ARN
• Click 'Create Subscription'
• In the popup, change the protocol to 'EMail'
• Enter the email address of whoever will be sent the reports in the 'Endpoint'
• Click 'Create subscription'
• Select the subscription and click 'Request confirmations'
• In the receivers email client, confirm the subscription via the link provided.
• Copy arn of created topic(can be viewed under 'Topic details') and set this value to SNS_RESOURCE_ARN variable in s3inspector.py.

Once done we can now create the lambda function

• Go to the lambda console (https://console.aws.amazon.com/lambda/home)
• Click on 'Create Function'
• Click on 'Author from Scratch'
• Give the function the name 's3inspector' (or the name of the file containing the function)
• Apply the role created above
• Click 'Create Function'
• On the configuration page
  • Change the Runtime to 'Python 2.7'
  • Change the Handler to 's3inspector.lambda_handler'
• Copy & Paste the contents of the lambda function file into the onscreen editor & click 'Save'
• Increase the timeout of the function to something suitable for the number of S3 buckets in the account (we tested with 1 minute and 128Mb)

You can now run the function with an empty test event, or configure a trigger for the function.