Who has access to my S3 bucket and its objects?

Question

How can I easily and accurately evaluate access permissions via the Amazon S3 management console or from boto3, to ensure that I am the only person who has access to my bucket and all of its objects?

I am aware that access to my bucket/objects can be given either through a Bucket Policy or ACL. However, ACL access can be given per object, so it is not clear to me how to fully review who has access, even to a single object in the bucket.

Answer 1

It's not easy.

First, let's review the ways that permission might be granted:

• Access Control Lists (ACLs) are object-level permissions that can grant public access, or access to a specific user. They are a remnant of the early way that Amazon S3 worked and can be annoying to manage. In fact, a new feature was recently made available that allows ACLs to be disabled -- and that's what AWS recommends!

• Bucket Policies allow permissions to be assigned to a bucket, or a path within a bucket. This is a great way to make a bucket public and the only way to provide cross-account access to a bucket.
• IAM Policies can be applied to an IAM User, IAM Group or IAM Role. These policies can grant permission to access Amazon S3 resources within the same account. This is a great way to assign permissions to specific IAM Users rather than doing it via a Bucket Policy.

The Amazon S3 console does allow you to Review bucket access using Access Analyzer for S3:

Access Analyzer for S3 alerts you to S3 buckets that are configured to allow access to anyone on the internet or other AWS accounts, including AWS accounts outside of your organization. For each public or shared bucket, you receive findings into the source and level of public or shared access. For example, Access Analyzer for S3 might show that a bucket has read or write access provided through a bucket access control list (ACL), a bucket policy, a Multi-Region Access Point policy, or an access point policy. Armed with this knowledge, you can take immediate and precise corrective action to restore your bucket access to what you intended.

However, it won't give you a full list of who can access which buckets.

You want to "ensure that you are the only one who has access to the bucket" -- this would require checking the Bucket Policy and the permissions of all IAM Users. There's no short-cut for doing this.

Answer 2

From petrch's answer

Otherwise - yes, it is really hard to make sure there is no policy in the account which would not allow any user in your account to get access to something they should not have access to

At least, it will be simpler now.
From "Controlling ownership of objects and disabling ACLs for your bucket":

Starting in April 2023, Amazon S3 will change the default settings for S3 Block Public Access and Object Ownership (ACLs disabled) for all new S3 buckets.

For new buckets created after this update,

• all S3 Block Public Access settings will be enabled, and
• S3 access control lists (ACLs) will be disabled.

These defaults are the recommended best practices for securing data in Amazon S3.
You can adjust these settings after creating your bucket.

For more information, see Default settings for new S3 buckets FAQ and Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023 in the AWS News Blog.

Answer 3

I think the other answer answers most of the options in a very good detail. But usually each bucket contains either public data, non-public data or sensitive data. For any bucket which should not contain public data just disable it and the CloudFormation

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-bucket.html

mentions this https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html for restricting public access.

Additionally the bucket supports encryption, when you allow KMS encryption you can also control access to data via the KMS key. That is something worth to consider for sensitive data.

Otherwise - yes, it is really hard to make sure there is no policy in the account which would not allow any user in your account to get access to something they should not have access to. One way how to do it may be to just control who can modify the the IAM policies (the iam:* permissions). There are also automatic tools to control policies and find vulnerabilities. For just one purpose it is not that hard to create one too.

Even if the bucket is completely private, the objects can be made public by other means - typically via CloudFront.