S3 Bucket Audit Report using AWS PowerShell Script – Secure your S3 Buckets


If you work in an AWS environment and follow AWS-related news, you will know that many major data breaches have happened because of human negligence: vast amounts of data were kept without protections such as encryption or public access blocking. It all comes down to human error. We create S3 buckets and start using them without thinking about how to keep them protected.

If we can’t control human behavior, we can at least run a daily security scan of all buckets to get a clear picture of how they are configured after creation and how many of them do not follow security best practice. With this information, we can easily fix them. For this reason I have created an AWS PowerShell script that extracts an S3 bucket audit report. The script can be executed at any time and needs only read-only permissions.

This script collects the following information for all S3 buckets:

  • Bucket Name
  • Region
  • Encryption Status
  • Log Bucket Name
  • Log Bucket Target Prefix
  • Versioning Status
  • MFA on Delete Status
  • Block Public Acls Status
  • Ignore Public Acls Status
  • Block Public Policy Status
  • Restrict Public Buckets Status
  • Bucket Policy Configuration Status
  • Bucket Policy
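As an added example (not the author's script, which is not reproduced on this page), the fields listed above can be gathered with the AWS Tools for PowerShell cmdlets like this. The `AWS.Tools.S3` module, read-only credentials (`s3:ListAllMyBuckets` plus the `s3:GetBucket*` permissions) and the CSV output path are assumptions.

```powershell
# Added example, not the post's own script. Assumes AWS.Tools.S3 is installed,
# read-only credentials are configured, and the caller chooses the CSV path.
Import-Module AWS.Tools.S3 -ErrorAction Stop

function Get-S3BucketAuditRow {
    param([Parameter(Mandatory)][string]$BucketName)
    # GetBucketLocation returns an empty value for us-east-1 and the legacy 'EU' for eu-west-1
    $loc = (Get-S3BucketLocation -BucketName $BucketName).Value
    $region = if ([string]::IsNullOrEmpty($loc)) { 'us-east-1' } elseif ($loc -eq 'EU') { 'eu-west-1' } else { $loc }
    # Default encryption: the API raises an error when no rule exists, so record that as a finding
    $encryption = 'NotConfigured'
    try {
        $rule = (Get-S3BucketEncryption -BucketName $BucketName -Region $region).ServerSideEncryptionRules |
                Select-Object -First 1
        if ($rule) { $encryption = $rule.ServerSideEncryptionByDefault.ServerSideEncryptionAlgorithm }
    } catch { }
    $logging    = Get-S3BucketLogging    -BucketName $BucketName -Region $region
    $versioning = Get-S3BucketVersioning -BucketName $BucketName -Region $region
    # Public access block: a missing configuration means none of the four protections apply
    $pab = $null
    try { $pab = Get-S3PublicAccessBlock -BucketName $BucketName -Region $region } catch { }
    # Bucket policy: returned as a JSON string; empty or an error when none is attached
    $policy = $null
    try { $policy = Get-S3BucketPolicy -BucketName $BucketName -Region $region } catch { }
    [pscustomobject]@{
        BucketName             = $BucketName
        Region                 = $region
        EncryptionStatus       = $encryption
        LogBucketName          = $logging.TargetBucketName
        LogBucketTargetPrefix  = $logging.TargetPrefix
        VersioningStatus       = "$($versioning.Status)"
        MfaOnDelete            = [bool]$versioning.EnableMfaDelete
        BlockPublicAcls        = [bool]$pab.BlockPublicAcls
        IgnorePublicAcls       = [bool]$pab.IgnorePublicAcls
        BlockPublicPolicy      = [bool]$pab.BlockPublicPolicy
        RestrictPublicBuckets  = [bool]$pab.RestrictPublicBuckets
        BucketPolicyConfigured = [bool]$policy
        BucketPolicy           = $policy
    }
}

# Audit every bucket in the account and write the report (output path is an assumption)
Get-S3Bucket | ForEach-Object { Get-S3BucketAuditRow -BucketName $_.BucketName } |
    Export-Csv -Path '.\S3BucketAuditReport.csv' -NoTypeInformation
```

Rows with `EncryptionStatus = NotConfigured`, `VersioningStatus = Off`, or any of the four public access block flags set to `False` are the buckets that need attention first.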

Please find the sample report generated by this script.

Script:



Saugata

CC BY-ND 4.0 This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.

4 comments

  1. Can it also cross-reference every IAM policy in the same account, to work out what users/roles/groups have access to any part of the bucket via IAM policies applied to their IAM principal?

    That is what I’m looking for. Does your script do that?

    Please let me know.

    1. No, the script can’t do it. You probably can add those features, but I don’t think it will be much help if you have many S3 buckets with lots of data on them. I would suggest auditing all the IAM roles/accounts including their shared or in-line policies, as you can easily understand what level of access someone has on an S3 bucket by checking the IAM policy. If you are doing it using PowerShell, you could use ConvertFrom-Json / ConvertTo-Json to read the JSON policy easily.

      Regards,
      Saugata D.
