AWS, Cloud Computing

4 Mins Read

Evaluating Public and Cross-Account Access at Scale With AWS IAM Access Analyzer for Amazon S3

Voiced by Amazon Polly

Introduction

Organizations prioritize data security, often implementing the principle of least privilege access and conducting audits to ensure compliance. To streamline auditing, users seek simple tools that assess access control, addressing concerns about data accessibility and user permissions.

Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started

Overview

Amazon S3 provides various access controls, from broad measures to detailed restrictions. AWS IAM Access Analyzer aids in defining and adjusting permissions, identifying and fixing overly permissive access.

This blog guides you through installing and using Access Analyzer for Amazon S3, streamlining access correction, and ensuring compliance with least privilege principles.

Solution

The solution walkthrough section goes through the following steps:

  1. Navigate to AWS IAM Access Analyzer for Amazon S3
  2. Create an analyzer
  3. Viewing findings
  4. Reviewing the findings and remediation
    • Public buckets
    • Cross-account access

Step-by-Step Guide

Step 1: Navigate to AWS IAM Access Analyzer for Amazon S3

To access the AWS IAM Access Analyzer for Amazon S3, go to the left panel of the Amazon S3 UI. Note it’s region-specific, so set up a separate Analyzer for each AWS Region with buckets. If it’s your first time, enable Access Analyzer by clicking the AWS IAM Access Analyzer link in the notification.

step1

AWS IAM Access Analyzer for Amazon S3 page before you have enabled AWS IAM Access Analyzer for the Region

Step 2: Create an analyzer

In this section, we will construct an analyzer, name it, and specify the right zone of trust.

Select the Create Analyzer button, which will guide you to a wizard to create your analyzer.

step2

  1. On the Create Analyzer page, you can choose to change the Name of your analyzer and optionally add Tags.
  1. For the “Zone of Trust,” opt for “Current Account” over “Current Organization” to generate findings for cross-account and public access within your selected account. This ensures results are sent back to the Amazon S3 console for quick navigation and action.
  2. Select Create Analyzer.

step2b

Step 3: Viewing findings

Navigate to the AWS IAM Access Analyzer for Amazon S3 page to review findings, divided into two sections:

  • Public access buckets: These are accessible by anyone on the internet without valid AWS credentials. Access Analyzer scrutinizes bucket policies and ACLs to identify such resources.
  • Buckets with access from other AWS accounts: This section lists buckets configured for cross-account access. Access Analyzer evaluates bucket policies and ACLs to detect shared resources with other AWS accounts.

step3

Fig: Findings on the AWS IAM Access Analyzer for Amazon S3 page after you’ve created the analyzer

Step 4: Reviewing the findings and taking action

In this part, I address handling public and cross-account accessible buckets.

For public buckets: Click to select the bucket and instantly apply the “Block all public access” option, enforcing Amazon S3 Block Public Access. This prevents unauthorized access, requiring valid credentials. Verify in the bucket policy, if necessary, AWS IAM users or roles have appropriate access.

step4

Fig: Selecting a bucket from the list on the AWS IAM Access Analyzer for the Amazon S3 page

After you type “confirm” and select Confirm, this finding should disappear as public access is blocked.

step4b

Fig: Blocking all public access to an Amazon S3 bucket from the AWS IAM Access Analyzer for the Amazon S3 page

If you have a legitimate use case for public access to your bucket (for example, if it holds files you publish on the internet without user authentication), you must first pick the finding you want to save.

step4c

Selecting a finding that you wish to archive on the AWS IAM Access Analyzer for Amazon S3 page

To archive the finding, input “confirm” and click Confirm. The finding is not removed from the list of buckets with public access when archived, and it can be marked as active again later.

step4d

Fig: Archiving your findings on the AWS IAM Access Analyzer for Amazon S3 page

To host static websites, use Origin Access Control with Amazon CloudFront for HTTPS support and cost savings through caching while controlling public access to your bucket.

Regarding access across multiple accounts, like public buckets, you can archive or mark findings as active. Review cross-account access to determine if it’s granted via bucket policy or ACL. For example, check if each account listed in the policy requires access to relevant Amazon S3 resources.

step4e

After reviewing rules and ACLs, you might find unnecessary permissions. Delete or update ACLs or bucket policies accordingly. Once the finding is ensured that only intended cross-account access is achieved, archive it.

Conclusion

This post covered setting up AWS IAM Access Analyzer for Amazon S3 and managing findings. It discussed blocking public access, archiving findings, and evaluating cross-account access. AWS IAM Access Analyzer streamlines Amazon S3 resource audits, requiring setup only once per region.

Drop a query if you have any questions regarding AWS IAM Access Analyzer and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

  • Accelerated cloud migration
  • End-to-end view of the cloud environment
Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training PartnerAWS Migration PartnerAWS Data and Analytics PartnerAWS DevOps Competency PartnerAmazon QuickSight Service Delivery PartnerAmazon EKS Service Delivery PartnerAWS Microsoft Workload PartnersAmazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services PackageCloudThat’s offerings.

FAQs

1. What is AWS IAM Access Analyzer for Amazon S3?

ANS: – AWS IAM Access Analyzer for Amazon S3 is a tool that evaluates access controls within Amazon S3 buckets, helping users identify and mitigate security risks associated with public and cross-account access configurations.

2. How does AWS IAM Access Analyzer assist in evaluating public access to Amazon S3 buckets?

ANS: – AWS IAM Access Analyzer examines bucket policies and access control lists (ACLs) to identify Amazon S3 buckets that are publicly accessible, allowing users to block public access and enforce stricter security measures if necessary.

WRITTEN BY Ayush Agarwal

Ayush Agarwal works as a Research Associate at CloudThat. He has excellent analytical thinking and carries an optimistic approach toward his life. He is having sound Knowledge of AWS Cloud Services, Infra setup, Security, WAR, and Migration. He is always keen to learn and adopt new technologies.

Share

Comments

    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!