4
votes

I have a bucket that shows "public access" in the console, but when I attempt to read the aws s3api get-public-access-block, I get an error:

$ aws s3api get-public-access-block --bucket my-test-bucket-name
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: argument operation: Invalid choice, valid choices are:

abort-multipart-upload                   | complete-multipart-upload               
copy-object                              | create-bucket...               

I am running aws-cli 1.15.83:

$ aws --version
aws-cli/1.15.83 Python/2.7.14 Linux/4.14.77-70.59.amzn1.x86_64 botocore/1.10.82

4 Answers

4
votes

You can use aws s3api get-bucket-policy-status to find out which buckets have been identified as having public access:

aws s3api get-bucket-policy-status --bucket my-test-bucket-name
{
    "PolicyStatus": {
        "IsPublic": true
    }
}

The get-public-access-block function is related to new features released last week [1] that help protect future buckets from being mistakenly created with public access.

Both get-public-access-block and get-bucket-policy-status require a newer version of awscli than 1.15.83. The version I am using that has both these commands is 1.16.58.

[1] https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/

2
votes

You might be getting the error because you have not upgraded awscli.

Use the pip command to upgrade:

pip install --upgrade awscli

I was getting the same error at the start. It should upgrade and give the proper result.

1
votes
Bash# aws s3api get-public-access-block --bucket my-test-bucket-name
An error occurred (NoSuchPublicAccessBlockConfiguration) when calling the 
GetPublicAccessBlock operation: The public access block configuration was not found

^ This is what you'll see on a freshly created s3 bucket that's private by default, but has the potential to become public.


Bash# aws s3api put-public-access-block --bucket my-test-bucket-name --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

^ This is the command to enable Public Access Block.


Bash# aws s3api get-public-access-block --bucket my-test-bucket-name
{
  "PublicAccessBlockConfiguration": {
    "BlockPublicAcls": true,
    "IgnorePublicAcls": true,
    "BlockPublicPolicy": true,
    "RestrictPublicBuckets": true
  }
}

^ A subsequent run of the same get status command will now show this output, when block public access is enabled.

0
votes

There are a number of things to look for when you want to understand whether a bucket is public or not, and why.

# get account level settings
aws s3control get-public-access-block --account-id <your account id>

# get bucket level settings
aws s3api get-public-access-block --bucket <your bucket name>
  • [skip if RestrictPublicBuckets was true] You need to figure out the policy status. If the policy is public, then it is probably the reason you see the bucket marked as public.
aws s3api get-bucket-policy-status --bucket <your bucket name>
  • [skip if IgnorePublicAcls was true] Check for a public bucket ACL (read or write with the grantee set to everyone or authenticated users). Note that if IgnorePublicAcls is true you won't see a public ACL, so if you decide to disable public access block for some reason you might want to check whether the ACL is public or not.
aws s3api get-bucket-acl --bucket <your bucket name>

Now you should be able to figure out what makes the bucket public if you see it marked as public in the console. However, until you block public ACLs using the bucket or account public access block, you still might have individual objects in your bucket publicly accessible, as they could be shared using object-level ACLs, and it can be challenging to check every single object in your bucket.

Another thing that can be hard to check is access points: you can make a bucket public through the policy of one of its attached access points, so even if your bucket policy is public you might want to check whether or not your bucket has attached access points, and check the policy status for each of them.

# list access points attached to the bucket, note that you need to specify bucket region
aws s3control list-access-points --bucket <your bucket name> --account-id <your account id> --region <your bucket region>

# retrieve access point policy status
aws s3control get-access-point-policy-status --region <your bucket region> --account-id <your account id> --name <access point name>

The best way to ensure security of your bucket is to enable public access block settings for both policy and ACL.
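To make the checklist in this answer repeatable, here is an added example (not from the answer or from AWS) that applies the same decision rules to the JSON the commands above print. It assumes you have saved the outputs of `aws s3control get-public-access-block`, `aws s3api get-public-access-block`, `aws s3api get-bucket-policy-status` and `aws s3api get-bucket-acl` as Python dicts (None where the call failed because no configuration or policy exists); the sample inputs at the bottom are constructed.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def effective_pab(account_pab, bucket_pab):
    """Merge the account-level (s3control) and bucket-level (s3api)
    get-public-access-block results. Pass None for a missing configuration
    (NoSuchPublicAccessBlockConfiguration); it counts as all four settings false.
    For each setting the more restrictive (true) value wins."""
    return {key: any(
        bool((doc or {}).get("PublicAccessBlockConfiguration", {}).get(key))
        for doc in (account_pab, bucket_pab)) for key in PAB_KEYS}


def public_acl_grants(acl):
    """(group, permission) pairs in a get-bucket-acl result that grant anything
    to everyone (AllUsers) or to any AWS account (AuthenticatedUsers)."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def why_public(account_pab, bucket_pab, policy_status, acl):
    """Checklist from the answer: a public bucket policy explains the public flag
    unless RestrictPublicBuckets is on; public ACL grants explain it unless
    IgnorePublicAcls is on. policy_status is None when the bucket has no policy."""
    pab = effective_pab(account_pab, bucket_pab)
    reasons = []
    if (not pab["RestrictPublicBuckets"] and policy_status
            and policy_status["PolicyStatus"]["IsPublic"]):
        reasons.append("bucket policy is public")
    if not pab["IgnorePublicAcls"]:
        for group, perm in public_acl_grants(acl):
            reasons.append(f"ACL grants {perm} to {group}")
    return reasons


# Constructed sample data in the shape the CLI prints (not real account output).
SAMPLE_BUCKET_PAB = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, False)}
SAMPLE_POLICY_STATUS = {"PolicyStatus": {"IsPublic": True}}
SAMPLE_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
```

Object-level ACLs and access point policies are outside what this check sees, as the answer notes.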