Against the Pain of Checking S3 Access Control

The official documentation describes complex configurations for S3 access control. A comprehensive check must review every policy which could have an effect on S3:

  1. Bucket Policy, per bucket
  2. ACL, per bucket
  3. Each managed policy, which is attached to a user, group or role
  4. Each inline policy, which is defined for a user, group or role.

Manually checking it in the AWS IAM console is tedious. There is a better way.

Automated Check with Elephantshop

We believe that checking your S3 access controls can and should be automated.

Elephantshop's dashboard displays compliance and risk score for each bucket.

Compliance checks are either pass or fail.

Risk score is shown as a bar chart so you can prioritize the review on the buckets which may need it most. It is highest for admin access and lowest for read access.

Access Overview per Bucket

You zoom in by clicking on a bucket. Immediately you see who has access to the bucket.

All sources are taken into account: Bucket policy, bucket ACL, managed policies and inline policies.

The bars assist you to follow through which access may carry unnecessary risk.


Want to try it yourself?

Download our free desktop application

Or login/register for our free service