The official documentation describes complex configurations for S3 access control. A comprehensive check must review every policy that can affect access to S3:
- Bucket Policy, per bucket
- ACL, per bucket
- Each managed policy, which is attached to a user, group or role
- Each inline policy, which is defined for a user, group or role.
Manually checking it in the AWS IAM console is tedious. There is a better way.
Automated Check with Elephantshop
We believe that checking your S3 access controls can and should be automated.
Elephantshop's dashboard displays a compliance status and a risk score for each bucket.
Compliance checks are either pass or fail.
Risk score is shown as a bar chart so you can prioritize the review on the buckets which may need it most. It is highest for admin access and lowest for read access.
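The following Python script is an added illustration of the two ideas above, the four policy sources that must be combined per bucket and the admin-highest, read-lowest risk ranking. It is not Elephantshop's code and not an AWS library; it evaluates constructed sample documents shaped like the ones the S3 and IAM APIs return, and the bucket names, ARNs and principals in it are invented. It handles only Allow statements with Action and Resource and ignores Deny, NotAction, NotResource and Condition, which a complete evaluator would also have to apply.

```python
import fnmatch

# Review priority from the access level a grant confers: admin > write > read.
RISK_LEVEL = {"read": 1, "write": 2, "admin": 3}

READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject")
# Anything that can change access control or destroy the bucket counts as admin.
ADMIN_ACTIONS = ("s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutObjectAcl", "s3:DeleteBucket")

# S3 ACL permissions mapped onto the same three levels.
ACL_LEVEL = {"READ": "read", "READ_ACP": "read", "WRITE": "write",
             "WRITE_ACP": "admin", "FULL_CONTROL": "admin"}


def as_list(value):
    """IAM allows either a string or a list in Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def classify_action(action):
    """Map an action (possibly wildcarded) to the broadest level it reaches, or None."""
    for level, names in (("admin", ADMIN_ACTIONS), ("write", WRITE_ACTIONS), ("read", READ_ACTIONS)):
        if any(fnmatch.fnmatchcase(name, action) for name in names):
            return level
    return None


def resource_covers_bucket(resource, bucket):
    """True if an ARN pattern reaches the bucket itself or any object in it."""
    if resource == "*":
        return True
    prefix = "arn:aws:s3:::"
    if not resource.startswith(prefix):
        return False
    bucket_pattern = resource[len(prefix):].split("/", 1)[0]
    return fnmatch.fnmatchcase(bucket, bucket_pattern)


def statement_level(statement, bucket):
    """Highest level an Allow statement grants on the bucket, or None if it does not apply.
    Deny statements are skipped; a complete evaluator must apply them as overrides."""
    if statement.get("Effect") != "Allow":
        return None
    if not any(resource_covers_bucket(r, bucket) for r in as_list(statement.get("Resource", []))):
        return None
    levels = [classify_action(a) for a in as_list(statement.get("Action", []))]
    levels = [lvl for lvl in levels if lvl]
    return max(levels, key=RISK_LEVEL.get) if levels else None


def principals_of(statement):
    """Principals named by a bucket-policy statement ('*' or AWS ARNs)."""
    principal = statement.get("Principal", "*")
    if principal == "*":
        return ["*"]
    return as_list(principal.get("AWS", []))


def audit(buckets, bucket_policies, bucket_acls, identity_policies):
    """Collect grants from all four sources per bucket and score each bucket."""
    report = {b: {"grants": [], "risk": 0} for b in buckets}
    for bucket in buckets:
        for st in bucket_policies.get(bucket, {}).get("Statement", []):   # 1. bucket policy
            level = statement_level(st, bucket)
            if level:
                for principal in principals_of(st):
                    report[bucket]["grants"].append(("bucket-policy", principal, level))
        for grant in bucket_acls.get(bucket, []):                          # 2. bucket ACL
            level = ACL_LEVEL.get(grant["Permission"])
            if level:
                report[bucket]["grants"].append(("bucket-acl", grant["Grantee"], level))
        for pol in identity_policies:                                      # 3./4. managed and inline
            for st in pol["document"].get("Statement", []):
                level = statement_level(st, bucket)
                if level:
                    report[bucket]["grants"].append((pol["kind"], pol["principal"], level))
        report[bucket]["risk"] = max((RISK_LEVEL[lvl] for _, _, lvl in report[bucket]["grants"]), default=0)
    return report


# Constructed sample inputs (invented names), shaped like the API documents.
SAMPLE_BUCKETS = ["logs-archive", "team-data", "scratch"]
SAMPLE_BUCKET_POLICIES = {
    "logs-archive": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::logs-archive/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/log-shipper"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::logs-archive/*"},
    ]},
}
SAMPLE_BUCKET_ACLS = {
    "team-data": [{"Grantee": "canonical-user:contractor", "Permission": "FULL_CONTROL"}],
}
SAMPLE_IDENTITY_POLICIES = [
    {"principal": "role/ci-deploy", "kind": "managed-policy", "document": {"Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::team-data/*"}]}},
    {"principal": "user/alice", "kind": "inline-policy", "document": {"Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}},
]


def audit_sample():
    return audit(SAMPLE_BUCKETS, SAMPLE_BUCKET_POLICIES, SAMPLE_BUCKET_ACLS, SAMPLE_IDENTITY_POLICIES)


def ranked_buckets(report):
    """Bucket names ordered for review, highest risk first."""
    return sorted(report, key=lambda b: -report[b]["risk"])


if __name__ == "__main__":
    result = audit_sample()
    for name in ranked_buckets(result):
        print(name, result[name]["risk"], result[name]["grants"])
```

On the sample data the ACL grant of FULL_CONTROL puts team-data at the top, the writable log bucket second and the bucket only reachable through alice's read-only inline policy last. Wildcards are resolved to the broadest action they cover, so `s3:Put*` is scored as admin because it also matches `s3:PutBucketPolicy`.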
Access Overview per Bucket
You zoom in by clicking on a bucket. Immediately you see who has access to the bucket.
All sources are taken into account: Bucket policy, bucket ACL, managed policies and inline policies.
The bars help you follow up on which access grants may carry unnecessary risk.