Evaluating Public and Cross-Account Access at Scale With AWS IAM Access Analyzer for Amazon S3

Introduction

Organizations prioritize data security, often implementing the principle of least privilege access and conducting audits to ensure compliance. To streamline auditing, users seek simple tools that assess access control, addressing concerns about data accessibility and user permissions.

Overview

This blog guides you through installing and using Access Analyzer for Amazon S3, streamlining access correction, and ensuring compliance with least privilege principles.

Solution

The solution walkthrough section goes through the following steps:

1. Navigate to AWS IAM Access Analyzer for Amazon S3
2. Create an analyzer
3. Viewing findings
4. Reviewing the findings and remediation
   • Public buckets
   • Cross-account access

Step-by-Step Guide

Step 1: Navigate to AWS IAM Access Analyzer for Amazon S3

To access the AWS IAM Access Analyzer for Amazon S3, go to the left panel of the Amazon S3 UI. Note it’s region-specific, so set up a separate Analyzer for each AWS Region with buckets. If it’s your first time, enable Access Analyzer by clicking the AWS IAM Access Analyzer link in the notification.

AWS IAM Access Analyzer for Amazon S3 page before you have enabled AWS IAM Access Analyzer for the Region

Step 2: Create an analyzer

In this section, we will construct an analyzer, name it, and specify the right zone of trust.

Select the Create Analyzer button, which will guide you to a wizard to create your analyzer.

1. On the Create Analyzer page, you can choose to change the Name of your analyzer and optionally add Tags.

2. For the “Zone of Trust,” opt for “Current Account” over “Current Organization” to generate findings for cross-account and public access within your selected account. This ensures results are sent back to the Amazon S3 console for quick navigation and action.
3. Select Create Analyzer.

Step 3: Viewing findings

Navigate to the AWS IAM Access Analyzer for Amazon S3 page to review findings, divided into two sections:

• Public access buckets: These are accessible by anyone on the internet without valid AWS credentials. Access Analyzer scrutinizes bucket policies and ACLs to identify such resources.
• Buckets with access from other AWS accounts: This section lists buckets configured for cross-account access. Access Analyzer evaluates bucket policies and ACLs to detect shared resources with other AWS accounts.

Fig: Findings on the AWS IAM Access Analyzer for Amazon S3 page after you’ve created the analyzer

Step 4: Reviewing the findings and taking action

In this part, I address handling public and cross-account accessible buckets.

For public buckets: Click to select the bucket and instantly apply the “Block all public access” option, enforcing Amazon S3 Block Public Access. This prevents unauthorized access, requiring valid credentials. Verify in the bucket policy, if necessary, AWS IAM users or roles have appropriate access.

Fig: Selecting a bucket from the list on the AWS IAM Access Analyzer for the Amazon S3 page

After you type “confirm” and select Confirm, this finding should disappear as public access is blocked.

Fig: Blocking all public access to an Amazon S3 bucket from the AWS IAM Access Analyzer for the Amazon S3 page

If you have a legitimate use case for public access to your bucket (for example, if it holds files you publish on the internet without user authentication), you must first pick the finding you want to save.

Selecting a finding that you wish to archive on the AWS IAM Access Analyzer for Amazon S3 page

To archive the finding, input “confirm” and click Confirm. The finding is not removed from the list of buckets with public access when archived, and it can be marked as active again later.

Fig: Archiving your findings on the AWS IAM Access Analyzer for Amazon S3 page

To host static websites, use Origin Access Control with Amazon CloudFront for HTTPS support and cost savings through caching while controlling public access to your bucket.

Regarding access across multiple accounts, like public buckets, you can archive or mark findings as active. Review cross-account access to determine if it’s granted via bucket policy or ACL. For example, check if each account listed in the policy requires access to relevant Amazon S3 resources.

After reviewing rules and ACLs, you might find unnecessary permissions. Delete or update ACLs or bucket policies accordingly. Once the finding is ensured that only intended cross-account access is achieved, archive it.

Conclusion

This post covered setting up AWS IAM Access Analyzer for Amazon S3 and managing findings. It discussed blocking public access, archiving findings, and evaluating cross-account access. AWS IAM Access Analyzer streamlines Amazon S3 resource audits, requiring setup only once per region.

Drop a query if you have any questions regarding AWS IAM Access Analyzer and we will get back to you quickly.

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.