
Evaluating Public and Cross-Account Access at Scale With AWS IAM Access Analyzer for Amazon S3


Introduction

Organizations prioritize data security, often implementing the principle of least privilege access and conducting audits to ensure compliance. To streamline auditing, users seek simple tools that assess access control, addressing concerns about data accessibility and user permissions.


Overview

Amazon S3 provides various access controls, from broad measures to detailed restrictions. AWS IAM Access Analyzer aids in defining and adjusting permissions, identifying and fixing overly permissive access.

This blog guides you through enabling and using Access Analyzer for Amazon S3, streamlining access correction, and ensuring compliance with least privilege principles.

Solution

The solution walkthrough section goes through the following steps:

  1. Navigate to AWS IAM Access Analyzer for Amazon S3
  2. Create an analyzer
  3. Viewing findings
  4. Reviewing the findings and remediation
    • Public buckets
    • Cross-account access

Step-by-Step Guide

Step 1: Navigate to AWS IAM Access Analyzer for Amazon S3

To access the AWS IAM Access Analyzer for Amazon S3, go to the left panel of the Amazon S3 console. Note that it is region-specific, so set up a separate analyzer for each AWS Region that contains buckets. If this is your first time, enable Access Analyzer by clicking the AWS IAM Access Analyzer link in the notification.

Fig: AWS IAM Access Analyzer for Amazon S3 page before you have enabled AWS IAM Access Analyzer for the Region

Step 2: Create an analyzer

In this section, we will construct an analyzer, name it, and specify the right zone of trust.

Select the Create Analyzer button, which will guide you to a wizard to create your analyzer.


  1. On the Create Analyzer page, you can choose to change the Name of your analyzer and optionally add Tags.
  2. For the “Zone of Trust,” opt for “Current Account” over “Current Organization” so that findings are generated for cross-account and public access within the selected account. This ensures the results are sent back to the Amazon S3 console for quick navigation and action.
  3. Select Create Analyzer.


Step 3: Viewing findings

Navigate to the AWS IAM Access Analyzer for Amazon S3 page to review findings, divided into two sections:

  • Public access buckets: These are accessible by anyone on the internet without valid AWS credentials. Access Analyzer scrutinizes bucket policies and ACLs to identify such resources.
  • Buckets with access from other AWS accounts: This section lists buckets configured for cross-account access. Access Analyzer evaluates bucket policies and ACLs to detect shared resources with other AWS accounts.

Fig: Findings on the AWS IAM Access Analyzer for Amazon S3 page after you’ve created the analyzer

Step 4: Reviewing the findings and taking action

In this part, I address handling public and cross-account accessible buckets.

For public buckets: Click to select the bucket and instantly apply the “Block all public access” option, enforcing Amazon S3 Block Public Access. This prevents unauthenticated access, so every request must carry valid credentials. If necessary, verify in the bucket policy that the AWS IAM users or roles that need the bucket still have appropriate access.

Fig: Selecting a bucket from the list on the AWS IAM Access Analyzer for the Amazon S3 page

After you type “confirm” and select Confirm, this finding should disappear as public access is blocked.

Fig: Blocking all public access to an Amazon S3 bucket from the AWS IAM Access Analyzer for the Amazon S3 page

If you have a legitimate use case for public access to your bucket (for example, if it holds files you publish on the internet without user authentication), first select the finding you want to archive rather than remediate.

Fig: Selecting a finding that you wish to archive on the AWS IAM Access Analyzer for Amazon S3 page

To archive the finding, input “confirm” and click Confirm. The finding is not removed from the list of buckets with public access when archived, and it can be marked as active again later.

Fig: Archiving your findings on the AWS IAM Access Analyzer for Amazon S3 page
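The console actions above (Step 2's analyzer, Step 3's two groups of findings, and Step 4's block-public-access and archive choices) map directly onto the Access Analyzer and S3 APIs. The following is an added example, not code from the post or from AWS, using boto3 (assumed installed and configured with credentials for the functions that call AWS). The triage function is pure Python and runs on a constructed sample in the shape that list_findings returns; the analyzer name, Region, bucket names, account IDs and ARNs are all placeholders.

```python
"""Triage AWS IAM Access Analyzer findings for S3 and act on them with boto3.

Added example (not from the post or AWS). boto3 is assumed to be installed
and credentials configured for the functions that call AWS; the triage logic
itself is pure Python and runs on the constructed sample below.
"""
from __future__ import annotations

from typing import Any

# Constructed sample in the shape boto3's accessanalyzer list_findings returns
# (only the fields used here). All account IDs and ARNs are placeholders.
SAMPLE_FINDINGS: list[dict[str, Any]] = [
    {"id": "f-1", "resource": "arn:aws:s3:::public-site-assets", "resourceType": "AWS::S3::Bucket",
     "isPublic": True, "status": "ACTIVE", "principal": {"AWS": "*"}, "action": ["s3:GetObject"]},
    {"id": "f-2", "resource": "arn:aws:s3:::shared-logs", "resourceType": "AWS::S3::Bucket",
     "isPublic": False, "status": "ACTIVE", "principal": {"AWS": "222222222222"},
     "action": ["s3:GetObject", "s3:ListBucket"]},
    {"id": "f-3", "resource": "arn:aws:s3:::shared-logs", "resourceType": "AWS::S3::Bucket",
     "isPublic": False, "status": "ACTIVE",
     "principal": {"AWS": "arn:aws:iam::333333333333:role/Exporter"}, "action": ["s3:PutObject"]},
    {"id": "f-4", "resource": "arn:aws:s3:::old-export", "resourceType": "AWS::S3::Bucket",
     "isPublic": True, "status": "ARCHIVED", "principal": {"AWS": "*"}, "action": ["s3:GetObject"]},
    {"id": "f-5", "resource": "arn:aws:sqs:us-east-1:111111111111:jobs", "resourceType": "AWS::SQS::Queue",
     "isPublic": False, "status": "ACTIVE", "principal": {"AWS": "444444444444"},
     "action": ["sqs:SendMessage"]},
]


def account_id_of(principal: str) -> str:
    """Reduce an AWS principal ("123456789012" or an IAM ARN) to its account ID."""
    if principal.startswith("arn:"):
        parts = principal.split(":")
        return parts[4] if len(parts) > 4 else ""
    return principal


def triage_s3_findings(findings, approved_accounts):
    """Split ACTIVE S3 bucket findings into the two groups the console shows
    (public, cross-account) and flag cross-account grants to accounts that are
    not on the approved list; those are the ones to review before archiving."""
    public, cross_account, needs_review = [], [], []
    for f in findings:
        if f.get("resourceType") != "AWS::S3::Bucket" or f.get("status") != "ACTIVE":
            continue  # other resource types, or findings already archived/resolved
        if f.get("isPublic"):
            public.append(f)
            continue
        cross_account.append(f)
        if account_id_of(f.get("principal", {}).get("AWS", "")) not in approved_accounts:
            needs_review.append(f)
    return {"public": public, "cross_account": cross_account, "needs_review": needs_review}


def create_account_analyzer(name: str, region: str) -> str:
    """Step 2 via the API: an ACCOUNT analyzer (the "Current Account" zone of trust)."""
    import boto3  # imported lazily so the triage code runs without boto3 present
    aa = boto3.client("accessanalyzer", region_name=region)
    return aa.create_analyzer(analyzerName=name, type="ACCOUNT")["arn"]


def list_active_s3_findings(analyzer_arn: str, region: str):
    """Step 3 via the API: every ACTIVE finding on an S3 bucket, across all pages."""
    import boto3
    aa = boto3.client("accessanalyzer", region_name=region)
    found = []
    for page in aa.get_paginator("list_findings").paginate(
        analyzerArn=analyzer_arn,
        filter={"resourceType": {"eq": ["AWS::S3::Bucket"]}, "status": {"eq": ["ACTIVE"]}},
    ):
        found.extend(page["findings"])
    return found


def block_public_access(bucket: str, region: str) -> None:
    """Step 4 remediation: the same four settings as the console's 'Block all public access'."""
    import boto3
    boto3.client("s3", region_name=region).put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    )


def archive_findings(analyzer_arn: str, finding_ids: list[str], region: str) -> None:
    """Step 4 for accepted access: archive the findings (they can be made ACTIVE again later)."""
    import boto3
    boto3.client("accessanalyzer", region_name=region).update_findings(
        analyzerArn=analyzer_arn, ids=finding_ids, status="ARCHIVED"
    )


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; account 2222... is pre-approved.
    result = triage_s3_findings(SAMPLE_FINDINGS, approved_accounts={"222222222222"})
    for group, items in result.items():
        print(group, [f["id"] for f in items])
```

Run stand-alone, the script prints the public finding (f-1), both cross-account findings on shared-logs, and flags only f-3 for review because account 333333333333 is not on the approved list; the archived finding and the SQS finding are ignored. The approved-accounts set is the place to encode the outcome of the manual review the post describes, so that re-running the triage after a new scan only surfaces grants to accounts nobody has signed off on.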

To host a static website, keep the bucket private and serve it through Amazon CloudFront with Origin Access Control; this gives you HTTPS support and cost savings through caching while CloudFront, not the bucket, is what the public reaches.

For cross-account access, as with public buckets, you can archive findings or mark them as active again. Review each cross-account finding to determine whether the access is granted via the bucket policy or the ACL. For example, check that every account listed in the policy actually requires access to the Amazon S3 resources it is granted.


After reviewing the policies and ACLs, you might find unnecessary permissions. Delete or update the ACLs or bucket policies accordingly. Once you have confirmed that the finding reflects only intended cross-account access, archive it.
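The cross-account review above comes down to reading the bucket policy and the ACL and listing who is granted what. The following is an added example, not code from the post or from AWS, that takes a bucket policy document (the string returned by get-bucket-policy) and an ACL (the structure returned by get-bucket-acl), both constructed samples here, and sorts each grant into public, public-but-conditional, cross-account or same-account, so the accounts you need to question are listed explicitly. The own-account ID, bucket name, Sid values, account IDs and canonical user IDs are placeholders.

```python
"""Sort the grants in an S3 bucket policy and ACL into public / cross-account / own-account.

Added example, not code from the post or from AWS. OWN_ACCOUNT, the bucket name,
Sid values, account IDs and canonical user IDs are all constructed placeholders.
"""
import json

OWN_ACCOUNT = "111111111111"  # placeholder: the account that is the analyzer's zone of trust

# Constructed sample bucket policy (what `aws s3api get-bucket-policy` returns as Policy).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/Ingest"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "OwnAccount", "Effect": "Allow", "Principal": {"AWS": "111111111111"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed sample ACL (shape of `aws s3api get-bucket-acl`).
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "other-canonical-id"}, "Permission": "WRITE"},
    ],
}

# The two predefined groups that make an ACL grant public (anyone / any AWS account).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_accounts(principal):
    """Return ("public", set()) for a wildcard principal, else ("accounts", {account ids}).
    Only the "AWS" principal key is considered; Service/Federated principals are ignored."""
    if principal == "*":
        return "public", set()
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    if "*" in aws:
        return "public", set()
    ids = {p.split(":")[4] if p.startswith("arn:") else p for p in aws}
    return "accounts", ids


def classify_policy(policy_json, own_account):
    """Bucket each Allow statement by who it grants to. Deny statements never grant
    access, so they are skipped. A wildcard principal narrowed by a Condition (for
    example aws:PrincipalOrgID) may or may not be public; it is listed separately for
    manual review rather than counted as public."""
    doc = json.loads(policy_json)
    statements = doc["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    out = {"public": [], "public_with_condition": [], "cross_account": [], "internal": []}
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        sid = s.get("Sid", "<no Sid>")
        kind, accounts = _principal_accounts(s.get("Principal", {}))
        if kind == "public":
            out["public_with_condition" if "Condition" in s else "public"].append(sid)
        else:
            external = sorted(accounts - {own_account})
            out["cross_account" if external else "internal"].append((sid, external))
    return out


def classify_acl(acl):
    """Public group grants and grants to canonical users other than the owner."""
    owner = acl["Owner"]["ID"]
    out = {"public": [], "cross_account": []}
    for g in acl.get("Grants", []):
        grantee, perm = g["Grantee"], g["Permission"]
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            out["public"].append((grantee["URI"].rsplit("/", 1)[-1], perm))
        elif grantee.get("Type") == "CanonicalUser" and grantee.get("ID") != owner:
            out["cross_account"].append((grantee["ID"], perm))
    return out


if __name__ == "__main__":
    print(json.dumps(classify_policy(SAMPLE_POLICY, OWN_ACCOUNT), indent=2))
    print(json.dumps(classify_acl(SAMPLE_ACL), indent=2))
```

On the sample, the policy yields one public statement (PublicRead), one wildcard statement that is only conditionally public (OrgOnly), one cross-account grant to 222222222222 (PartnerRead) and one same-account grant; the ACL shows an AllUsers READ grant and a WRITE grant to a non-owner canonical user. Each cross-account entry is a question to put to the bucket owner before the corresponding Access Analyzer finding is archived, and each public entry is a candidate for Block Public Access unless it is the deliberate publishing case the post describes.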

Conclusion

This post covered setting up AWS IAM Access Analyzer for Amazon S3 and managing findings. It discussed blocking public access, archiving findings, and evaluating cross-account access. AWS IAM Access Analyzer streamlines Amazon S3 resource audits, requiring setup only once per region.

Drop a query if you have any questions regarding AWS IAM Access Analyzer and we will get back to you quickly.


About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.

FAQs

1. What is AWS IAM Access Analyzer for Amazon S3?

ANS: – AWS IAM Access Analyzer for Amazon S3 is a tool that evaluates access controls within Amazon S3 buckets, helping users identify and mitigate security risks associated with public and cross-account access configurations.

2. How does AWS IAM Access Analyzer assist in evaluating public access to Amazon S3 buckets?

ANS: – AWS IAM Access Analyzer examines bucket policies and access control lists (ACLs) to identify Amazon S3 buckets that are publicly accessible, allowing users to block public access and enforce stricter security measures if necessary.

WRITTEN BY Ayush Agarwal

Ayush Agarwal works as a Subject Matter Expert at CloudThat. He is a certified AWS Solutions Architect Professional with expertise in designing and implementing scalable cloud infrastructure solutions. Ayush specializes in cloud architecture, infrastructure as code, and multi-cloud deployments, helping organizations optimize their cloud strategies and achieve operational excellence. With a deep understanding of AWS services and best practices, he guides teams in building robust, secure, and cost-effective cloud solutions. Ayush is passionate about emerging cloud technologies and continuously enhances his knowledge to stay at the forefront of cloud innovation. In his free time, he enjoys exploring new AWS services, experimenting with technologies, and trekking to discover new places and connect with nature.
