S3 - Check Public Access Configuration
Description
This playbook describes how to execute the Tamnoon S3 automation to find which S3 buckets have public access.
The execution resolves AWS credentials using the following fallbacks:
1. If an AWS profile or an AWS access key and secret were given, use them as the AWS credentials source.
2. If no profile was given, use the AWS credentials from environment variables.
3. If no environment variables are provided, use the current ~/.aws configuration.
After authentication via the AWS API, the script runs against the AWS account to which the credentials resolved in fallbacks 1-3 belong.
This automation investigates the policies and ACLs of S3 buckets that can allow public access to the buckets.
- Buckets are considered public if they have a policy that allows the action s3:ListBucket or s3:* to Principal * with the bucket name as the resource. For more details on policies, follow this link.
  If a bucket has a similar policy but with effect Deny, then irrespective of other policies, public access is denied.
- Buckets can also be public if they have an ACL that grants READ or FULL_CONTROL permission to Everyone (https://acs.amazonaws.com/groups/global/AllUsers). For more details on ACLs, follow this link.
- Buckets that are public can be blocked from public access by bucket-level Block Public Access and account-level Block Public Access.
- Block Public Access (BPA) is made of four values, out of which two are used for blocking public access to S3 buckets:
  - IgnorePublicAcls – ignores all the ACLs that are defined on the bucket and blocks public access to the bucket if it has been allowed via ACLs.
  - RestrictPublicBuckets – ignores all policies that are defined on the bucket and blocks public access to the bucket if it has been allowed via policies. It additionally reduces previous public access: if any account could access this bucket previously, it will now allow only accounts from the same organization as the bucket owner.
  BPA is evaluated at the account level first, then at the bucket level.
- For more details on Block Public Access, follow this link.
This automation investigates both bucket policies and ACLs to detect public accessibility. Public buckets are identified by permissions like s3:ListBucket or s3:* granted to Principal *, or by ACLs allowing READ or FULL_CONTROL to “AllUsers.”
On top of that, it checks whether S3 block public access settings are in place at both the bucket and account levels. Using this playbook is an essential step in tightening security and verifying exposure risks. As a complementary best practice, users should also enable S3 server access logging to track access and requests for audit and compliance purposes.
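The detection rules described above (policy grants to Principal *, Deny overriding Allow, ACL grants to AllUsers, and the two BPA flags applied at account level then bucket level) are shown below as a small Python evaluator. This is an added example, not Tamnoon's code and not the S3Helper module. It takes dictionaries shaped like the inner parts of the boto3 responses (the parsed `Policy` document from `get_bucket_policy`, `Grants` from `get_bucket_acl`, and the `PublicAccessBlockConfiguration` dicts from the bucket-level and account-level `get_public_access_block` calls); the sample buckets, their names and the function names are constructed assumptions so the script runs offline. It goes slightly beyond the page's wording in two places, both marked in comments: a bare `*` action is treated like `s3:*`, and Principal `{"AWS": "*"}` is treated like Principal `*`.

```python
"""Offline evaluator for the playbook's S3 public-access rules (added example,
not Tamnoon's S3Helper code).  Inputs are shaped like the inner parts of the
boto3 responses: the parsed 'Policy' document, the 'Grants' list and the
'PublicAccessBlockConfiguration' dicts.  Sample data at the bottom is constructed."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # API returns http://
PUBLIC_ACTIONS = {"s3:listbucket", "s3:*", "*"}  # bare "*" added beyond the page's rule
PUBLIC_ACL_PERMISSIONS = {"READ", "FULL_CONTROL"}
BPA_KEYS = ("IgnorePublicAcls", "RestrictPublicBuckets")  # the two BPA flags that matter

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS")))

def _targets_bucket(stmt, bucket_arn):
    """Does the statement's Resource name the bucket itself (or everything)?"""
    return any(r == "*" or r == bucket_arn or r.startswith(bucket_arn + "/")
               for r in _as_list(stmt.get("Resource")))

def policy_public_verdict(policy, bucket):
    """'allow' if a statement grants s3:ListBucket or s3:* on the bucket to everyone
    and no matching Deny exists; 'deny' if a matching Deny exists (it wins over any
    Allow); None if no statement is relevant.  Accepts a dict or a JSON string."""
    if policy is None:
        return None
    if isinstance(policy, str):  # get_bucket_policy hands back the document as text
        policy = json.loads(policy)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    verdict = None
    for stmt in _as_list(policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not (actions & PUBLIC_ACTIONS
                and _principal_is_everyone(stmt.get("Principal"))
                and _targets_bucket(stmt, bucket_arn)):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"
        if stmt.get("Effect") == "Allow":
            verdict = "allow"
    return verdict

def acl_is_public(grants):
    """True if any grant gives READ or FULL_CONTROL to the AllUsers group."""
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g.get("Grantee", {}).get("URI") == ALL_USERS
               and g.get("Permission") in PUBLIC_ACL_PERMISSIONS
               for g in grants or [])

def effective_bpa(account_bpa, bucket_bpa):
    """Account level is applied first, then bucket level; a flag is in force if
    either level sets it, i.e. the more restrictive setting wins."""
    account_bpa, bucket_bpa = account_bpa or {}, bucket_bpa or {}
    return {k: bool(account_bpa.get(k) or bucket_bpa.get(k)) for k in BPA_KEYS}

def evaluate_bucket(bucket, policy=None, acl_grants=None,
                    bucket_bpa=None, account_bpa=None):
    """Classify one bucket: how it is public, and whether BPA neutralises that."""
    verdict = policy_public_verdict(policy, bucket)
    via_policy, via_acl = verdict == "allow", acl_is_public(acl_grants)
    bpa = effective_bpa(account_bpa, bucket_bpa)
    blocked = []  # BPA flags that cancel an otherwise-public grant
    if via_policy and bpa["RestrictPublicBuckets"]:
        blocked.append("RestrictPublicBuckets")
    if via_acl and bpa["IgnorePublicAcls"]:
        blocked.append("IgnorePublicAcls")
    still_public = ((via_policy and "RestrictPublicBuckets" not in blocked)
                    or (via_acl and "IgnorePublicAcls" not in blocked))
    return {"bucket": bucket, "public_via_policy": via_policy,
            "public_via_acl": via_acl, "policy_deny": verdict == "deny",
            "blocked_by": blocked, "effectively_public": still_public}

# Constructed sample buckets (not real ones), one per rule described in the playbook.
SAMPLE_BUCKETS = [
    {"bucket": "sample-public-policy", "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::sample-public-policy"}]}},
    {"bucket": "sample-deny-wins", "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:*"],
         "Resource": "arn:aws:s3:::sample-deny-wins"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::sample-deny-wins"}]}},
    {"bucket": "sample-acl-open",
     "acl_grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                     "Permission": "FULL_CONTROL"}]},
]

def run_samples(account_bpa=None):
    """Evaluate every sample bucket, optionally under an account-level BPA."""
    return [evaluate_bucket(account_bpa=account_bpa, **b) for b in SAMPLE_BUCKETS]

if __name__ == "__main__":
    for result in run_samples():
        print(json.dumps(result))
```

Running the module prints one JSON line per sample bucket; calling `run_samples(account_bpa={"IgnorePublicAcls": True, "RestrictPublicBuckets": True})` shows how an account-level BPA setting flips every verdict to not public without touching the buckets themselves. Against a live account the same functions take `json.loads(get_bucket_policy(...)["Policy"])`, `get_bucket_acl(...)["Grants"]` and the two `PublicAccessBlockConfiguration` dicts; a `NoSuchBucketPolicy` or `NoSuchPublicAccessBlockConfiguration` error from boto3 simply means "none" for that input.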
Severity Level
High – Publicly accessible S3 buckets pose serious security risks, including data leaks and unauthorized access. Immediate action is recommended if misconfigurations are found.
When to use?
Use this playbook to audit S3 bucket configurations for public access exposure. It’s ideal during security reviews, compliance audits, or as part of a continuous cloud posture assessment.
Prerequisites
1. AWS credentials defined with the following permissions:

   Permission                     | Required for Operation
   -------------------------------|-------------------------------------------
   s3:GetBucketPolicy             | GET bucket policy
   s3:GetBucketAcl                | GET bucket ACL
   s3:GetBucketPolicyStatus       | GET bucket policy status
   s3:GetBucketPublicAccessBlock  | GET bucket Block Public Access settings
   s3:GetAccountPublicAccessBlock | GET account Block Public Access settings

2. Python v3.9 or above, with the boto3 package installed (pip install boto3)
Impact Investigation steps:
1. Clone the AWS folder from Tamnoon-Public-Playbooks
git clone --branch main --single-branch --no-checkout git@github.com:tamnoon-io/Tamnoon-Service.git
cd Tamnoon-Service
git sparse-checkout set TamnoonPlaybooks/AWS
git checkout
2. Execute the automation from the AWS directory (TamnoonPlaybooks/AWS inside the clone).
i. Using CLI parameters:
python3 -m Automations.S3Actions.S3Helper --profile --action check_public_access --bucketNames
or
python3 -m Automations.S3Actions.S3Helper --awsAccessKey --awsSecret --action check_public_access --bucketNames
This automation does not require any action parameters.
Frequently Asked Questions
What does this playbook check for in S3 buckets?
The playbook checks S3 bucket policies and ACLs for any configuration that allows public access, such as permissions granted to Principal * or ACLs with global access rights like READ or FULL_CONTROL for “AllUsers.”
How are buckets identified as publicly accessible?
Buckets are flagged as public if they have policies allowing s3:ListBucket or s3:* to everyone, or if their ACLs grant permissions to the AllUsers group. Deny policies override Allow and prevent exposure even if such conditions exist.
What AWS permissions are required to run this playbook?
You’ll need permissions like s3:GetBucketPolicy, s3:GetBucketAcl, s3:GetBucketPolicyStatus, and access to both bucket-level and account-level public access configurations.
How does the playbook evaluate S3 block public access settings?
The script queries both account-level and bucket-level S3 block public access settings, such as IgnorePublicAcls and RestrictPublicBuckets, to determine if public access is effectively restricted regardless of existing policies or ACLs.
Can I use this playbook to check all buckets at once?
Yes. You can run the script with --bucketNames all to scan every bucket in the authenticated AWS account for public access risks and permission misconfigurations.
Should I enable S3 server access logging after running this check?
Yes, it’s recommended to enable S3 server access logging for any sensitive or critical buckets. Logging tracks who accessed what and when, providing visibility for auditing and security monitoring.