
Finding Potentially Public AWS S3 Buckets

Kevin Rheinheimer


If you use AWS S3 in your cloud environments, you will want to know which buckets are not configured to block public access. Use CloudQuery to export your AWS data to Postgres, making sure that the aws_s3_buckets and aws_s3_bucket_public_access_blocks tables are included in your AWS source configuration. Once that data has been synced to your Postgres database, the following query lists every bucket together with a flag that says whether public access is blocked:
select
  b.account_id,
  b.arn,
  b.name as bucket_name,
  b.creation_date,
  b.region as bucket_region,
  b.tags,
  CASE when
    -- check that all four public access block settings are true
    ((pab.public_access_block_configuration -> 'BlockPublicAcls')::boolean
      and (pab.public_access_block_configuration -> 'IgnorePublicAcls')::boolean
      and (pab.public_access_block_configuration -> 'BlockPublicPolicy')::boolean
      and (pab.public_access_block_configuration -> 'RestrictPublicBuckets')::boolean)
    -- or check that the bucket policy status reports 'IsPublic' as false
    or b.policy_status ->> 'IsPublic' = 'false'
  THEN true ELSE false
  END AS public_access_blocked
FROM
  aws_s3_buckets b
LEFT JOIN
  aws_s3_bucket_public_access_blocks pab on pab._cq_parent_id = b._cq_id
This query will yield a result that looks like this:

account_id | arn                        | bucket_name   | creation_date       | bucket_region | tags                 | public_access_blocked
1234567890 | arn:aws:s3:::test_bucket_1 | test_bucket_1 | 2024-03-01 15:34:05 | us-east-1     | {"tag":"test-value"} | true
1234567890 | arn:aws:s3:::test_bucket_2 | test_bucket_2 | 2023-05-03 11:42:07 | us-east-1     | {"tag":"test-value"} | false
This query uses PostgreSQL's built-in jsonb operators (-> and ->>) to read the AWS configuration fields, which CloudQuery stores as jsonb. It first checks that all four Block Public Access settings are enabled (they must all be true for the bucket to be fully protected, which is why they are combined with and, not or), and then checks whether the bucket policy status reports the policy as not public. If either condition holds, public_access_blocked is true, so you can focus your review on the rows that return false. Two caveats are worth keeping in mind. First, the LEFT JOIN means a bucket with no public access block configuration at all produces NULLs on the pab side; NULL and NULL is NULL, the CASE falls through to false, and the bucket is correctly reported as not blocked. Second, policy_status only describes the bucket policy, not bucket or object ACLs, so a bucket whose policy is private can still be reachable through a public ACL if the block settings are off; if you want the strict reading, keep only the four block settings in the condition.
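The following query is an added example, not part of the original post, that turns the check above into a triage list: it returns only the buckets whose Block Public Access settings are not all enabled, names the settings that are still off, and reports the bucket policy status separately instead of folding it into the verdict. It assumes the same CloudQuery tables and columns used above (aws_s3_buckets with account_id, arn, name, region, tags and policy_status; aws_s3_bucket_public_access_blocks with public_access_block_configuration and _cq_parent_id); the column names bucket_blocks, policy_is_public and missing_block_settings are aliases chosen here.

```sql
-- Added example (not from the original post): buckets that are NOT fully
-- protected by Block Public Access, with the settings still left off.
-- Assumed tables/columns: aws_s3_buckets and aws_s3_bucket_public_access_blocks
-- as synced by CloudQuery; a bucket with no public-access-block row at all is
-- treated as unblocked, which matches the AWS default when none is configured.
WITH bucket_blocks AS (
  SELECT
    b.account_id,
    b.arn,
    b.name   AS bucket_name,
    b.region AS bucket_region,
    b.tags,
    -- COALESCE turns a missing row or a missing key into false, so a NULL can
    -- never be mistaken for "blocked"
    COALESCE((p.public_access_block_configuration -> 'BlockPublicAcls')::boolean,       false) AS block_public_acls,
    COALESCE((p.public_access_block_configuration -> 'IgnorePublicAcls')::boolean,      false) AS ignore_public_acls,
    COALESCE((p.public_access_block_configuration -> 'BlockPublicPolicy')::boolean,     false) AS block_public_policy,
    COALESCE((p.public_access_block_configuration -> 'RestrictPublicBuckets')::boolean, false) AS restrict_public_buckets,
    -- policy_status is NULL when the bucket has no bucket policy at all;
    -- only a literal 'true' means the policy itself grants public access
    COALESCE(b.policy_status ->> 'IsPublic', 'no policy') AS policy_is_public
  FROM aws_s3_buckets b
  LEFT JOIN aws_s3_bucket_public_access_blocks p
         ON p._cq_parent_id = b._cq_id
)
SELECT
  account_id,
  bucket_region,
  bucket_name,
  arn,
  policy_is_public,
  -- human-readable list of the block settings that are still off
  array_remove(ARRAY[
    CASE WHEN NOT block_public_acls       THEN 'BlockPublicAcls'       END,
    CASE WHEN NOT ignore_public_acls      THEN 'IgnorePublicAcls'      END,
    CASE WHEN NOT block_public_policy     THEN 'BlockPublicPolicy'     END,
    CASE WHEN NOT restrict_public_buckets THEN 'RestrictPublicBuckets' END
  ], NULL) AS missing_block_settings,
  tags
FROM bucket_blocks
-- strict reading: every one of the four settings must be on
WHERE NOT (block_public_acls AND ignore_public_acls
           AND block_public_policy AND restrict_public_buckets)
-- narrow to one owner or team with a tag predicate, for example:
-- AND tags ->> 'EUID' = 'EUID1'
ORDER BY
  -- buckets whose policy already grants public access go to the top
  (policy_is_public = 'true') DESC,
  account_id,
  bucket_name;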
You can also use this query to search for specific S3 buckets by tag. Keep the query above as it is and add a WHERE clause after the final line to target buckets with a particular tag. For example, to list all buckets tagged with a specific EUID, you can use the following query:
select
  b.account_id,
  b.arn,
  b.name as bucket_name,
  b.creation_date,
  b.region as bucket_region,
  b.tags,
  CASE when
    -- check that all four public access block settings are true
    ((pab.public_access_block_configuration -> 'BlockPublicAcls')::boolean
      and (pab.public_access_block_configuration -> 'IgnorePublicAcls')::boolean
      and (pab.public_access_block_configuration -> 'BlockPublicPolicy')::boolean
      and (pab.public_access_block_configuration -> 'RestrictPublicBuckets')::boolean)
    -- or check that the bucket policy status reports 'IsPublic' as false
    or b.policy_status ->> 'IsPublic' = 'false'
  THEN true ELSE false
  END AS public_access_blocked
FROM
  aws_s3_buckets b
LEFT JOIN
  aws_s3_bucket_public_access_blocks pab on pab._cq_parent_id = b._cq_id
WHERE
  b.tags ->> 'EUID' = 'EUID1'
This query yields a slightly different result; note the EUID in the tags field:

account_id | arn                        | bucket_name   | creation_date       | bucket_region | tags             | public_access_blocked
7890123456 | arn:aws:s3:::euid_bucket_1 | euid_bucket_1 | 2024-03-01 15:34:05 | eu-central-1  | {"EUID":"EUID1"} | true

Written by Kevin Rheinheimer

Kevin is a senior data engineer at CloudQuery, specializing in cloud data infrastructure and application development.
