May 19, 2025

Auditing AWS S3 Bucket Permissions with S3 Inspector

Misconfigured S3 buckets are a common security risk. If your cloud environment stores sensitive data in S3, it’s critical to ensure no buckets are unintentionally public. S3 Inspector is a lightweight tool that helps you scan for public access and generate a clear, actionable report.

It runs on Linux, macOS, and Windows under Python 2.7 or Python 3 (Python 2.7 has been end-of-life since 2020, so use Python 3 where you can). It can also be deployed as an AWS Lambda function for scheduled scans.


What S3 Inspector Does

When you run S3 Inspector, it checks all buckets in your account and provides:

  • A public/private status indicator for each bucket
  • A breakdown of permissions for any bucket marked public
  • A list of accessible URLs (if public)

This gives you a quick view of potential exposure and access risks across your S3 environment.


Getting Started: IAM Setup

Option 1: Create a New IAM User

  1. Open the IAM console
  2. Click Users → Add user
  3. Choose a username and check Programmatic access
  4. Click Next: Permissions
  5. Attach the AmazonS3ReadOnlyAccess policy. Note that this managed policy grants s3:Get* and s3:List* on every bucket, which includes reading object contents; if you need least privilege, attach a custom policy limited to the bucket-metadata calls an ACL-based scan needs (typically s3:ListAllMyBuckets, s3:GetBucketAcl and s3:GetBucketLocation) instead
  6. Create the user and copy the Access key ID and Secret access key. These are long-lived credentials, so keep them only on the machine that runs the scan and rotate or delete them when the audit is done
  7. Create a ~/.aws/credentials file, readable only by your user (chmod 600), with the following:

    [default]
    aws_access_key_id = YOUR_ACCESS_KEY
    aws_secret_access_key = YOUR_SECRET_KEY

Option 2: Use an Existing IAM Profile

If you already have a profile in ~/.aws/credentials, run the script and pick that profile at the prompt:

    python s3inspector.py

When prompted:

    Enter your AWS profile name [default]:

press Enter to use default, or type the name of your profile.


Running S3 Inspector

To execute the scan:

    python s3inspector.py

You’ll receive a report listing each bucket as public or private, with the offending permissions and the reachable URLs for any bucket marked public.


Running S3 Inspector as a Lambda Function

You can also deploy S3 Inspector as a Lambda function and automate regular checks.

Step 1: Create an SNS Topic

  1. Open the SNS console
  2. Click Topics → Create topic
  3. Set a name and description
  4. Create a subscription with Email protocol
  5. Confirm the subscription via the email you receive
  6. Copy the topic ARN and set it in the SNS_RESOURCE_ARN variable in the s3inspector.py script

Step 2: Create the Lambda Function

  1. Open the Lambda console
  2. Choose Create function → Author from scratch
  3. Name the function s3inspector
  4. Assign an execution role with basic Lambda execution (CloudWatch Logs), S3 read permissions, and sns:Publish on the topic from Step 1; without the SNS permission the function can scan but cannot deliver its report
  5. In the configuration:
    • Set the runtime to a current Python 3 version (the script supports Python 3, and Lambda no longer offers the Python 2.7 runtime for new functions)
    • Set the handler to s3inspector.lambda_handler
    • Paste the script contents into the editor
    • Set the timeout to at least 1 minute, longer for accounts with many buckets, since every bucket is queried individually
  6. Save and test with an empty event, then add a trigger such as a scheduled EventBridge rule so the scan runs regularly
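The following is an added example, not code from the S3 Inspector project, showing the check behind the report described under "What S3 Inspector Does" and a lambda_handler shaped like the one deployed above. It goes beyond the page's ACL-only wording: a bucket is classified as public if its ACL grants a permission to AllUsers or AuthenticatedUsers, or if its bucket policy allows an anonymous principal, and the account's Block Public Access settings are honoured as overrides. The handler reads the topic ARN from an SNS_RESOURCE_ARN environment variable (this example's convention; the original script expects it edited into the source) and, beyond the S3 read calls, needs sns:Publish on that topic. The ACL under SAMPLE_PUBLIC_ACL is constructed sample data; boto3 is only imported inside the handler so the classification functions run offline.

```python
"""Added example, not the S3 Inspector project's code: the public/private
check such a scanner performs (ACL grants, bucket policy, Block Public
Access) plus a Lambda handler that runs it and publishes the report to SNS."""
import json
import os

PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

# Constructed sample ACL: READ granted to everyone, as a public bucket returns it.
SAMPLE_PUBLIC_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]}, "Permission": "READ"},
]

def acl_public_grants(grants):
    """(group, permission) pairs that expose the bucket to everyone.
    AuthenticatedUsers means any AWS account at all, so it counts as public."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"]) for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def _anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return principal == "*"

def policy_public_statements(policy):
    """Sids of Allow statements with an anonymous principal. A Condition
    narrows exposure but is still anonymous access, so it is flagged, not skipped."""
    statements = (policy or {}).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [s.get("Sid", "<no Sid>") + (" (conditional)" if s.get("Condition") else "")
            for s in statements
            if s.get("Effect") == "Allow" and _anonymous(s.get("Principal"))]

def classify_bucket(grants, policy=None, public_access_block=None):
    """Return (status, reasons). Block Public Access settings override the raw
    ACL and policy: IgnorePublicAcls and RestrictPublicBuckets respectively."""
    pab = public_access_block or {}
    reasons = []
    if not pab.get("IgnorePublicAcls"):
        reasons += ["ACL grants %s to %s" % (p, who) for who, p in acl_public_grants(grants)]
    if not pab.get("RestrictPublicBuckets"):
        reasons += ["policy statement %s allows anonymous access" % sid
                    for sid in policy_public_statements(policy)]
    return ("public" if reasons else "private", reasons)

def bucket_url(name, region):
    """Virtual-hosted URL to try for a public bucket (region None means us-east-1)."""
    host = "s3.amazonaws.com" if region in (None, "us-east-1") else "s3.%s.amazonaws.com" % region
    return "https://%s.%s/" % (name, host)

def format_report(results):
    """results: (name, status, reasons) triples -> text body for the SNS e-mail."""
    lines = []
    for name, status, reasons in results:
        lines.append("%-8s %s" % (status.upper(), name))
        lines += ["    - " + r for r in reasons]
    return "\n".join(lines)

def lambda_handler(event, context):
    """Lambda entry point. Reads the topic ARN from the SNS_RESOURCE_ARN
    environment variable (this example's convention, not the script's)."""
    import boto3                      # imported here so the checks above run offline
    from botocore.exceptions import ClientError

    s3, sns = boto3.client("s3"), boto3.client("sns")
    results = []
    for bucket in s3.list_buckets()["Buckets"]:
        name, policy, pab = bucket["Name"], None, None
        grants = s3.get_bucket_acl(Bucket=name)["Grants"]
        region = s3.get_bucket_location(Bucket=name)["LocationConstraint"]
        try:
            policy = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
        except ClientError as err:    # most buckets simply have no policy
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:    # no per-bucket Block Public Access configured
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
        status, reasons = classify_bucket(grants, policy, pab)
        if status == "public":
            reasons.append("URL: " + bucket_url(name, region))
        results.append((name, status, reasons))
    report = format_report(results)
    sns.publish(TopicArn=os.environ["SNS_RESOURCE_ARN"],
                Subject="S3 Inspector report", Message=report)
    return {"statusCode": 200, "body": report}
```

The role for this handler needs s3:ListAllMyBuckets, s3:GetBucketAcl, s3:GetBucketLocation, s3:GetBucketPolicy and s3:GetBucketPublicAccessBlock plus sns:Publish on the topic; it never reads object contents. Conditional anonymous statements are reported rather than hidden because an aws:SourceIp or aws:Referer condition is a weak boundary that a reviewer should still see.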

Final Thoughts

S3 Inspector is a simple, effective way to scan for public access in your AWS environment. Whether used as a one-off script or deployed as part of a continuous audit via Lambda, it helps teams proactively secure data stored in Amazon S3.

Need help with AWS security audits or IAM best practices? Talk to AVM Consulting