I can't find an easy way to know whether my AWS S3 buckets are public or private.
I was expecting to do list_bucket_response = s3client.list_buckets()
and directly know if the bucket is publicly accessible or not.
I've come across https://jgreenemi.com/how-to-check-if-your-s3-buckets-allow-public-read-acls/ but in my case, when I list buckets, I don't get a URI.
I also tried s3client.get_bucket_acl(Bucket=bucket_name)
without success.
You have to evaluate 3 different conditions to check whether a bucket is public or not:

get_public_access_block
According to this guide:
    response = s3client.get_public_access_block(Bucket='bucket_name')
If both of the following are set to true, then the bucket is not public:
    response['PublicAccessBlockConfiguration']['BlockPublicAcls']
    response['PublicAccessBlockConfiguration']['BlockPublicPolicy']

get_bucket_policy_status
Retrieves the policy status for an Amazon S3 bucket, indicating whether the bucket is public.
    response = s3client.get_bucket_policy_status(Bucket='bucket_name')
The bucket is public if the following is true:
    response['PolicyStatus']['IsPublic']

get_bucket_acl
    response = s3client.get_bucket_acl(Bucket='bucket_name')
The bucket is public if the ACL grants any permissions to members of the predefined AllUsers or AuthenticatedUsers groups.
Grantee (response['Grants'][*]['Grantee']):
You can further evaluate object ACLs if required.
Actually, get_bucket_policy_status will throw an exception if you turned off public access. I found this piece of code works well:
    import boto3
    import botocore

    s3 = boto3.client('s3')

    for bucket in s3.list_buckets()['Buckets']:
        try:
            access = s3.get_public_access_block(Bucket=bucket['Name'])
            print(access)
        except botocore.exceptions.ClientError as e:
            # S3 raises this error code when the bucket has no public access block configuration at all
            if e.response['Error']['Code'] == 'NoSuchPublicAccessBlockConfiguration':
                print('\t no Public Access')
            else:
                print("unexpected error: %s" % (e.response))
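As an added example that is not code from either answer, the three checks from the first answer and the exception handling from the second are combined into one function, with a constructed FakeS3 standing in for boto3.client('s3') so it runs offline; the PublicAccessBlock keys, the group URIs and the NoSuchBucketPolicy / NoSuchPublicAccessBlockConfiguration error codes are the real S3 API values. It goes a step beyond the first answer by treating only IgnorePublicAcls and RestrictPublicBuckets as neutralising an existing public ACL or policy, since BlockPublicAcls and BlockPublicPolicy only stop new ones being added.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
def _aws_error_code(exc):  # botocore's ClientError keeps the AWS error code in exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code")
def bucket_public_findings(s3, name):
    # Returns the reasons a bucket is public; an empty list means not public.
    findings = []
    try:
        pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
    except Exception as exc:
        if _aws_error_code(exc) != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = {}  # no block configuration exists, so nothing is blocked
    # Only IgnorePublicAcls / RestrictPublicBuckets neutralise *existing* public
    # ACL grants and policies; BlockPublicAcls / BlockPublicPolicy stop new ones.
    if not pab.get("RestrictPublicBuckets", False):
        try:
            if s3.get_bucket_policy_status(Bucket=name)["PolicyStatus"]["IsPublic"]:
                findings.append("bucket policy is public")
        except Exception as exc:
            if _aws_error_code(exc) != "NoSuchBucketPolicy":
                raise  # a bucket with no policy at all is fine
    if not pab.get("IgnorePublicAcls", False):
        for grant in s3.get_bucket_acl(Bucket=name)["Grants"]:
            uri = grant["Grantee"].get("URI")  # only Group grantees carry a URI
            if uri in PUBLIC_GROUPS:
                findings.append("ACL grants %s to %s" % (grant["Permission"], uri.rsplit("/", 1)[1]))
    return findings
class _AwsError(Exception):  # constructed stand-in for botocore's ClientError
    def __init__(self, code):
        self.response = {"Error": {"Code": code}}
class FakeS3:  # constructed stand-in for boto3.client('s3'); pab None = never configured
    def __init__(self, buckets):
        self.buckets = buckets
    def get_public_access_block(self, Bucket):
        pab = self.buckets[Bucket]["pab"]
        if pab is None:  # S3 raises this when no block configuration exists
            raise _AwsError("NoSuchPublicAccessBlockConfiguration")
        return {"PublicAccessBlockConfiguration": pab}
    def get_bucket_policy_status(self, Bucket):
        return {"PolicyStatus": {"IsPublic": self.buckets[Bucket]["policy_public"]}}
    def get_bucket_acl(self, Bucket):
        return {"Grants": self.buckets[Bucket]["grants"]}
READ_ALL = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
SAMPLE = FakeS3({  # constructed sample buckets
    "open-site": {"pab": None, "policy_public": True, "grants": [READ_ALL]},
    "half-blocked": {"pab": {"BlockPublicAcls": True, "BlockPublicPolicy": True},
                     "policy_public": False, "grants": [READ_ALL]},
    "locked-down": {"pab": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True},
                    "policy_public": True, "grants": [READ_ALL]},
})
```

Against a real account, pass boto3.client('s3') instead of SAMPLE and loop over list_buckets()['Buckets'] as in the answer above; the "half-blocked" sample shows why BlockPublicAcls alone does not make an existing AllUsers grant harmless.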