- 最新
- 最多得票
- 最多評論
Good question!
The most out of the box method would be Trusted Advisor comes with a security check for S3 Buckets "Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions or allow access to any authenticated AWS user. Bucket permissions that grant List access can result in higher than expected charges if objects in the bucket are listed by unintended users at a high frequency. Bucket permissions that grant Upload/Delete access create potential security vulnerabilities by allowing users that to add, modify, or remove items in a bucket."
Trusted Advisor: https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-check-reference.html https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/
This is typically done via the S3 Block Public Access controls as listed above. However if you're looking for a more granular level on the objects themselves, you could iterate through on the objects to GetObjectACL. To be truly public, this would have to work in conjunction with the S3 Block Public Access.
On a side note, AWS recommends not using ACLs in general. Check out this newer feature of Object Ownership: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html.
Maybe you should try something like that:
#!/bin/bash
my_buckets=$(aws s3 ls | awk '{print $3}')
for bucket in $my_buckets; do
for key in $(aws s3 ls --recursive s3://$bucket/ | awk '{print $4}'); do
object_acl=$(aws s3api get-object-acl --bucket $bucket --key $key)
result_found=$(echo $object_acl | grep "AllUsers")
if [ ! -z "$result_found" ] ; then
echo $bucket
echo $key;
echo $object_acl;
fi;
done
done
相關內容
- AWS 官方已更新 2 年前