Skip to content

Amazon S3

AWS S3 uses the AWS IAM authorization system to manage access to S3 buckets. AWS IAM implements both role-based and attribute-based access control approaches. AWS IAM lets you set allow or deny policies for actions taken on resources by principals (users). These are called identity-based policies.

There are several types of principals in AWS IAM, including IAM user, IAM role, federated user, AWS service, or an anonymous principal. Principals, in the same account or not, may assume IAM roles to gain permissions to actions on resources. To allow a principal to assume an IAM role, a trust relationship is defined on the role which specifies which principals and under what conditions are allowed to assume the role.

In addition to the identity-based policies described above, an S3 bucket may also have a policy attached to it called a resource-based policy. This policy can allow principals to perform actions on the S3 bucket directly.

universal-data-permissions-scanner simulates the AWS policy evaluation process to determine the final set of allowed actions granted to principals on S3 buckets.

Setup Access to Scan S3 Buckets in an AWS Account

To enable universal-data-permissions-scanner to scan the AWS IAM system for S3 bucket permissions, perform the following steps: 1. For each AWS account, create a role to be assumed by the udps 2. Attached the following policy to the new role: 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SatoriAnalyzer",
            "Effect": "Allow",
            "Action": [
                "iam:List*",
                "iam:Get*",
                "s3:ListAccessPointsForObjectLambda",
                "s3:GetAccessPoint",
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketTagging",
                "s3:GetAccessPointPolicyForObjectLambda",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:GetObjectVersionAttributes",
                "s3:GetBucketPolicy",
                "s3:GetObjectAcl",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetAccessPointPolicyStatus",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetMultiRegionAccessPointPolicyStatus",
                "s3:GetBucketPolicyStatus",
                "s3:GetObjectRetention",
                "s3:GetMultiRegionAccessPointPolicy",
                "s3:GetBucketWebsite",
                "s3:GetAccessPointPolicyStatusForObjectLambda",
                "s3:ListAccessPoints",
                "s3:GetMultiRegionAccessPoint",
                "s3:GetObjectAttributes",
                "s3:ListMultiRegionAccessPoints",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetObjectLegalHold",
                "s3:GetAccessPointConfigurationForObjectLambda",
                "s3:DescribeMultiRegionAccessPointOperation",
                "s3:GetObject",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetAccessPointPolicy",
                "s3:GetObjectVersion",
                "sso:ListAccountAssignments",
                "sso:ListAccountsForProvisionedPermissionSet",
                "sso:ListInstances",
                "sso:ListPermissionSets",
                "sso:DescribePermissionSet",
                "identitystore:ListUsers",
                "identitystore:ListGroups",
                "identitystore:ListGroupMemberships"
            ],
            "Resource": "*"
        }
    ]
}
3. Add the following statement to the role’s Trust Relationships 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "<ARN-TRUSTED-PRINCIPAL>"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
ARN-TRUSTED-PRINCIPAL is the AWS ARN of the authenticated principal, such as an IAM or federated user which will be running universal-data-permissions-scanner.

Scanning S3 Buckets in an AWS Account

universal-data-permissions-scanner will assume the role arn specified in the --target-account-params parameter to scan the permissions of S3 buckets located in the role's AWS account . Use the optional --additional-account-params parameter to specify additional AWS accounts which may contain information about principals. For example, it's common to organize AWS accounts hierarchically, and manage users in a root account, allowing them to assume roles in sub-accounts.

AWS-ACCOUNT-ASSUME-ROLE-PARAMS is string parameter with format: "role_arn: <ROLE-ARN>"

udps aws-s3 \
    --target-account-params <AWS-ACCOUNT-ASSUME-ROLE-PARAMS>
    [--additional-account-params  <AWS-ACCOUNT-ASSUME-ROLE-PARAMS>]

Known Limitations

The following AWS features are not currently supported by universal-data-permissions-scanner:

  • Policy evaluation
    • AWS organization policies
    • Principal permissions boundary
  • Policy elements
    • Placeholders like {"aws:username}"
    • Session tags
    • Conditions
  • S3 bucket
    • ACL policy
    • Public access settings
    • Cross-origin resource sharing settings
  • Principal resolving from:
    • SAML providers
    • Web identity providers
    • OIDC providers
    • Canonical ID in S3 bucket policy