s3_objects_check

Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.

AWS Open Source Self Hosted Only
Category Security Assessment & Audit
Community Stars 75
Last Commit 4 years ago
Last page update 19 days ago
Pricing Details Free and open-source under MIT License
Target Audience Security professionals and AWS administrators.

The s3_objects_check tool addresses the problem of determining the effective permissions on S3 objects, specifically finding objects readable by anyone (the AllUsers group) or by any authenticated AWS account (the AuthenticatedUsers group). The effective permission on an object is the combination of the bucket policy and the bucket and object ACLs, so reading the individual policies by hand across many objects is slow and error-prone.

Technically, the tool takes a whitebox approach built on two AWS CLI profiles, WHITEBOX_PROFILE and BLACKBOX_PROFILE. The WHITEBOX_PROFILE needs read access to S3 in the target account so it can list buckets and objects and inspect their permissions. The BLACKBOX_PROFILE stands in for an arbitrary authenticated AWS principal: it is used to probe whether objects are readable by the AuthenticatedUsers group, and it must hold no grant of its own on the target buckets or objects, otherwise every object it can read shows up as a false positive. Credentials from a separate AWS account are the safest choice, since a bucket policy that grants access to the scanning account would otherwise be indistinguishable from a public grant. The tool is written around asyncio and aiobotocore, so object checks run concurrently rather than one request at a time.

Operationally, the results are only as good as the profile setup. A BLACKBOX_PROFILE with any direct access to the buckets produces false positives; a WHITEBOX_PROFILE that cannot list every bucket or every object (for example, missing s3:ListAllMyBuckets or s3:ListBucket on some buckets) produces false negatives, because unlisted objects are never probed. The asynchronous design keeps scans of buckets with large numbers of objects fast.
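To make the two-profile logic concrete, here is an added example (not s3_objects_check's own code) that runs the check offline against a constructed fake S3 client. It assumes `whitebox` and `blackbox` are objects exposing the aiobotocore S3 client coroutines used here (`list_objects_v2`, `get_object_acl`, `head_object`); in a real scan they would be created with `aiobotocore.session.get_session().create_client("s3", ...)` under the WHITEBOX_PROFILE and BLACKBOX_PROFILE credentials. `FakeS3`, `FakeClientError`, the bucket name and all sample keys and ACLs are constructed test data.

```python
"""Added example: whitebox ACL inspection plus blackbox read probe, offline."""
import asyncio
from dataclasses import dataclass

# Canonical grantee URIs of the two global groups in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GLOBAL_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}


def public_grants(acl: dict) -> dict:
    """Map group name -> permissions for ACL grants to AllUsers/AuthenticatedUsers."""
    found: dict = {}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in GLOBAL_GROUPS:
            found.setdefault(GLOBAL_GROUPS[grantee["URI"]], set()).add(grant["Permission"])
    return found


def _error_code(exc: Exception):
    # botocore ClientError keeps the S3 error at exc.response["Error"]["Code"];
    # duck-typing it lets the constructed fake client below raise the same shape.
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


async def probe_read(blackbox, bucket: str, key: str) -> bool:
    """True if the BLACKBOX credentials can HEAD the object; False on 403."""
    try:
        await blackbox.head_object(Bucket=bucket, Key=key)
        return True
    except Exception as exc:
        if _error_code(exc) in ("403", "AccessDenied", "Forbidden"):
            return False
        raise  # throttling/network errors are scan failures, not verdicts


@dataclass
class Finding:
    bucket: str
    key: str
    acl_groups: dict         # global-group grants seen via WHITEBOX
    blackbox_readable: bool  # effective access observed via BLACKBOX

    @property
    def verdict(self) -> str:
        if self.blackbox_readable and "AllUsers" in self.acl_groups:
            return "PUBLIC: AllUsers ACL grant, confirmed readable"
        if self.blackbox_readable and "AuthenticatedUsers" in self.acl_groups:
            return "PUBLIC: AuthenticatedUsers ACL grant, readable by any AWS account"
        if self.blackbox_readable:
            return "PUBLIC: readable with no ACL grant (bucket policy likely grants it)"
        if self.acl_groups:
            return "GRANT PRESENT BUT BLOCKED: probe denied (Block Public Access or policy deny)"
        return "private"


async def scan_bucket(whitebox, blackbox, bucket: str, concurrency: int = 20) -> list:
    """List and read ACLs with WHITEBOX, probe with BLACKBOX, bounded concurrency."""
    sem = asyncio.Semaphore(concurrency)

    async def check(key: str) -> Finding:
        async with sem:
            acl = await whitebox.get_object_acl(Bucket=bucket, Key=key)
            return Finding(bucket, key, public_grants(acl), await probe_read(blackbox, bucket, key))

    tasks, kwargs = [], {"Bucket": bucket}
    while True:  # follow list_objects_v2 pagination via ContinuationToken
        page = await whitebox.list_objects_v2(**kwargs)
        tasks += [asyncio.create_task(check(o["Key"])) for o in page.get("Contents", [])]
        if not page.get("IsTruncated"):
            break
        kwargs["ContinuationToken"] = page["NextContinuationToken"]
    return sorted(await asyncio.gather(*tasks), key=lambda f: f.key)


class FakeClientError(Exception):
    """Constructed: mimics the response shape of botocore's ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3:
    """Constructed stand-in for an aiobotocore S3 client; no real AWS calls."""
    def __init__(self, acls: dict, readable: set):
        self._acls, self._readable = acls, readable

    async def list_objects_v2(self, Bucket, ContinuationToken=None):
        return {"Contents": [{"Key": k} for k in self._acls], "IsTruncated": False}

    async def get_object_acl(self, Bucket, Key):
        return self._acls[Key]

    async def head_object(self, Bucket, Key):
        if Key in self._readable:
            return {"ContentLength": 0}
        raise FakeClientError("403")  # HEAD failures surface as a bare "403" code


def _grant(uri, perm):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm}

# Constructed sample bucket: each key exercises one ACL/effective-access combination.
SAMPLE_ACLS = {
    "public.txt":  {"Grants": [_grant(ALL_USERS, "READ")]},
    "authd.txt":   {"Grants": [_grant(AUTHENTICATED_USERS, "READ")]},
    "blocked.txt": {"Grants": [_grant(ALL_USERS, "READ")]},  # grant exists, probe is denied
    "policy.txt":  {"Grants": []},                           # readable only via bucket policy
    "private.txt": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                                "Permission": "FULL_CONTROL"}]},
}
SAMPLE_READABLE = {"public.txt", "authd.txt", "policy.txt"}


def run_demo() -> dict:
    """Scan the constructed bucket and return {key: verdict}."""
    whitebox = FakeS3(SAMPLE_ACLS, set())            # lists objects and reads ACLs
    blackbox = FakeS3(SAMPLE_ACLS, SAMPLE_READABLE)  # holds no grant of its own
    findings = asyncio.run(scan_bucket(whitebox, blackbox, "example-bucket"))
    return {f.key: f.verdict for f in findings}


if __name__ == "__main__":
    for key, verdict in run_demo().items():
        print(f"{key:12s} {verdict}")
```

The two-sided check is what makes the result "effective": the ACL tells you what was granted, the blackbox probe tells you what an outsider can actually do, and the disagreements are the interesting findings (a grant that Block Public Access or a policy deny neutralises, or an object readable through a bucket policy that the ACL never mentions). Because the blackbox principal is itself authenticated, a successful probe does not by itself distinguish an AllUsers grant from an AuthenticatedUsers grant; that distinction comes from the ACL side.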

Specifically, the tool logs each object it finds with overly permissive access, flagging grants to "AllUsers" or "AuthenticatedUsers". It is a point-in-time scan: it prints its findings and exits, and keeps no history of previous runs, so tracking whether an object became public since the last scan, or retaining results for audit, has to be done outside the tool.