s3_access_check.sh
#!/bin/bash
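# Target bucket (overridable by the first positional argument) and the
# AWS CLI profile used for every IAM call.
BUCKET_NAME="sample_bucket"
PROFILE=""

#######################################
# Print usage to stderr and exit with status 1.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stderr
#######################################
usage() {
  echo "Usage: $0 [bucket_name] --profile <profile_name>" >&2
  echo "Example: $0 sample_bucket --profile admin" >&2
  exit 1
}

# Parse arguments: an optional bucket name plus a mandatory --profile.
while [[ $# -gt 0 ]]; do
  case $1 in
    --profile)
      # A trailing `--profile` with no value would make `shift 2` fail and
      # leave $# unchanged, so the loop would never terminate.
      [[ $# -ge 2 ]] || usage
      PROFILE="$2"
      shift 2
      ;;
    *)
      BUCKET_NAME="$1"
      shift
      ;;
  esac
done
[[ -n "$PROFILE" ]] || usage

echo "Checking S3 bucket access: $BUCKET_NAME"
echo "Using profile: $PROFILE"
echo "========================================"

# Enumerate IAM users with the given profile. A failure here means the
# profile is not configured or lacks permission to list users; stderr from
# the CLI is discarded, so the message below is the only diagnostic.
if ! users=$(aws iam list-users --profile "$PROFILE" --query 'Users[].UserName' --output text 2>/dev/null); then
  echo "✗ Unable to list IAM users with profile '$PROFILE'" >&2
  exit 1
fi
if [ -z "$users" ]; then
  echo "No IAM users found in the account"
  exit 0
fi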
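#######################################
# Heuristic test of whether one IAM policy document grants access to the
# target bucket. This is a text match on the JSON, not an IAM policy
# evaluation: Effect "Deny", NotAction/NotResource, Condition blocks,
# permissions boundaries, SCPs and the bucket's own policy are all ignored,
# and the wildcard-Resource rule also fires for statements that are not
# about S3 at all. A match therefore means "likely", as the per-key output
# already says.
# Globals:   BUCKET_NAME (read)
# Arguments: $1 - policy document JSON as printed by the AWS CLI
# Returns:   0 if the document looks like it grants access, 1 otherwise
#######################################
check_bucket_access() {
  local policy_content="$1"
  # Any statement whose Resource is a wildcard.
  if printf '%s\n' "$policy_content" | grep -q '"Resource".*"\*"'; then
    return 0
  fi
  # The bucket ARN itself, an object ARN below it, or a wildcard suffix.
  # Fixed-string matching with a terminator keeps regex metacharacters in
  # the bucket name inert and stops "<bucket>2" from matching "<bucket>".
  if printf '%s\n' "$policy_content" | grep -qF \
    -e "arn:aws:s3:::${BUCKET_NAME}\"" \
    -e "arn:aws:s3:::${BUCKET_NAME}/" \
    -e "arn:aws:s3:::${BUCKET_NAME}*"; then
    return 0
  fi
  # Full S3 access.
  if printf '%s\n' "$policy_content" | grep -q '"Action".*"s3:\*"'; then
    return 0
  fi
  return 1
}

#######################################
# Print the default-version document of a managed policy.
# Globals:   PROFILE (read)
# Arguments: $1 - policy ARN
# Outputs:   the policy document JSON on stdout
# Returns:   non-zero (printing nothing) when the policy cannot be read
#######################################
managed_policy_document() {
  local policy_arn="$1"
  local version_id
  version_id=$(aws iam get-policy --policy-arn "$policy_arn" --profile "$PROFILE" --query 'Policy.DefaultVersionId' --output text 2>/dev/null) || return 1
  aws iam get-policy-version --policy-arn "$policy_arn" --version-id "$version_id" --profile "$PROFILE" --query 'PolicyVersion.Document' 2>/dev/null
}

# Check each user's access to the S3 bucket. Only IAM users are examined;
# roles and the bucket policy are out of scope. User, group and policy
# names are word-split from `--output text`: IAM forbids whitespace and
# glob characters in all three, so the unquoted expansions below are safe.
for user in $users; do
  echo "Checking user: $user"
  has_s3_access=false

  # 1. Managed policies attached directly to the user.
  user_policies=$(aws iam list-attached-user-policies --user-name "$user" --profile "$PROFILE" --query 'AttachedPolicies[].PolicyArn' --output text 2>/dev/null)
  for policy_arn in $user_policies; do
    policy_content=$(managed_policy_document "$policy_arn") || continue
    if check_bucket_access "$policy_content"; then
      has_s3_access=true
      break
    fi
  done

  # 2. Inline policies on the user.
  if [ "$has_s3_access" = false ]; then
    inline_policies=$(aws iam list-user-policies --user-name "$user" --profile "$PROFILE" --query 'PolicyNames' --output text 2>/dev/null)
    for policy_name in $inline_policies; do
      policy_content=$(aws iam get-user-policy --user-name "$user" --policy-name "$policy_name" --profile "$PROFILE" --query 'PolicyDocument' 2>/dev/null)
      if check_bucket_access "$policy_content"; then
        has_s3_access=true
        break
      fi
    done
  fi

  # 3. Policies reached through group membership, both managed policies
  #    attached to the group and policies inlined on it.
  if [ "$has_s3_access" = false ]; then
    groups=$(aws iam get-groups-for-user --user-name "$user" --profile "$PROFILE" --query 'Groups[].GroupName' --output text 2>/dev/null)
    for group in $groups; do
      group_policies=$(aws iam list-attached-group-policies --group-name "$group" --profile "$PROFILE" --query 'AttachedPolicies[].PolicyArn' --output text 2>/dev/null)
      for policy_arn in $group_policies; do
        policy_content=$(managed_policy_document "$policy_arn") || continue
        if check_bucket_access "$policy_content"; then
          has_s3_access=true
          break 2
        fi
      done
      group_inline=$(aws iam list-group-policies --group-name "$group" --profile "$PROFILE" --query 'PolicyNames' --output text 2>/dev/null)
      for policy_name in $group_inline; do
        policy_content=$(aws iam get-group-policy --group-name "$group" --policy-name "$policy_name" --profile "$PROFILE" --query 'PolicyDocument' 2>/dev/null)
        if check_bucket_access "$policy_content"; then
          has_s3_access=true
          break 2
        fi
      done
    done
  fi

  # Report per active access key. Console (password) sign-in is not
  # examined, so a user with a policy match but no keys is only reported
  # as having no active access keys.
  access_keys=$(aws iam list-access-keys --user-name "$user" --profile "$PROFILE" --query 'AccessKeyMetadata[?Status==`Active`].AccessKeyId' --output text 2>/dev/null)
  if [ -z "$access_keys" ]; then
    echo " No active access keys"
  else
    for key_id in $access_keys; do
      if [ "$has_s3_access" = true ]; then
        echo " ✓ Access Key $key_id: Likely has S3 access"
      else
        echo " ✗ Access Key $key_id: No S3 permissions found"
      fi
    done
  fi
  echo ""
done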

ensean commented Oct 14, 2025

  1. 确保本地 profile 权限能够 list 所有用户
  2. ./s3_access_check.sh bucket_name --profile-name profile_name
