Scan the ACLs and public-access settings of the S3 buckets in one region
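#!/bin/bash
#
# Report the access posture of every S3 bucket that lives in one region.
# For each bucket: ACL owner, every ACL grant, grants to the AllUsers /
# AuthenticatedUsers groups, whether the bucket policy is public (and which
# principals it names), and the bucket-level public access block settings.
#
# Usage:   ./scan-bucket-acls.sh [REGION]      (default region: us-west-2)
# Needs:   aws CLI and jq on PATH; read-only S3 permissions
#          (s3:ListAllMyBuckets, s3:GetBucketLocation, s3:GetBucketAcl,
#          s3:GetBucketPolicyStatus, s3:GetBucketPolicy,
#          s3:GetBucketPublicAccessBlock).
#
# Scope: this checks the bucket-level public access block only; the
# account-level block and the bucket's Object Ownership (ACLs disabled)
# setting are not consulted, so an ACL grant flagged here may already be
# neutralised — treat the output as indicators to verify, not a verdict.
set -euo pipefail

readonly ALL_USERS_URI="http://acs.amazonaws.com/groups/global/AllUsers"
readonly AUTH_USERS_URI="http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print the region a bucket lives in.
# Arguments: $1 - region used for the API endpoint, $2 - bucket name
# Outputs:   region name on stdout
#######################################
bucket_region() {
  local region=$1 bucket=$2 loc
  loc=$(aws s3api get-bucket-location --region "$region" --bucket "$bucket" \
          --query "LocationConstraint" --output text)
  # LocationConstraint is null for us-east-1 buckets, which the CLI prints as
  # the literal "None"; legacy eu-west-1 buckets report "EU".
  case "$loc" in
    None) loc="us-east-1" ;;
    EU) loc="eu-west-1" ;;
  esac
  printf '%s\n' "$loc"
}

#######################################
# Print the ACL owner, all grants, and any grant to the public groups.
# Arguments: $1 - region, $2 - bucket name
#######################################
report_acl() {
  local region=$1 bucket=$2 acl owner public_all public_auth
  acl=$(aws s3api get-bucket-acl --region "$region" --bucket "$bucket")
  # Feed JSON to jq via a here-string: an unquoted `echo $acl` would word-split
  # and glob the document before jq ever saw it.
  owner=$(jq -r '.Owner.DisplayName // .Owner.ID' <<<"$acl")
  printf 'Owner: %s\n' "$owner"
  printf 'Permissions:\n'
  jq -r '.Grants[] | " " + (.Grantee.DisplayName // .Grantee.URI // .Grantee.ID // "Unknown") + " => " + .Permission' <<<"$acl"
  printf 'Public Access Analysis:\n'
  # AllUsers: readable/writable by anyone on the internet, no credentials.
  public_all=$(jq -r --arg uri "$ALL_USERS_URI" \
    '.Grants[] | select(.Grantee.URI==$uri) | .Permission' <<<"$acl")
  if [[ -n "$public_all" ]]; then
    printf '⚠️ PUBLIC TO EVERYONE: %s\n' "$public_all"
    printf 'URL: https://%s.s3.%s.amazonaws.com/\n' "$bucket" "$region"
  fi
  # AuthenticatedUsers: any AWS account, not just this one.
  public_auth=$(jq -r --arg uri "$AUTH_USERS_URI" \
    '.Grants[] | select(.Grantee.URI==$uri) | .Permission' <<<"$acl")
  if [[ -n "$public_auth" ]]; then
    printf '⚠️ PUBLIC TO AWS USERS: %s\n' "$public_auth"
  fi
}

#######################################
# Report whether the bucket policy grants public access, and its principals.
# Arguments: $1 - region, $2 - bucket name
#######################################
report_policy() {
  local region=$1 bucket=$2 status is_public policy principals
  # stderr is captured too so a failed call can be distinguished: "no policy"
  # is a normal outcome, "access denied" means the check did not run.
  if ! status=$(aws s3api get-bucket-policy-status --region "$region" --bucket "$bucket" 2>&1); then
    if [[ "$status" != *NoSuchBucketPolicy* ]]; then
      printf '⚠️ Could not read bucket policy status: %s\n' "$status"
    fi
    return 0
  fi
  is_public=$(jq -r '.PolicyStatus.IsPublic' <<<"$status")
  [[ "$is_public" == "true" ]] || return 0
  printf '⚠️ BUCKET POLICY: Public access\n'
  if ! policy=$(aws s3api get-bucket-policy --region "$region" --bucket "$bucket" 2>&1); then
    printf ' Principals: could not read policy (%s)\n' "$policy"
    return 0
  fi
  # .Policy is a JSON document encoded as a string; Statement may be a single
  # object rather than an array, so normalise before iterating.
  principals=$(jq -r '.Policy | fromjson | .Statement | (if type=="array" then .[] else . end) | .Principal | tostring' <<<"$policy" | tr '\n' ' ')
  printf ' Principals: %s\n' "$principals"
}

#######################################
# Report the bucket-level public access block configuration.
# Arguments: $1 - region, $2 - bucket name
#######################################
report_public_access_block() {
  local region=$1 bucket=$2 out config
  if out=$(aws s3api get-public-access-block --region "$region" --bucket "$bucket" 2>&1); then
    config=$(jq -r '.PublicAccessBlockConfiguration | to_entries | map("\(.key): \(.value)") | join(", ")' <<<"$out")
    printf 'Public access blocks: %s\n' "$config"
  elif [[ "$out" == *NoSuchPublicAccessBlockConfiguration* ]]; then
    printf '⚠️ No public access blocks\n'
  else
    # Any other failure (e.g. missing permission) is not evidence of "no block".
    printf '⚠️ Could not read public access block settings: %s\n' "$out"
  fi
}

main() {
  local region=${1:-us-west-2}
  local tool buckets bucket loc
  for tool in aws jq; do
    command -v "$tool" >/dev/null || die "required tool not found: $tool"
  done
  printf 'Listing S3 buckets in region %s and their permissions...\n' "$region"
  printf 'Finding buckets in region %s...\n' "$region"
  # list-buckets is account-wide; the region here only selects the endpoint,
  # so each bucket's real location is checked below before it is reported.
  buckets=$(aws s3api list-buckets --region "$region" --query "Buckets[].Name" --output text)
  printf 'Analyzing buckets in region %s...\n' "$region"
  # Bucket names cannot contain whitespace or glob characters, so splitting
  # the tab-separated text output with an unquoted expansion is safe here.
  for bucket in $buckets; do
    loc=$(bucket_region "$region" "$bucket")
    [[ "$loc" == "$region" ]] || continue
    printf '==================== %s ====================\n' "$bucket"
    report_acl "$region" "$bucket"
    report_policy "$region" "$bucket"
    report_public_access_block "$region" "$bucket"
  done
  printf '=======================================\n'
  printf 'Scan complete!\n'
}

main "$@"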