1

I'm trying to list all the buckets with some kind of public access in an account.

The question is: is my rationale correct?

  1. I first checked buckets' access block configuration:
filtered_buckets = list(filter(lambda item: not list_in_list(exceptions, item['Name']), buckets))
public_buckets = []
public_acl_indicator = ['http://acs.amazonaws.com/groups/global/AllUsers','http://acs.amazonaws.com/groups/global/AuthenticatedUsers']
permissions_to_check = ['READ', 'WRITE']

def check_bucket_access_block():
    for bucket in filtered_buckets:
        try:
            response = s3client.get_public_access_block(Bucket=bucket['Name'])
            for key, value in response['PublicAccessBlockConfiguration'].items():
                logger.info('Bucket: {}, {}: {}'.format(bucket['Name'], key, value))
                if not response['PublicAccessBlockConfiguration']['BlockPublicAcls'] and not response['PublicAccessBlockConfiguration']['BlockPublicPolicy'] and bucket['Name'] not in public_buckets:
                    public_buckets.append(bucket['Name'])
        except botocore.exceptions.ClientError as e:
            if e.response['Error']['Code'] == 'NoSuchPublicAccessBlockConfiguration':
                logger.info("Bucket: {} has no Public Access Block Configuration".format(bucket['Name']))
            else:
                logger.info("unexpected error: %s" % (e.response))

If any bucket is set to False on both BlockPublicAcls and BlockPublicPolicy, then it IS public. No matter how they configured on Policies and ACLs(correct?).

  1. Then, I proceed to check the buckets' policy status:
 def check_bucket_status():
    try:
        for bucket in filtered_buckets:
            response = s3client.get_bucket_policy_status(Bucket=bucket['Name'])['PolicyStatus']['IsPublic']
            logger.info('Bucket Name: {}, Public: {}'.format(bucket['Name'], response))
            if response == True and bucket['Name'] not in public_buckets:
                public_buckets.append(bucket['Name'])
    except botocore.exceptions.ClientError as e:
        logger.info("unexpected error: %s" % (e.response))

If a bucket returns true for isPublic, then it IS public. No matter the previous function result.

  1. In the last step, I check the buckets ACLs for AllUser and AuthenticadedUsers permissions:
def check_bucket_acl():
    for bucket in filtered_buckets:
        try:
            response = s3client.get_bucket_acl(Bucket=bucket['Name'])
            logger.info('Bucket: {}, ACL: {}'.format(bucket['Name'], response['Grants']))
            for grant in response['Grants']:
                for (key, value) in grant.items():
                    if key == 'Permission' and any(permission in value for permission in permissions_to_check):
                        for (grantee_key, grantee_value) in grant['Grantee'].items():
                            if 'URI' in grantee_key and grant['Grantee']['URI'] in public_acl_indicator:
                                if bucket['Name'] not in public_buckets:
                                    public_buckets.append(bucket['Name'])
        except botocore.exceptions.ClientError as e:
            logger.info("unexpected error: %s" % (e.response))

When I print the full result, it outputs some buckets. All of them were caught in the first step:

check_bucket_access_block()
logger.info('\n')
check_bucket_status()
logger.info('\n')
check_bucket_acl()
logger.info('\n')
logger.info('Public Buckets: {}'.format(public_buckets))

Another question: Is it necessary to check the Objects' ACLs after going through all these steps? If yes, why?

4

1 回答 1

1

如果任何存储桶在 BlockPublicAcls 和 BlockPublicPolicy 上都设置为 False,则它是公开的。无论他们如何配置策略和 ACL(正确?)。

不,这根本不正确。这只是意味着允许存储桶具有公共策略/ACL,并不意味着存储桶实际上具有公共策略/ACL。

于 2022-02-07T17:53:26.097 回答