S3 bucket security audit

At &yet we are always looking to make sure that our site and its data are secure - just part of what we do. We also have on staff some very good security folks as part of ^Lift Security, and they are always making sure things are tight :)

Making sure your S3 buckets are not accidentally open to the world is a tedious button-clicking process if you only use the AWS S3 Console. Heck, even if you script it using something like Python's Boto library, the output is not obvious. The output from boto's Grant class looks something like:

READ ops
WRITE ops
READ_ACP ops
WRITE_ACP ops
READ None

Not exactly helpful, especially that last line - nothing there tells you that you have granted READ permissions to AllUsers.

So I created a super-simple script named s3scan that pulls your AWS key info from a config file, runs through the buckets and generates:

foo_bucket -- owner only
bar_bucket -- Write: AuthenticatedUsers
baz_bucket -- Read: AllUsers

Whiz-bang features like command-line options and all that can come later - hope it helps!
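Here is an added example of the classification step, written for this post and not the s3scan script itself (which was written against the old boto library). It works on the Owner/Grants structure that boto3's get_bucket_acl() returns; the owner ID and the three sample ACLs are constructed so the script runs offline, and scan_account() is the only part that needs boto3 and AWS credentials.

```python
"""
Added example: summarise S3 bucket ACLs in the "bucket -- Read: AllUsers" style.

The classification works on the Owner/Grants structure that boto3's
get_bucket_acl() returns. The sample ACLs at the bottom are constructed
for the demo so the script runs offline; scan_account() is the live path.
"""
from collections import defaultdict

# Well-known group URIs that S3 uses for public and semi-public grantees.
GROUP_NAMES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
    "http://acs.amazonaws.com/groups/s3/LogDelivery": "LogDelivery",
}
PUBLIC_GROUPS = {"AllUsers", "AuthenticatedUsers"}

# Readable labels for ACL permissions, in the order we want them reported.
PERMISSION_LABELS = {
    "FULL_CONTROL": "FullControl",
    "WRITE": "Write",
    "WRITE_ACP": "WriteACP",
    "READ": "Read",
    "READ_ACP": "ReadACP",
}


def grantee_name(grantee):
    """Short name for a grantee: well-known group name, else display name/ID/email."""
    if grantee.get("Type") == "Group":
        uri = grantee.get("URI", "")
        return GROUP_NAMES.get(uri, uri)
    return (grantee.get("DisplayName") or grantee.get("ID")
            or grantee.get("EmailAddress") or "unknown")


def summarize_acl(acl):
    """
    'owner only' when every grant goes to the bucket owner, otherwise one
    'Perm: grantee[, grantee]' item per permission granted to someone else.
    """
    owner_id = acl["Owner"]["ID"]
    by_perm = defaultdict(list)
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == owner_id:
            continue  # the owner's own grant is the expected baseline
        by_perm[grant["Permission"]].append(grantee_name(grantee))
    if not by_perm:
        return "owner only"
    parts = []
    # Known permissions first in a fixed order, then anything unexpected.
    for perm in list(PERMISSION_LABELS) + sorted(set(by_perm) - set(PERMISSION_LABELS)):
        if perm in by_perm:
            parts.append(f"{PERMISSION_LABELS.get(perm, perm)}: {', '.join(by_perm[perm])}")
    return ", ".join(parts)


def is_public(acl):
    """True when any grant, whatever the permission, goes to AllUsers or AuthenticatedUsers."""
    return any(grantee_name(g["Grantee"]) in PUBLIC_GROUPS for g in acl.get("Grants", []))


def scan_account():
    """One summary line per bucket in the calling account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline demo works without boto3 installed
    s3 = boto3.client("s3")
    lines = []
    for bucket in s3.list_buckets()["Buckets"]:
        acl = s3.get_bucket_acl(Bucket=bucket["Name"])
        lines.append(f"{bucket['Name']} -- {summarize_acl(acl)}")
    return lines


# Constructed sample ACLs mirroring the three buckets in the post (the owner ID is made up).
_OWNER = {"ID": "EXAMPLE_OWNER_CANONICAL_ID", "DisplayName": "andyet"}
_OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", **_OWNER}, "Permission": "FULL_CONTROL"}
_ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
_AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

SAMPLE_ACLS = {
    "foo_bucket": {"Owner": _OWNER, "Grants": [_OWNER_GRANT]},
    "bar_bucket": {"Owner": _OWNER, "Grants": [
        _OWNER_GRANT,
        {"Grantee": {"Type": "Group", "URI": _AUTH_USERS}, "Permission": "WRITE"},
    ]},
    "baz_bucket": {"Owner": _OWNER, "Grants": [
        _OWNER_GRANT,
        {"Grantee": {"Type": "Group", "URI": _ALL_USERS}, "Permission": "READ"},
    ]},
}


def scan_samples():
    """Summary lines for the constructed sample ACLs, in the post's format."""
    return [f"{name} -- {summarize_acl(acl)}" for name, acl in SAMPLE_ACLS.items()]


if __name__ == "__main__":
    for line in scan_samples():
        print(line)
```

Run it as-is to see the three sample lines; call scan_account() for a live account. A bucket ACL is only one of the ways a bucket can end up public: bucket policies and the account-level Block Public Access settings also decide who can reach the data, so treat an "owner only" ACL as one check, not the whole audit.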
