S3 Alerting with Access Analyzer
Start course

This course has been designed to introduce you to the different security controls and methods that have been built into Amazon S3 to protect your data and enhance your overall security posture. You will learn about resource ownership, access control policies, S3 Access Points, Access Analyzer, and how to use Cross Origin Resource Sharing (CORS).

If you have any feedback relating to this course, please contact us at

Learning Objectives

  • Understand resource ownership in Amazon S3
  • Use policies to control access
  • Scale access to shared buckets with S3 Access Points
  • Use Access Analyzer to monitor access to buckets
  • Learn what Cross Origin Resource Sharing (CORS) is and how to use it

Intended Audience

This course is intended for anyone who is responsible for securing, designing, and managing Amazon S3, or who simply wants to learn more about security in Amazon S3.


To get the most out of this course, you should have a basic understanding of Amazon S3. It's also recommended that you have a solid understanding of AWS IAM policy syntax and structure.


Hello and welcome to this lecture covering the Access Analyzer in Amazon S3. This closely relates to the previous lecture where we looked at public access for your buckets. The Access Analyzer is designed to alert you when any of your S3 buckets have been configured to allow either public access or buckets with access from other AWS accounts including third-party AWS accounts.

Again, this is another protection measure implemented by AWS to reduce the change of unintentional data exposure. If you have any buckets that are configured to allow this access then Access Analyzer will identify which buckets they are, what level of access has been granted and how that access is being given.

Let me jump into the console to show you an example. If I go into S3 on my account and take a look at S3 Access Analyzer I can see the results that it finds from my region and I'm currently in the EU West one region. I can quickly see that I have a bucket that is currently listed as public.

If this has been configured by mistake and you know that the bucket should not be listed as public, then you can take immediate action with a single click. Block public access to this bucket, a very useful feature. I'm sure you'll agree.

Now if I look at the bottom of the page, I can see that I do have a bucket that does have access from another account and I can check how this access is being given and here's the access is being given by an ACL. Now, the other options that could be listed here are bucket policy or access point policy and it has the permission of write, read and list. I can then select this bucket and view those permissions to see exactly what accounts is and modify the settings if this is incorrect.

As you can see it's a very useful feature that can save you from having overexposed buckets without you realizing. It's important to note that Access Analyzer updates findings every 30 minutes and you can download a report containing all the bucket information within that region and the public access or cross account access that has been configured.

This can be downloaded from the console in the Access Analyzer section by selecting download report. You can then review a CSV file of the findings. Importantly, to use Access Analyzer within your regions, you must first create an account level analyzer in IAM for each region that you want to review.

Let me show you a quick demonstration on how to create a new Access Analyzer for the London region to allow me to review buckets within EU west two. Okay, so I've just logged into the AWS management console and I'm in the London region, which is EU West two.

So I need to go to IAM to set up an Access Analyzer for this region. So if I select IAM and then go down to Access Analyzer. Now If I had an Access Analyzer enabled for this region then it would appear here but I don't so I need to create an analyzer by clicking on this button. Here it shows the region that it will be for we can customize their name if you want to.

Here we can specify if we want it to use our AWS organization or our current account, I'm just gonna leave it as the current organization, specify any texts and then once you've set any options that you want to, simply click create analyzer and that's it.

So it's a very simple item to set up and configure and now we have an Access Analyzer set up for the London region which is EU West two. We can now find any findings with regards to public access in S3 for any buckets that are in that same region.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.