
S3 Alerting with Access Analyzer


Course Introduction
AWS Storage
Introduction to Amazon EFS
Amazon EC2
Amazon Elastic Block Store (EBS)
Optimizing Storage
AWS Backup
AWS Storage Gateway
Performance Factors Across AWS Storage Services

The course is part of this learning path

Start course
4h 13m

This section of the AWS Certified Solutions Architect - Professional learning path introduces you to the core storage concepts and services relevant to the SAP-C02 exam. We start with an introduction to AWS storage services, understand the options available, and learn how to select and apply AWS storage services to meet specific requirements. 


Learning Objectives

  • Obtain an in-depth understanding of Amazon S3 - Simple Storage Service
  • Learn how to improve your security posture in S3
  • Get both a theoretical and practical understanding of EFS
  • Learn how to create an EFS file system, manage EFS security, and import data in EFS
  • Learn about EC2 storage and Elastic Block Store
  • Learn about the different performance factors associated with AWS storage services

Hello and welcome to this lecture covering the Access Analyzer in Amazon S3. This closely relates to the previous lecture, where we looked at public access for your buckets. The Access Analyzer is designed to alert you when any of your S3 buckets have been configured to allow either public access or access from other AWS accounts, including third-party AWS accounts.

Again, this is another protection measure implemented by AWS to reduce the chance of unintentional data exposure. If you have any buckets that are configured to allow this access, then Access Analyzer will identify which buckets they are, what level of access has been granted, and how that access is being given.

Let me jump into the console to show you an example. If I go into S3 on my account and take a look at S3 Access Analyzer, I can see the results that it finds for my region, and I'm currently in the EU West 1 region. I can quickly see that I have a bucket that is currently listed as public.

If this has been configured by mistake and you know that the bucket should not be listed as public, then you can take immediate action with a single click: Block public access to this bucket. A very useful feature, I'm sure you'll agree.

Now, if I look at the bottom of the page, I can see that I do have a bucket that has access from another account, and I can check how this access is being given. Here, the access is being given by an ACL. The other options that could be listed here are bucket policy or access point policy, and this grant has the permissions of write, read, and list. I can then select this bucket and view those permissions to see exactly which account it is and modify the settings if this is incorrect.

As you can see, it's a very useful feature that can save you from having overexposed buckets without realizing it. It's important to note that Access Analyzer updates findings every 30 minutes, and you can download a report containing all the bucket information within that region and the public access or cross-account access that has been configured.

This can be downloaded from the console in the Access Analyzer section by selecting Download report. You can then review a CSV file of the findings. Importantly, to use Access Analyzer within your regions, you must first create an account-level analyzer in IAM for each region that you want to review.

Let me show you a quick demonstration of how to create a new Access Analyzer for the London region to allow me to review buckets within EU West 2. Okay, so I've just logged into the AWS Management Console and I'm in the London region, which is EU West 2.

So I need to go to IAM to set up an Access Analyzer for this region. I select IAM and then go down to Access Analyzer. Now, if I had an Access Analyzer enabled for this region, it would appear here, but I don't, so I need to create an analyzer by clicking on this button. Here it shows the region that it will be for, and we can customize the name if we want to.

Here we can specify whether we want it to use our AWS organization or our current account. I'm just going to leave it as the current organization, specify any tags, and then, once you've set any options that you want to, simply click Create analyzer, and that's it.

So it's a very simple item to set up and configure, and now we have an Access Analyzer set up for the London region, which is EU West 2. We can now see any findings with regard to public access in S3 for any buckets that are in that same region.
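Once an analyzer exists for a region, the same public and cross-account findings shown in the console are available programmatically, and a small triage script lets you separate expected sharing from accidental exposure before you click Block public access. The example below is added here and is not part of the course or of AWS tooling; the finding shape (isPublic, principal, action, sources) follows the IAM Access Analyzer list-findings output as the author of this example understands it, the sample findings are constructed, and the trusted account ID is an assumption.

```python
# Constructed sample findings in the shape returned by `aws accessanalyzer list-findings`
# (field names assumed from the Access Analyzer finding format; values are made up).
SAMPLE_FINDINGS = [
    {"id": "f-1", "resource": "arn:aws:s3:::public-marketing-assets", "resourceType": "AWS::S3::Bucket",
     "status": "ACTIVE", "isPublic": True, "principal": {"AWS": "*"},
     "action": ["s3:GetObject", "s3:ListBucket"], "sources": [{"type": "BUCKET_ACL"}]},
    {"id": "f-2", "resource": "arn:aws:s3:::partner-exchange", "resourceType": "AWS::S3::Bucket",
     "status": "ACTIVE", "isPublic": False, "principal": {"AWS": "111111111111"},
     "action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"], "sources": [{"type": "POLICY"}]},
    {"id": "f-3", "resource": "arn:aws:s3:::finance-archive", "resourceType": "AWS::S3::Bucket",
     "status": "ACTIVE", "isPublic": False, "principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "action": ["s3:GetObject"], "sources": [{"type": "S3_ACCESS_POINT"}]},
    {"id": "f-4", "resource": "arn:aws:s3:::old-logs", "resourceType": "AWS::S3::Bucket",
     "status": "ARCHIVED", "isPublic": True, "principal": {"AWS": "*"},
     "action": ["s3:GetObject"], "sources": [{"type": "POLICY"}]},
]

# Assumed: the one external account we deliberately share data with.
TRUSTED_ACCOUNTS = {"111111111111"}

WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Replicate")


def account_of(principal):
    """Normalise an AWS principal (bare account ID or IAM ARN) to its account ID."""
    aws = principal.get("AWS", "") if isinstance(principal, dict) else str(principal)
    return aws.split(":")[4] if aws.startswith("arn:") else aws


def triage(findings, trusted_accounts):
    """Group ACTIVE S3 bucket findings by bucket, recording how and to whom access is granted."""
    report = {}
    for f in findings:
        if f.get("resourceType") != "AWS::S3::Bucket" or f.get("status") != "ACTIVE":
            continue  # archived or resolved findings need no action
        bucket = f["resource"].split(":::")[-1]
        entry = report.setdefault(bucket, {"public": False, "untrusted": set(), "via": set(), "writable": False})
        entry["via"].update(s["type"] for s in f.get("sources", []))  # BUCKET_ACL, POLICY, S3_ACCESS_POINT
        entry["writable"] |= any(a.startswith(WRITE_PREFIXES) for a in f.get("action", []))
        if f.get("isPublic"):
            entry["public"] = True
        elif account_of(f.get("principal", {})) not in trusted_accounts:
            entry["untrusted"].add(account_of(f.get("principal", {})))
    return report


def recommended_action(entry):
    """Map a bucket's triage entry to the remediation a reviewer would take."""
    if entry["public"]:
        return "block public access"  # the single-click fix offered in the S3 console
    if entry["untrusted"]:
        return "review cross-account grant"
    return "expected sharing"
```

Findings are refreshed roughly every 30 minutes, so a bucket fixed moments ago may still appear until the next update.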

About the Author

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.