S3 Alerting with Access Analyzer
2h 34m

This section of the SysOps Administrator - Associate learning path introduces you to the core storage concepts and services relevant to the SOA-C02 exam. We start with an introduction to the AWS storage services, understand the options available, and learn how to select and apply AWS storage services to meet specific requirements. 

Learning Objectives

  • Obtain an in-depth understanding of Amazon S3 management and security features
  • Get both a theoretical and practical understanding of EFS
  • Learn how to create an EFS file system, manage EFS security, and import data in EFS
  • Learn about EC2 storage and Elastic Block Store

Hello and welcome to this lecture covering the Access Analyzer in Amazon S3. This closely relates to the previous lecture, where we looked at public access for your buckets. The Access Analyzer is designed to alert you when any of your S3 buckets has been configured to allow either public access or access from other AWS accounts, including third-party AWS accounts.

Again, this is another protection measure implemented by AWS to reduce the chance of unintentional data exposure. If you have any buckets that are configured to allow this access, then Access Analyzer will identify which buckets they are, what level of access has been granted, and how that access is being given.

Let me jump into the console to show you an example. If I go into S3 on my account and take a look at S3 Access Analyzer, I can see the results that it finds for my region, and I'm currently in the EU West 1 region. I can quickly see that I have a bucket that is currently listed as public.

If this has been configured by mistake and you know that the bucket should not be public, then you can take immediate action with a single click and block public access to this bucket. A very useful feature, I'm sure you'll agree.

Now if I look at the bottom of the page, I can see that I do have a bucket that has access from another account, and I can check how this access is being given; here the access is being given by an ACL. The other options that could be listed here are bucket policy or access point policy, and it has the permissions of write, read and list. I can then select this bucket and view those permissions to see exactly which account it is, and modify the settings if this is incorrect.

As you can see, it's a very useful feature that can save you from having overexposed buckets without your realizing it. It's important to note that Access Analyzer updates findings every 30 minutes, and you can download a report containing all the bucket information within that region and the public access or cross-account access that has been configured.

This can be downloaded from the console in the Access Analyzer section by selecting download report. You can then review a CSV file of the findings. Importantly, to use Access Analyzer within your regions, you must first create an account level analyzer in IAM for each region that you want to review.
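As an added example that is not part of the course, here is how the same review could be scripted over the JSON that the IAM Access Analyzer ListFindings API returns: each active S3 bucket finding is labelled public or cross-account, together with how the access is granted (ACL, bucket policy or access point policy) and the actions permitted, and is flagged unless the other account is on an allow-list. The field names follow that API's Finding structure; the buckets, account IDs and findings themselves are constructed.

```python
import json

# Constructed sample: field names follow the Finding structure returned by the
# IAM Access Analyzer ListFindings API; bucket names and account IDs are made up.
SAMPLE_FINDINGS = json.dumps({"findings": [
    {"id": "f-1", "resourceType": "AWS::S3::Bucket", "status": "ACTIVE",
     "resource": "arn:aws:s3:::example-public-bucket", "isPublic": True,
     "principal": {"AWS": "*"}, "action": ["s3:GetObject", "s3:ListBucket"],
     "sources": [{"type": "POLICY"}]},
    {"id": "f-2", "resourceType": "AWS::S3::Bucket", "status": "ACTIVE",
     "resource": "arn:aws:s3:::example-shared-bucket", "isPublic": False,
     "principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "sources": [{"type": "BUCKET_ACL"}]},
    {"id": "f-3", "resourceType": "AWS::S3::Bucket", "status": "ACTIVE",
     "resource": "arn:aws:s3:::example-partner-bucket", "isPublic": False,
     "principal": {"AWS": "222222222222"}, "action": ["s3:GetObject"],
     "sources": [{"type": "S3_ACCESS_POINT"}]},
    {"id": "f-4", "resourceType": "AWS::S3::Bucket", "status": "ARCHIVED",
     "resource": "arn:aws:s3:::example-reviewed-bucket", "isPublic": True,
     "principal": {"AWS": "*"}, "action": ["s3:GetObject"],
     "sources": [{"type": "POLICY"}]},
]})

# The console's "how access is given" labels for the API's source types.
SOURCE_LABELS = {"POLICY": "bucket policy", "BUCKET_ACL": "ACL",
                 "S3_ACCESS_POINT": "access point policy",
                 "S3_ACCESS_POINT_ACCOUNT": "access point policy"}

def triage_s3_findings(findings_json, trusted_accounts=frozenset()):
    """One row per ACTIVE S3 bucket finding (archived ones were already reviewed).
    needs_attention: bucket is public, or the other account is not trusted."""
    rows = []
    for f in json.loads(findings_json)["findings"]:
        if f["resourceType"] != "AWS::S3::Bucket" or f["status"] != "ACTIVE":
            continue
        # Principal is either "*", a bare account ID or an IAM ARN; pull the account.
        aws = f.get("principal", {}).get("AWS", "")
        account = aws.split(":")[4] if aws.startswith("arn:") else aws
        rows.append({
            "bucket": f["resource"].rsplit(":", 1)[-1],
            "exposure": "public" if f["isPublic"] else f"cross-account ({account})",
            "via": ", ".join(SOURCE_LABELS.get(s["type"], s["type"])
                             for s in f.get("sources", [])),
            "actions": sorted(f["action"]),
            "needs_attention": f["isPublic"] or account not in trusted_accounts,
        })
    return rows
```

Feeding the real `aws accessanalyzer list-findings` output into `triage_s3_findings` gives the same public/cross-account split the console shows, with trusted partner accounts filtered out of the attention list.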

Let me show you a quick demonstration of how to create a new Access Analyzer for the London region to allow me to review buckets within EU West 2. Okay, so I've just logged into the AWS Management Console and I'm in the London region, which is EU West 2.

So I need to go to IAM to set up an Access Analyzer for this region. So I select IAM and then go down to Access Analyzer. Now, if I had an Access Analyzer enabled for this region, it would appear here, but I don't, so I need to create an analyzer by clicking on this button. Here it shows the region that it will be for, and we can customize the name if we want to.

Here we can specify whether we want it to cover our AWS organization or our current account. I'm just going to leave it as the current organization, specify any tags, and then, once you've set any options that you want to, simply click Create analyzer, and that's it.

So it's very simple to set up and configure, and now we have an Access Analyzer set up for the London region, which is EU West 2. We can now see any findings regarding public access in S3 for any buckets that are in that same region.

About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.