Hello and welcome to this lecture covering the Access Analyzer in Amazon S3. This closely relates to the previous lecture where we looked at public access for your buckets. The Access Analyzer is designed to alert you when any of your S3 buckets have been configured to allow either public access or buckets with access from other AWS accounts including third-party AWS accounts.

Again, this is another protection measure implemented by AWS to reduce the change of unintentional data exposure. If you have any buckets that are configured to allow this access then Access Analyzer will identify which buckets they are, what level of access has been granted and how that access is being given.

Let me jump into the console to show you an example. If I go into S3 on my account and take a look at S3 Access Analyzer I can see the results that it finds from my region and I'm currently in the EU West one region. I can quickly see that I have a bucket that is currently listed as public.

If this has been configured by mistake and you know that the bucket should not be listed as public, then you can take immediate action with a single click. Block public access to this bucket, a very useful feature. I'm sure you'll agree.

Now if I look at the bottom of the page, I can see that I do have a bucket that does have access from another account and I can check how this access is being given and here's the access is being given by an ACL. Now, the other options that could be listed here are bucket policy or access point policy and it has the permission of write, read and list. I can then select this bucket and view those permissions to see exactly what accounts is and modify the settings if this is incorrect.

As you can see it's a very useful feature that can save you from having overexposed buckets without you realizing. It's important to note that Access Analyzer updates findings every 30 minutes and you can download a report containing all the bucket information within that region and the public access or cross account access that has been configured.

This can be downloaded from the console in the Access Analyzer section by selecting download report. You can then review a CSV file of the findings. Importantly, to use Access Analyzer within your regions, you must first create an account level analyzer in IAM for each region that you want to review.

Let me show you a quick demonstration on how to create a new Access Analyzer for the London region to allow me to review buckets within EU west two. Okay, so I've just logged into the AWS management console and I'm in the London region, which is EU West two.

So I need to go to IAM to set up an Access Analyzer for this region. So if I select IAM and then go down to Access Analyzer. Now If I had an Access Analyzer enabled for this region then it would appear here but I don't so I need to create an analyzer by clicking on this button. Here it shows the region that it will be for we can customize their name if you want to.

Here we can specify if we want it to use our AWS organization or our current account, I'm just gonna leave it as the current organization, specify any texts and then once you've set any options that you want to, simply click create analyzer and that's it.

So it's a very simple item to set up and configure and now we have an Access Analyzer set up for the London region which is EU West two. We can now find any findings with regards to public access in S3 for any buckets that are in that same region.