AWS AmazonS3 documentation change
Summary
Restructured documentation to emphasize external access monitoring capabilities. Added details about the 'External access summary' dashboard, updated terminology from 'public access' to 'external access', and clarified requirements for multi-Region analyzer configuration.
Security assessment
The changes enhance documentation for security monitoring features (IAM Access Analyzer for S3) but do not address a specific disclosed vulnerability. Updates focus on improving visibility into public/cross-account access and configuration guidance for access control - core security capabilities rather than patching a weakness.
Diff
diff --git a/AmazonS3/latest/userguide/access-analyzer.md b/AmazonS3/latest/userguide/access-analyzer.md index 6f66b4b92..ed4794a7d 100644 --- a//AmazonS3/latest/userguide/access-analyzer.md +++ b//AmazonS3/latest/userguide/access-analyzer.md @@ -5 +5 @@ -What information does IAM Access Analyzer for S3 provide?Enabling IAM Access Analyzer for S3Blocking all public accessReviewing and changing bucket accessArchiving bucket findingsActivating an archived bucket findingViewing finding detailsDownloading an IAM Access Analyzer for S3 report +Reviewing external access with external access summaryInformation provided by IAM Access Analyzer for S3Blocking all public accessReviewing and changing bucket accessArchiving bucket findingsActivating an archived bucket findingViewing finding detailsDownloading an IAM Access Analyzer for S3 report @@ -9 +9 @@ What information does IAM Access Analyzer for S3 provide?Enabling IAM Access Ana -IAM Access Analyzer for S3 alerts you to S3 buckets that are configured to allow access to anyone on the internet or other AWS accounts, including AWS accounts outside of your organization. For each public or shared bucket, you receive findings into the source and level of public or shared access. For example, IAM Access Analyzer for S3 might show that a bucket has read or write access provided through a bucket access control list (ACL), a bucket policy, a Multi-Region Access Point policy, or an access point policy. With these findings, you can take immediate and precise corrective action to restore your bucket access to what you intended. +IAM Access Analyzer for S3 provides external access findings for your S3 general purpose buckets that are configured to allow access to anyone on the internet (public) or other AWS accounts, including AWS accounts outside of your organization. For each bucket that's shared publicly or with other AWS accounts, you receive findings into the source and level of shared access. For example, IAM Access Analyzer for S3 might show that a bucket has read or write access provided through a bucket access control list (ACL), a bucket policy, a Multi-Region Access Point policy, or an access point policy. With these findings, you can take immediate and precise corrective action to restore your bucket access to what you intended. @@ -11 +11,3 @@ IAM Access Analyzer for S3 alerts you to S3 buckets that are configured to allow -When reviewing an at-risk bucket in IAM Access Analyzer for S3, you can block all public access to the bucket with a single click. We recommend that you block all access to your buckets unless you require public access to support a specific use case. Before you block all public access, ensure that your applications will continue to work correctly without public access. For more information, see [Blocking public access to your Amazon S3 storage](./access-control-block-public-access.html). +The Amazon S3 console presents an **External access summary** in the S3 console next to your list of general purpose buckets. In the summary, you can click on the active findings for each AWS Region to see the details of the finding in the IAM Access Analyzer for S3 page. External acces findings in **External access summary** are automatically updated once every 24 hours. + +When reviewing a bucket that allows public access, on the IAM Access Analyzer for S3 page, you can block all public access to the bucket with a single click. We recommend that you block all public access to your buckets unless you require public access to support a specific use case. Before you block all public access, ensure that your applications will continue to work correctly without public access. For more information, see [Blocking public access to your Amazon S3 storage](./access-control-block-public-access.html). @@ -15 +17 @@ You can also drill down into bucket-level permission settings to configure granu -IAM Access Analyzer for S3 is available at no extra cost on the Amazon S3 console. IAM Access Analyzer for S3 is powered by AWS Identity and Access Management (IAM) IAM Access Analyzer. To use IAM Access Analyzer for S3 in the Amazon S3 console, you must visit the IAM console and enable IAM Access Analyzer on a per-Region basis. +IAM Access Analyzer for S3 is available at no extra cost on the Amazon S3 console. IAM Access Analyzer for S3 is powered by AWS Identity and Access Management (IAM) IAM Access Analyzer. To use IAM Access Analyzer for S3 in the Amazon S3 console, you must visit the IAM console and create an external access analyzer on a per-Region basis. @@ -21 +23 @@ For more information about IAM Access Analyzer, see [What is IAM Access Analyzer - * IAM Access Analyzer for S3 requires an account-level analyzer. To use IAM Access Analyzer for S3, you must visit IAM Access Analyzer and create an analyzer that has an account as the zone of trust. For more information, see [Enabling IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling) in _IAM User Guide_. + * IAM Access Analyzer for S3 requires an account-level analyzer in each AWS Region where you have buckets. To use IAM Access Analyzer for S3, you must visit IAM Access Analyzer and create an analyzer that has an account as the zone of trust. For more information, see [Enabling IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling) in _IAM User Guide_. @@ -32 +34 @@ For more information about IAM Access Analyzer, see [What is IAM Access Analyzer - * What information does IAM Access Analyzer for S3 provide? + * Reviewing a global summary of policies that grant external access to buckets @@ -34 +36 @@ For more information about IAM Access Analyzer, see [What is IAM Access Analyzer - * Enabling IAM Access Analyzer for S3 + * Information provided by IAM Access Analyzer for S3 @@ -51 +53,39 @@ For more information about IAM Access Analyzer, see [What is IAM Access Analyzer -## What information does IAM Access Analyzer for S3 provide? +## Reviewing a global summary of policies that grant external access to buckets + +You can use the **External access summary** to view a global summary of policies that grant external access to buckets across your AWS account directly from the S3 console. This summary helps you identify Amazon S3 general purpose buckets in any AWS Region that allow public access or access from other AWS accounts without needing to inspect policies in each AWS Region individually. + +### Enabling external access summary and IAM Access Analyzer for S3 + +To use the **External access summary** and IAM Access Analyzer for S3, you must complete the following prerequisite steps. + + 1. Grant the required permissions. For more information, see [Permissions Required to use IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-permissions) in the _IAM User Guide_. + + 2. Visit IAM to create an account-level analyzer for each Region where you want to use IAM Access Analyzer. + +You can do this by creating an analyzer that has an account as the zone of trust in the IAM console or by using the AWS CLI or AWS SDKs. For more information, see [Enabling IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling) in _IAM User Guide_. + + + + +### Viewing buckets that allow external access + +The **External access summary** displays findings and errors for external access that are provided by IAM Access Analyzer for S3 for general purpose buckets. Archived findings and findings for unused access are not included in the summary but can be viewed in the IAM console or IAM Access Analyzer for S3. For more information, see [View the IAM Access Analyzer findings dashboard](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-dashboard.html) in the IAM User Guide. + +###### Note + +The **External access summary** only includes findings for external access analyzers for each of your AWS accounts, not your AWS Organization. + + 1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). + + 2. In the left navigation panel, choose **General purpose buckets**. + + 3. Expand the **External access summary**. The console displays active public and cross-account access findings. + +###### Note + +If S3 experiences an issue loading bucket details, refresh the general purpose buckets list or view findings in IAM Access Analyzer for S3. For more information, see [Reviewing bucket access using IAM Access Analyzer for S3](./access-analyzer.html). + + 4. To view a list of findings or errors for an AWS Region, choose the link to the Region. The IAM Access Analyzer for S3 page displays names of buckets that can be accessed publicly or by other AWS accounts. For more information, see Information provided by IAM Access Analyzer for S3. + + + @@ -53 +93,26 @@ For more information about IAM Access Analyzer, see [What is IAM Access Analyzer -IAM Access Analyzer for S3 provides findings for buckets that can be accessed outside your AWS account. Buckets that are listed under **Buckets with public access** can be accessed by anyone on the internet. If IAM Access Analyzer for S3 identifies public buckets, you also see a warning at the top of the page that shows you the number of public buckets in your Region. Buckets listed under **Buckets with access from other AWS accounts — including third-party AWS accounts** are shared conditionally with other AWS accounts, including accounts outside of your organization. +### Updating access controls for buckets that allow external access + + 1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). + + 2. In the left navigation panel, choose **General purpose buckets**. + + 3. Expand the **External access summary**. The console displays active findings for buckets that can be accessed publicly or by other AWS accounts. + +###### Note + +If S3 experiences an issue loading bucket details, refresh the general purpose buckets list or view findings in IAM Access Analyzer for S3. For more information, see [Reviewing bucket access using IAM Access Analyzer for S3](./access-analyzer.html). + + 4. To view a list of findings or errors for an AWS Region, choose the link to the Region. The IAM Access Analyzer for S3 displays active findings for buckets that can be accessed publicly or by other AWS accounts. + +###### Note + +External acces findings in **External access summary** are automatically updated once every 24 hours. + + 5. To block all public access for a bucket, see Blocking all public access. To change the bucket access, see Reviewing and changing bucket access. + + + + +## Information provided by IAM Access Analyzer for S3 + +IAM Access Analyzer for S3 provides findings for buckets that can be accessed outside your AWS account. Buckets that are listed under **Public access findings** can be accessed by anyone on the internet. If IAM Access Analyzer for S3 identifies public buckets, you also see a warning at the top of the page that shows you the number of public buckets in your Region. Buckets listed under **Cross-account access findings** are shared conditionally with other AWS accounts, including accounts outside of your organization. @@ -59,2 +123,0 @@ For each bucket, IAM Access Analyzer for S3 provides the following information: - * **Discovered by Access analyzer** ‐ When IAM Access Analyzer for S3 discovered the public or shared bucket access. - @@ -82,0 +146 @@ For each bucket, IAM Access Analyzer for S3 provides the following information: + * **External principal** ‐ The AWS account outside of your organization with access to the bucket. @@ -84,13 +148 @@ For each bucket, IAM Access Analyzer for S3 provides the following information: - - -## Enabling IAM Access Analyzer for S3 - -To use IAM Access Analyzer for S3, you must complete the following prerequisite steps. - - 1. Grant the required permissions. - -For more information, see [Permissions Required to use IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-permissions) in the _IAM User Guide_. - - 2. Visit IAM to create an account-level analyzer for each Region where you want to use IAM Access Analyzer. - -IAM Access Analyzer for S3 requires an account-level analyzer. To use IAM Access Analyzer for S3, you must create an analyzer that has an account as the zone of trust. For more information, see [Enabling IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-enabling) in _IAM User Guide_. + * **Resources control policy (RCP) restriction** ‐ The resource control policy (RCP) that applies to the bucket, if applicable. For more information, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html). @@ -172 +224 @@ For more information, see [Permissions](./MultiRegionAccessPointPermissions.html - 1. Choose **access points**. + 1. Choose **Access Points for general purpose buckets** or **Access Points for directory buckets**. @@ -193 +245 @@ If a bucket grants access to the public or other AWS accounts, including account - 2. In the navigation pane, choose **Access analyzer for S3**. + 2. In the navigation pane, choose **IAM Access Analyzer for S3**. @@ -223 +275 @@ After you archive findings, you can always revisit them and change their status -If you need to see more information about a bucket, you can open the bucket finding details in IAM Access Analyzer on the [IAM Console](https://console.aws.amazon.com/iam/). +If you need to see more information about a finding, you can open the bucket finding details in IAM Access Analyzer on the [IAM Console](https://console.aws.amazon.com/iam/).