AWS TL;DR: S3 Access Analyzer

S3 Access Analyzer

/tldr: Feature of IAM Access Analyzer that uses automated reasoning to flag S3 buckets whose bucket policies, ACLs or access point policies grant public or cross-account access, so unintended exposure can be fixed before someone else finds it.

Tags: IAM Access Analysis, Preventative Security, Trust Policy Auditing

1. Core Function: Auditing External Access

Access Analyzer for S3 is a view in the S3 console backed by **IAM Access Analyzer**, which uses automated reasoning (SMT solving over the policy language; Z3 is one of the solvers used) to work out every request a policy could allow, without sending a single request. For S3 it identifies buckets that are accessible from outside the analyzer's zone of trust: your account, or your whole AWS Organization if the analyzer was created at the organization level.

How It Works

  • **Policy Analysis:** It examines the **resource-based access controls** on each bucket (the bucket policy, the bucket ACL and any S3 access point policies), re-evaluates them shortly after they change, and periodically rescans every supported resource.
  • **External Entity Check:** It flags any statement whose `Principal`, taken together with its `Condition`, allows an entity outside the zone of trust. A `Principal` of `"*"` that is pinned down by a condition such as `aws:PrincipalOrgID` for your organization or `aws:SourceVpc` for one of your VPCs is not reported as public; conditions are part of the analysis, not ignored.
  • **Proactive Security:** This lets you find and fix unintended exposure *before* an incident, and the findings give auditors evidence of access control that frameworks such as HIPAA and GDPR expect. It does not by itself make you compliant.

2. Identifying Unintended Access

When Access Analyzer finds an external access path, it generates a **Finding** that records the bucket, the external principal, the actions granted and any conditions on the grant, and classifies it by the type of external entity that has permissions.

Finding Categories

  • **Public Access:** The statement grants access to the anonymous principal (`"Principal": "*"` or `{"AWS": "*"}`) with no condition that limits who can call, so **anyone on the Internet** can access the bucket. These findings carry `isPublic: true`.
  • **Cross-Account Access:** Access is granted to a principal in an AWS account outside the zone of trust (e.g., `"Principal": {"AWS": "arn:aws:iam::111122223333:root"}`, or a role or user ARN in that account). With an account-level analyzer, other accounts in your own organization count as external too.
  • **AWS Services:** Access granted to an AWS service principal, such as `cloudfront.amazonaws.com` for an Origin Access Control, a legacy CloudFront OAI, or a service that delivers logs into the bucket. These are usually legitimate but are surfaced so you can confirm the grant is scoped to your own resource (e.g., `aws:SourceArn` naming a specific distribution) rather than open to any customer of that service.

3. Findings Management & Resolution

Each finding has a status. It starts as **Active**; if you change the policy so the external access no longer exists, the next scan marks it **Resolved** automatically, and if you decide the access is intended you mark it **Archived**. The tool finds the access path; a person decides whether it is intended.

S3 bucket policy that triggers a Public Access finding. The `"Principal": "*"` with no restricting `Condition` is what triggers it:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-public-bucket/*"
    }
  ]
}
```

Handling Findings

  • **Remediate:** If the access is unintended, fix the control that grants it: delete the statement or narrow its `Principal`, add a scoping `Condition` (e.g., `aws:PrincipalOrgID`), remove the ACL grant, or turn on S3 Block Public Access for the bucket or the account. Check the finding afterwards; it should move to Resolved on the next scan rather than needing to be closed by hand.
  • **Archive:** If the access is **intended** (a public website bucket, a legitimate cross-account backup), archive the finding to remove it from the active list. For recurring, known-good patterns create an **archive rule** so matching findings are archived automatically; keep rules narrow (specific principal, specific bucket) so they never hide a new, unintended grant. Archiving is the exception, not the rule.
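The finding categories above and the remediate-or-archive decision, shown as working code. This is an added example, not AWS code and not how the service is implemented: the real analyzer reasons over the whole policy language with an SMT solver, whereas this toy classifier applies only the Principal and Condition rules described on this page. The account ID, organization ID, distribution ARN, bucket names and the four sample policies are all constructed for the example.

```python
"""Added example, not AWS's code: a toy classifier that mirrors how IAM Access
Analyzer categorises bucket-policy grants (PUBLIC, CROSS_ACCOUNT, AWS_SERVICE),
then shows a remediation and an archive rule. The real service uses automated
reasoning; this applies only the Principal/Condition rules described in the text.
All IDs, ARNs and policies below are constructed sample input."""
import json

ZONE_OF_TRUST_ACCOUNTS = {"123456789012"}   # constructed: our own account
ORG_ID = "o-exampleorg1"                     # constructed: our Organization ID

def _principals(principal):
    """Normalise the Principal element to (kind, value) pairs."""
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, v) for kind, vals in principal.items()
            for v in (vals if isinstance(vals, list) else [vals])]

def _scoped_to_trust(condition):
    """True if a Condition pins the grant inside the zone of trust (our org,
    our accounts or our VPCs). Negated operators never narrow, so they are skipped."""
    for operator, pairs in (condition or {}).items():
        if "Not" in operator:
            continue
        for key, val in pairs.items():
            vals = set(val if isinstance(val, list) else [val])
            if key == "aws:PrincipalOrgID" and vals == {ORG_ID}:
                return True
            if key in ("aws:PrincipalAccount", "aws:SourceAccount") \
                    and vals <= ZONE_OF_TRUST_ACCOUNTS:
                return True
            if key in ("aws:SourceVpc", "aws:SourceVpce"):
                return True
    return False

def analyze(policy):
    """Return findings as (Sid, category, principal) for every external grant."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Principal" not in st:
            continue                      # Deny statements create no findings
        if _scoped_to_trust(st.get("Condition")):
            continue                      # "*" + aws:PrincipalOrgID is not public
        for kind, val in _principals(st["Principal"]):
            if val == "*":                # "Principal": "*" or {"AWS": "*"}
                findings.append((st.get("Sid"), "PUBLIC", val))
            elif kind == "Service":
                findings.append((st.get("Sid"), "AWS_SERVICE", val))
            elif kind == "AWS":
                # ARN -> account ID; a bare 12-digit account ID is also valid
                account = val.split(":")[4] if val.startswith("arn:") else val
                if account not in ZONE_OF_TRUST_ACCOUNTS:
                    findings.append((st.get("Sid"), "CROSS_ACCOUNT", val))
            else:                         # CanonicalUser, Federated, ...
                findings.append((st.get("Sid"), "EXTERNAL", val))
    return findings

def scope_to_org(policy, sid):
    """Remediation: keep the statement but add aws:PrincipalOrgID, for the case
    where 'anyone' really meant 'any principal in our organization'."""
    fixed = json.loads(json.dumps(policy))          # deep copy, leave input intact
    for st in fixed["Statement"]:
        if st.get("Sid") == sid:
            cond = st.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["aws:PrincipalOrgID"] = ORG_ID
    return fixed

# Constructed archive rule: CloudFront Origin Access Control reads are expected
# on this bucket. Keep rules this narrow so they cannot hide a new, unrelated grant.
ARCHIVE_RULES = [lambda f: f[1] == "AWS_SERVICE" and f[2] == "cloudfront.amazonaws.com"]

def triage(policy):
    """Split findings into (active, archived) as archive rules would."""
    active, archived = [], []
    for f in analyze(policy):
        (archived if any(rule(f) for rule in ARCHIVE_RULES) else active).append(f)
    return active, archived

def _policy(sid, principal, condition=None):
    """Build a one-statement bucket policy (constructed sample input)."""
    st = {"Sid": sid, "Effect": "Allow", "Principal": principal,
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}
    if condition:
        st["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [st]}

POLICY_PUBLIC = _policy("AllowPublicRead", "*")
POLICY_ORG_ONLY = _policy("AllowOrgRead", "*",
                          {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}})
POLICY_CROSS = _policy("AllowBackupAccount", {"AWS": "arn:aws:iam::111122223333:root"})
POLICY_CLOUDFRONT = _policy("AllowCloudFrontOAC", {"Service": "cloudfront.amazonaws.com"},
                            {"StringEquals": {"aws:SourceArn":
                             "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"}})

if __name__ == "__main__":
    for name, pol in [("public", POLICY_PUBLIC), ("org-only", POLICY_ORG_ONLY),
                      ("cross-account", POLICY_CROSS), ("cloudfront", POLICY_CLOUDFRONT)]:
        print(f"{name:14} active={triage(pol)[0]} archived={triage(pol)[1]}")
    print("public after scope_to_org:", analyze(scope_to_org(POLICY_PUBLIC, "AllowPublicRead")))
```

Two things worth noticing when you run it: the org-only policy has exactly the same `"Principal": "*"` as the public one and produces no finding, because the `aws:PrincipalOrgID` condition is evaluated rather than ignored; and the CloudFront grant still produces a finding that only the archive rule keeps off the active list, which is the intended workflow for expected service access. Deleting the offending statement is the other remediation; it is a one-line list filter and is left out here.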

Access Analyzer tells you IF and HOW a bucket is reachable from outside your zone of trust, based on what the policies allow. It does not tell you whether anyone actually used that access; for that, look at CloudTrail data events or S3 server access logs. It is the audit for external S3 access; S3 Block Public Access is the enforcement.

AWS Fundamentals Series: S3 Access Analyzer