AWS S3 Bucket List and Access Categorization with JavaScript
This guide provides an AWS SDK JavaScript code snippet that lists all S3 buckets in an AWS account and categorizes them based on their public/private access settings.
Code
// Uses AWS SDK for JavaScript v2: the .promise() call form below does not exist in v3.
const AWS = require('aws-sdk');
const s3 = new AWS.S3();

s3.listBuckets().promise()
  // For every bucket, fetch its ACL and decide from the group grants alone.
  .then(data => Promise.all(
    data.Buckets.map(bucket =>
      s3.getBucketAcl({ Bucket: bucket.Name }).promise().then(acl =>
        acl.Grants.some(grant =>
          grant.Grantee.Type === 'Group' &&
          (grant.Grantee.URI === 'http://acs.amazonaws.com/groups/global/AllUsers' ||
           grant.Grantee.URI === 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers')
        )
          ? { name: bucket.Name, type: 'public' }
          : { name: bucket.Name, type: 'private' }
      )
    )
  ))
  // Group the per-bucket verdicts into two name lists.
  .then(results => results.reduce(
    (acc, bucket) => { acc[bucket.type].push(bucket.name); return acc; },
    { public: [], private: [] }
  ))
  .then(console.log)
  .catch(console.error);
Detailed Code Explanation
We start by initializing AWS SDK and creating an instance of the AWS S3 service. Ensure the system you're running this code on has pre-configured AWS credentials.
The listBuckets method retrieves a list of all buckets within your AWS account. For each bucket in the list, we call the getBucketAcl method, which returns the Access Control List (ACL) for that bucket.
We then inspect the Grantee of each ACL grant to determine whether the bucket grants access to the predefined groups 'All Users' or 'Authenticated Users'. If any grant does, the script categorizes the bucket as public.
In the final step, the script creates a JSON object containing two lists: public and private. Each list contains the names of the buckets in the corresponding category.
Expected Output Format
The script prints an object with two lists; serialised as JSON it looks like:
{
  "public": ["publicBucket1", "publicBucket2"],
  "private": ["privateBucket1", "privateBucket2"]
}
Each array contains the names of all public and private buckets respectively.
Considerations & Caveats
Keep in mind that the code relies solely on the bucket ACL to categorize a bucket as private or public. However, ACLs are only one of several mechanisms that control access: bucket policies, IAM policies and S3 Block Public Access settings also apply, and in buckets with the "bucket owner enforced" Object Ownership setting ACLs are disabled entirely, so an ACL check alone can miss a bucket opened up by policy or flag a bucket whose public ACL grants are already neutralised. For more accurate results, evaluate the bucket policy and Block Public Access configuration as well.
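The following is an added example, not the page's original snippet: it keeps the ACL test from the code above as a pure function, adds two further signals the caveat points at (GetBucketPolicyStatus, whose PolicyStatus.IsPublic reflects the bucket policy, and GetPublicAccessBlock, which reports the four Block Public Access flags), and keeps scanning when a single bucket denies access instead of letting one rejection abort the whole Promise.all. The S3 client is injected so the logic runs offline against the constructed fakeS3 object at the bottom, which is made-up sample data; with the real SDK v2 you would pass new AWS.S3() instead. The NoSuchBucketPolicy and NoSuchPublicAccessBlockConfiguration error codes are the ones S3 returns when a bucket has no policy or no block configuration.

```javascript
// Added example (not the original page's code). Classify S3 buckets from three
// signals: ACL group grants, bucket policy status and Block Public Access.
const PUBLIC_GROUP_URIS = new Set([
  'http://acs.amazonaws.com/groups/global/AllUsers',
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
]);

// Same check the guide's snippet performs, as a pure function over ACL grants.
function aclGrantsPublic(grants) {
  return (grants || []).some(
    (g) => g.Grantee && g.Grantee.Type === 'Group' && PUBLIC_GROUP_URIS.has(g.Grantee.URI)
  );
}

// True only when all four Block Public Access flags are on for the bucket.
function blockPublicAccessEnforced(config) {
  if (!config) return false;
  return ['BlockPublicAcls', 'IgnorePublicAcls', 'BlockPublicPolicy', 'RestrictPublicBuckets']
    .every((k) => config[k] === true);
}

// Combine the signals. Block Public Access overrides ACL and policy grants, but the
// neutralised grants are still reported so they can be cleaned up.
function classify({ grants, policyStatus, publicAccessBlock }) {
  const reasons = [];
  if (aclGrantsPublic(grants)) reasons.push('acl');
  if (policyStatus && policyStatus.IsPublic === true) reasons.push('policy');
  if (reasons.length > 0 && blockPublicAccessEnforced(publicAccessBlock)) {
    return { type: 'private', reasons: reasons.map((r) => `${r}-blocked`) };
  }
  return { type: reasons.length > 0 ? 'public' : 'private', reasons };
}

// Run an SDK v2 call whose "not configured" error codes should yield null.
async function fetchOptional(call, ignoredCodes) {
  try {
    return await call().promise();
  } catch (err) {
    if (ignoredCodes.includes(err.code)) return null;
    throw err;
  }
}

// s3 is any object with the SDK v2 call shape (method(params).promise()).
async function scanAccount(s3) {
  const { Buckets } = await s3.listBuckets().promise();
  const results = await Promise.all(Buckets.map(async ({ Name }) => {
    try {
      const [acl, status, pab] = await Promise.all([
        s3.getBucketAcl({ Bucket: Name }).promise(),
        fetchOptional(() => s3.getBucketPolicyStatus({ Bucket: Name }), ['NoSuchBucketPolicy']),
        fetchOptional(() => s3.getPublicAccessBlock({ Bucket: Name }), ['NoSuchPublicAccessBlockConfiguration']),
      ]);
      return { name: Name, ...classify({
        grants: acl.Grants,
        policyStatus: status && status.PolicyStatus,
        publicAccessBlock: pab && pab.PublicAccessBlockConfiguration,
      }) };
    } catch (err) {
      // One denied bucket must not abort the inventory; surface it instead.
      return { name: Name, type: 'unknown', reasons: [err.code || err.message] };
    }
  }));
  return results.reduce((acc, b) => { acc[b.type].push(b.name); return acc; },
    { public: [], private: [], unknown: [] });
}

// Constructed fake client standing in for new AWS.S3(); bucket names and grants are invented.
const fakeS3 = (() => {
  const resp = (v) => ({ promise: () => Promise.resolve(v) });
  const fail = (code) => ({ promise: () => Promise.reject(Object.assign(new Error(code), { code })) });
  const ALL = 'http://acs.amazonaws.com/groups/global/AllUsers';
  const acls = {
    'site-assets': [{ Grantee: { Type: 'Group', URI: ALL }, Permission: 'READ' }],
    'shared-by-policy': [],
    'blocked-legacy': [{ Grantee: { Type: 'Group', URI: ALL }, Permission: 'READ' }],
    'internal-logs': [{ Grantee: { Type: 'CanonicalUser', ID: 'owner-id' }, Permission: 'FULL_CONTROL' }],
  };
  const allBlocked = { BlockPublicAcls: true, IgnorePublicAcls: true, BlockPublicPolicy: true, RestrictPublicBuckets: true };
  return {
    listBuckets: () => resp({ Buckets: Object.keys(acls).concat('no-access').map((Name) => ({ Name })) }),
    getBucketAcl: ({ Bucket }) => (acls[Bucket] ? resp({ Grants: acls[Bucket] }) : fail('AccessDenied')),
    getBucketPolicyStatus: ({ Bucket }) =>
      (Bucket === 'shared-by-policy' ? resp({ PolicyStatus: { IsPublic: true } }) : fail('NoSuchBucketPolicy')),
    getPublicAccessBlock: ({ Bucket }) =>
      (Bucket === 'blocked-legacy' ? resp({ PublicAccessBlockConfiguration: allBlocked }) : fail('NoSuchPublicAccessBlockConfiguration')),
  };
})();

scanAccount(fakeS3).then((r) => console.log(JSON.stringify(r, null, 2)));
```

Against the fake data this reports site-assets (public ACL) and shared-by-policy (public bucket policy) as public, blocked-legacy (public ACL neutralised by Block Public Access) and internal-logs as private, and no-access as unknown because GetBucketAcl was denied. The extra calls need s3:GetBucketPolicyStatus and s3:GetBucketPublicAccessBlock in addition to the permissions listed below.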
Required IAM Permissions and Example Policy
The IAM user executing this code must have the s3:ListAllMyBuckets and s3:GetBucketAcl permissions. Below is an example policy granting these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionsForS3ListAndGetAcl",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketAcl"],
      "Resource": "*"
    }
  ]
}
FAQ
Q: I receive an 'Access Denied' error, what should I do?
A: Ensure your AWS credentials are correctly set up and that the IAM user has the permissions to list buckets and read their ACLs (s3:ListAllMyBuckets and s3:GetBucketAcl). Note that a single bucket whose ACL you may not read rejects the whole Promise.all chain in the snippet above, so the error may concern one bucket rather than the listing call.
Q: I ran into CredentialsError: Missing credentials in config, what does that mean?
A: This code uses the AWS SDK, which looks for AWS credentials in several places (the .aws configuration directory, environment variables, an instance or container role, etc.). Make sure your credentials are correctly set in one of these places.
Q: Can I modify this to include buckets with other policies?
A: Yes. For precise access evaluation you would have to consider the other access controls, such as the bucket policy, IAM policies and the S3 Block Public Access settings, in addition to the ACL.
Q: Can this code work for other programming languages?
A: The concept certainly can, but this specific code is written in JavaScript using the AWS SDK for JavaScript. For other languages you would use the corresponding AWS SDK. The logic stays the same, although the syntax and specific method calls differ.