# AWS S3
Version: 1.0.1 · Category: AWS Cloud Security · Plan: Base+
A comprehensive S3 security integration covering bucket inventory, public access detection, permission policy analysis, sensitive file pattern matching, and object-level access log analysis.
## Tools

### list_buckets — Bucket list
List all S3 buckets in the account, including:
- Bucket name and creation date
- Region
- Versioning and MFA Delete status
- Whether logging is enabled and the target log bucket
### check_public_access — Public access status

Retrieve the four Public Access Block settings for a bucket:

| Setting | Description |
|---|---|
| BlockPublicAcls | Block public ACLs |
| IgnorePublicAcls | Ignore public ACLs |
| BlockPublicPolicy | Block public bucket policies |
| RestrictPublicBuckets | Restrict public buckets |
Includes public access status at the account level and whether the current bucket overrides account-level settings.
### get_bucket_policy — Bucket policy analysis

Retrieve and parse the bucket policy, highlighting high-risk statements:

- `Principal: *` (public access)
- Allowing `s3:GetObject` or `s3:PutObject` from all sources
- Cross-account access from unexpected principals
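The three checks above, as an added illustration that is not the integration's own code: a pure parser over a bucket policy document, run here on a constructed sample policy, with the owning account id passed in as an assumption so that any other account is reported as cross-account.

```python
import json

# Constructed sample policy (not from a real bucket) exercising each risk class.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/Admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _aws_principals(principal):
    # Normalise "*", {"AWS": "*"}, {"AWS": "arn..."} and {"AWS": [...]} to a list.
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []

def _account_of(p):
    # 12-digit account id from an ARN, or the bare id if that is what was given.
    parts = p.split(":")
    return parts[4] if len(parts) >= 5 else p

def find_high_risk_statements(policy_json, own_account):
    """Return (Sid, reason) pairs for Allow statements in the three risk classes."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements are not risky on their own
        sid = st.get("Sid", "<no Sid>")
        principals = _aws_principals(st.get("Principal", {}))
        actions = _as_list(st.get("Action", []))
        wide = sorted(a for a in actions if a.lower() in {"s3:getobject", "s3:putobject", "s3:*"})
        if "*" in principals:
            findings.append((sid, "Principal: * (public access)"))
            if wide and not st.get("Condition"):
                findings.append((sid, f"{', '.join(wide)} allowed from all sources"))
        for acct in {_account_of(p) for p in principals if p != "*"} - {own_account}:
            findings.append((sid, f"cross-account access from {acct}"))
    return findings
```

A public Allow that carries a `Condition` (for example an `aws:SourceVpce` restriction) is still reported as public here but not as "from all sources"; review such conditions by hand rather than trusting the filter.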
### check_bucket_encryption — Encryption status
Check the bucket's server-side encryption (SSE) configuration:
- SSE-S3 (AES-256)
- SSE-KMS (customer-managed or AWS-managed key)
- Whether S3 Bucket Key is enabled (reduces KMS request costs for SSE-KMS)
### check_bucket_versioning — Versioning status
View versioning and MFA Delete configuration — two key controls against ransomware and accidental deletion.
### list_objects — Object list

List objects in a bucket:

| Parameter | Default | Description |
|---|---|---|
| prefix | — | Path prefix filter |
| max_objects | 100 | Maximum number of objects to return |
| include_metadata | false | Include Content-Type, ETag, StorageClass |
### get_object_metadata — Object metadata
Retrieve detailed metadata for a specific object: Content-Type, ETag, size, StorageClass, encryption status, version ID, and all tags.
### find_sensitive_files — Sensitive file detection
Scan for sensitive file patterns in a bucket using filename pattern matching:
| Built-in pattern | Covers |
|---|---|
| Credentials | .env, credentials, id_rsa, *.pem, *.key |
| Configuration | config.yml, settings.json, *.conf |
| Database | *.sql, *.db, *.sqlite |
| Secrets | secret, password, token |
| Source code | *.py, *.js, *.rb, *.php |
| CI/CD | .github/, .gitlab-ci.yml, Dockerfile |
| AWS | aws-exports.js, terraform.tfstate |
| Certificates | *.crt, *.pfx, *.p12 |
### analyze_access_logs — Access log analysis
Analyze S3 access logs from a log storage bucket:
- Request type distribution (GET/PUT/DELETE)
- Top requester IPs
- Error status code distribution
- Anomalous access pattern detection
!!! note "Prerequisite"
    Server access logging must be enabled for the target bucket, and its logs must be delivered to a log bucket.
## Configuration

| Item | Description |
|---|---|
| AWS_ACCESS_KEY_ID | Access Key ID |
| AWS_SECRET_ACCESS_KEY | Secret Access Key |
| AWS_DEFAULT_REGION | Default region (e.g. us-east-1) |
| AWS_SESSION_TOKEN | Optional: temporary session token |
## Investigation workflow

1. `list_buckets`
   → Overview: which buckets have logging disabled or versioning off
2. `check_public_access bucket_name:"<bucket name>"`
   → Confirm whether all four Public Access Block settings are enabled
3. `get_bucket_policy bucket_name:"<bucket name>"`
   → Identify high-risk policy statements
4. `find_sensitive_files bucket_name:"<bucket name>"`
   → Detect sensitive files that should not be in S3
5. `analyze_access_logs log_bucket:"<log bucket>" prefix:"<target bucket>/"`
   → Trace which IPs accessed what files and when