Check bucket policies for public read access for each S3 bucket in the region us-east-2.

import boto3 import json def check_bucket_policies(bucket_names, region_name): s3_client = boto3.client('s3', region_name=region_name, aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'), aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY')) policy_compliance_status = {} for bucket_name in bucket_names: try: # Get bucket policy policy = s3_client.get_bucket_policy(Bucket=bucket_name) policy_document = json.loads(policy['Policy']) # Check for public read access is_public = False for statement in policy_document.get('Statement', []): if statement.get('Effect') == 'Allow': principal = statement.get('Principal') if principal == '*' or principal == {'AWS': '*'}: actions = statement.get('Action') if isinstance(actions, str): actions = [actions] if 's3:GetObject' in actions or 's3:*' in actions: is_public = True break if is_public: policy_compliance_status[bucket_name] = 'NON_COMPLIANT' else: policy_compliance_status[bucket_name] = 'COMPLIANT' except s3_client.exceptions.ClientError as e: error_code = e.response['Error']['Code'] if error_code == 'NoSuchBucketPolicy': policy_compliance_status[bucket_name] = 'COMPLIANT' else: policy_compliance_status[bucket_name] = f'ERROR: {str(e)}' print(json.dumps(policy_compliance_status, indent=4, default=str)) return policy_compliance_status bucket_policy_compliance_status = check_bucket_policies(bucket_names, region_name)