| agent: |
Evaluation of Amazon S3 Buckets for Public Read Access Compliance
The workflow involves identifying Amazon S3 buckets that permit public read access. This is achieved by assessing the Block Public Access settings, bucket policies, and Access Control Lists (ACLs). Each bucket is then flagged as either NON_COMPLIANT or COMPLIANT based on the evaluation. The process ensures that only authorized access is allowed, enhancing the security of the stored data. This compliance check is crucial for maintaining data privacy and adhering to security best practices.
- 1SkIj3VyVFY2DrmolGMNtList all Amazon S3 buckets in the region us-east-2.
1
List all Amazon S3 buckets in the region us-east-2.
There was a problem that the LLM was not able to address. Please rephrase your prompt and try again.This script lists all Amazon S3 buckets in the specified region.
inputsoutputsimport boto3 import json def list_s3_buckets(region_name): s3_client = boto3.client('s3', region_name=region_name, aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'), aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY')) response = s3_client.list_buckets() bucket_names = [bucket['Name'] for bucket in response['Buckets']] print(json.dumps(bucket_names, indent=4, default=str)) return bucket_names bucket_names = list_s3_buckets(region_name)copied1 - 2wZRHaLKb9bYv4xlqU240Evaluate Block Public Access settings for each S3 bucket in the region us-east-2.
2
Evaluate Block Public Access settings for each S3 bucket in the region us-east-2.
There was a problem that the LLM was not able to address. Please rephrase your prompt and try again.This script evaluates Block Public Access settings for each S3 bucket in the specified region and flags them as NON_COMPLIANT or COMPLIANT.
inputsoutputsimport boto3 import json def evaluate_bucket_public_access(bucket_names, region_name): s3_client = boto3.client('s3', region_name=region_name, aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'), aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY')) compliance_status = {} for bucket_name in bucket_names: try: # Check Block Public Access settings block_public_access = s3_client.get_bucket_policy_status(Bucket=bucket_name) is_public = block_public_access['PolicyStatus']['IsPublic'] if is_public: compliance_status[bucket_name] = 'NON_COMPLIANT' else: compliance_status[bucket_name] = 'COMPLIANT' except s3_client.exceptions.ClientError as e: error_code = e.response['Error']['Code'] if error_code == 'NoSuchBucketPolicy': compliance_status[bucket_name] = 'COMPLIANT' else: compliance_status[bucket_name] = f'ERROR: {str(e)}' print(json.dumps(compliance_status, indent=4, default=str)) return compliance_status bucket_compliance_status = evaluate_bucket_public_access(bucket_names, region_name)copied2 - 3Bzk3XGjqzoZ2mCWTMuYoCheck bucket policies for public read access for each S3 bucket in the region us-east-2.
3
Check bucket policies for public read access for each S3 bucket in the region us-east-2.
There was a problem that the LLM was not able to address. Please rephrase your prompt and try again.This script checks bucket policies for public read access for each S3 bucket in the specified region and flags them as NON_COMPLIANT or COMPLIANT.
inputsoutputsimport boto3 import json def check_bucket_policies(bucket_names, region_name): s3_client = boto3.client('s3', region_name=region_name, aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'), aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY')) policy_compliance_status = {} for bucket_name in bucket_names: try: # Get bucket policy policy = s3_client.get_bucket_policy(Bucket=bucket_name) policy_document = json.loads(policy['Policy']) # Check for public read access is_public = False for statement in policy_document.get('Statement', []): if statement.get('Effect') == 'Allow': principal = statement.get('Principal') if principal == '*' or principal == {'AWS': '*'}: actions = statement.get('Action') if isinstance(actions, str): actions = [actions] if 's3:GetObject' in actions or 's3:*' in actions: is_public = True break if is_public: policy_compliance_status[bucket_name] = 'NON_COMPLIANT' else: policy_compliance_status[bucket_name] = 'COMPLIANT' except s3_client.exceptions.ClientError as e: error_code = e.response['Error']['Code'] if error_code == 'NoSuchBucketPolicy': policy_compliance_status[bucket_name] = 'COMPLIANT' else: policy_compliance_status[bucket_name] = f'ERROR: {str(e)}' print(json.dumps(policy_compliance_status, indent=4, default=str)) return policy_compliance_status bucket_policy_compliance_status = check_bucket_policies(bucket_names, region_name)copied3 - 4GXUvCqpPRmseLBQVINf3Check ACLs for public read access for each S3 bucket in the region us-east-2.
4
Check ACLs for public read access for each S3 bucket in the region us-east-2.
There was a problem that the LLM was not able to address. Please rephrase your prompt and try again.This script checks ACLs for public read access for each S3 bucket in the specified region and flags them as NON_COMPLIANT or COMPLIANT.
inputsoutputsimport boto3 import json def check_bucket_acls(bucket_names, region_name): s3_client = boto3.client('s3', region_name=region_name, aws_access_key_id=getEnvVar('AWS_ACCESS_KEY_ID'), aws_secret_access_key=getEnvVar('AWS_SECRET_ACCESS_KEY')) acl_compliance_status = {} for bucket_name in bucket_names: try: # Get bucket ACL acl = s3_client.get_bucket_acl(Bucket=bucket_name) # Check for public read access is_public = False for grant in acl['Grants']: grantee = grant.get('Grantee', {}) if grantee.get('Type') == 'Group' and 'AllUsers' in grantee.get('URI', ''): if 'READ' in grant.get('Permission', ''): is_public = True break if is_public: acl_compliance_status[bucket_name] = 'NON_COMPLIANT' else: acl_compliance_status[bucket_name] = 'COMPLIANT' except s3_client.exceptions.ClientError as e: acl_compliance_status[bucket_name] = f'ERROR: {str(e)}' print(json.dumps(acl_compliance_status, indent=4, default=str)) return acl_compliance_status bucket_acl_compliance_status = check_bucket_acls(bucket_names, region_name)copied4