Audit of AWS S3 Buckets for Public Write Access

import boto3 from botocore.exceptions import ClientError aws_access_key_id = getEnvVar('AWS_ACCESS_KEY_ID') aws_secret_access_key = getEnvVar('AWS_SECRET_ACCESS_KEY') # Initialize S3 client s3_client = boto3.client('s3', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key) # Get the list of all buckets buckets = s3_client.list_buckets()['Buckets'] buckets_with_public_write_access = {} # Check each bucket's ACL for bucket in buckets: bucket_name = bucket['Name'] try: # Get bucket location location = s3_client.get_bucket_location(Bucket=bucket_name)['LocationConstraint'] if location is None: location = 'us-east-1' # Get bucket ACL acl = s3_client.get_bucket_acl(Bucket=bucket_name) for grant in acl['Grants']: grantee = grant['Grantee'] permission = grant['Permission'] if grantee.get('URI') == 'http://acs.amazonaws.com/groups/global/AllUsers' and permission == 'WRITE': if location not in buckets_with_public_write_access: buckets_with_public_write_access[location] = [] buckets_with_public_write_access[location].append(bucket_name) break except ClientError as e: print(f"Error checking bucket {bucket_name}: {e}") print("Buckets with public write access:") print(json.dumps(buckets_with_public_write_access, indent=4, default=str))