Monitor S3 bucket permissions and restrict public access

SebinnSebastian
2 min readOct 25, 2022


It is good to have a mechanism that alerts the AWS admin whenever an S3 bucket becomes public. There are many ways to do this; here I describe a fairly simple one: CloudTrail records the bucket-level API calls, an EventBridge rule matches the ones that can open a bucket up, and a Lambda function checks the bucket, resets it where appropriate and publishes an SNS alert.

Steps:

  • Create SNS topic
  • Create subscription
  • Enable CloudTrail
  • Create IAM role
  • Create Lambda function
  • Configure EventBridge (CloudWatch Events) rule

Create SNS topic

Go to Amazon SNS --> Topics --> Create topic --> Choose Standard

Give the topic a name and save.

Create subscription

Go to Amazon SNS --> Subscriptions --> Create subscription

Select the topic ARN of the topic created in step 1,

Select the protocol as Email,

Endpoint: your e-mail address, then click Create subscription.

You will get a confirmation mail from SNS. Click on the link; the subscription stays in "Pending confirmation" and receives nothing until you do.

Enable CloudTrail

Go to CloudTrail --> Dashboard --> Create trail

Provide a trail name,
Select Create new S3 bucket,
Enable log file validation,
Don't change any other options,
Click on Next,
Choose the event type as "Management events",
Review the settings and click on Create trail.

CreateBucket, PutBucketAcl and PutBucketPublicAccessBlock are bucket-level calls, which CloudTrail classes as management events, so this is all the trail needs to record. The trail is not optional: EventBridge only delivers "API Call via CloudTrail" events in a region where a trail with logging enabled exists. Skip this step and the rule below will simply never fire.

Create IAM role

Go to IAM --> Roles --> Create role

Select Lambda as the use case, click on Next,

Attach the following policies:

— AWSLambdaExecute
— AmazonSNSFullAccess
— AmazonS3FullAccess

These managed policies are far broader than the function needs, and a role that can read and write every bucket and publish to every topic is itself worth an alert. For anything beyond a test account, replace the two FullAccess policies with an inline policy that allows only sns:Publish on the topic from step 1 and s3:GetBucketAcl, s3:GetBucketPublicAccessBlock, s3:PutBucketAcl and s3:PutBucketPublicAccessBlock on the buckets you want it to remediate; AWSLambdaBasicExecutionRole is enough for the CloudWatch Logs side.

Click on Next,

Provide a role name and click on create role.

Create Lambda function

Go to Lambda --> Functions --> Create function

Select Author from scratch,
Give the function a name,
Choose Python 3.9 as the runtime,

Permissions --> Use an existing role --> choose the role we created --> click on Create function

Once the function is created, scroll down to the code editor and paste in the code from the GitHub repository,

In the code, set TopicArn to the ARN of the SNS topic created in step 1 (the topic ARN, not the IAM role ARN; a role ARN here makes sns:Publish fail with an InvalidParameter error).

Now save, and don't forget to click on Deploy.

Configure EventBridge rule

Go to Amazon EventBridge --> Rules --> Create rule

Provide a rule name,
Select "Rule with an event pattern" and click on Next,
Select the event source "AWS events or EventBridge partner events",

Scroll down to Event Pattern

Event source: AWS events
AWS service: Simple Storage Service (S3)
Event type: Bucket Level API Call via CloudTrail

Select specific operations:

CreateBucket
PutBucketAcl
PutBucketPublicAccessBlock

Click on Next,

Select target type: AWS service
Select target: Lambda function
Choose the Lambda function created in step 5 (EventBridge adds the invoke permission to the function for you)

Click on Next to Review and create Rule.

Test whether the rule works

Create a sample bucket with public access granted,

Expected behaviour: the new bucket's permissions are reset to no public access and the SNS topic subscribers receive a message.

Grant public access to an existing private S3 bucket,

Expected behaviour: the SNS topic subscribers receive a message.
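The post points to a GitHub repository for the function body but does not reproduce it. The following is an added example, written for this article and not the repository's code, of a handler that does what the test section above expects: on CreateBucket it turns all four Block Public Access flags back on and notifies; on PutBucketAcl and PutBucketPublicAccessBlock it only notifies. It also writes the EventBridge selections from the previous section out as the JSON pattern the rule stores. Assumptions, all labelled in the code: CloudTrail-delivered events carry the detail-type "AWS API Call via CloudTrail"; the topic ARN comes from a TOPIC_ARN environment variable rather than a hard-coded string; FakeS3, FakeSNS, SAMPLE_EVENT and PUBLIC_READ_ACL are constructed stand-ins so the module runs offline without boto3 or an AWS account.

```python
import json
import os

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
WATCHED_EVENTS = ("CreateBucket", "PutBucketAcl", "PutBucketPublicAccessBlock")

# The EventBridge rule from the post, written out as the JSON pattern it stores
# (assumption: CloudTrail-delivered events carry this detail-type).
EVENT_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["s3.amazonaws.com"], "eventName": list(WATCHED_EVENTS)},
}


def matches_rule(event):
    """Local equivalent of the rule: each listed field must equal one of the listed values."""
    detail = event.get("detail", {})
    return (event.get("source") in EVENT_PATTERN["source"]
            and event.get("detail-type") in EVENT_PATTERN["detail-type"]
            and detail.get("eventSource") in EVENT_PATTERN["detail"]["eventSource"]
            and detail.get("eventName") in EVENT_PATTERN["detail"]["eventName"])


def public_grants(acl):
    """(grantee URI, permission) pairs in a GetBucketAcl response that go to everyone."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GRANTEES]


def get_public_access_block(s3, bucket):
    """The four Block Public Access flags; a bucket with no configuration counts as all off."""
    try:
        return s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except Exception as exc:  # botocore's ClientError carries the error code in its message
        if "NoSuchPublicAccessBlockConfiguration" not in str(exc):
            raise
        return {k: False for k in PAB_KEYS}


def assess(event, s3):
    """Read the bucket's ACL and Block Public Access state; None means nothing to report."""
    detail = event["detail"]
    bucket = detail["requestParameters"]["bucketName"]
    pab = get_public_access_block(s3, bucket)
    grants = public_grants(s3.get_bucket_acl(Bucket=bucket))
    if pab.get("IgnorePublicAcls"):
        grants = []  # S3 ignores public ACL grants once this flag is on, so they are not a finding
    disabled = [k for k in PAB_KEYS if not pab.get(k)]
    if not grants and not disabled:
        return None
    return {"bucket": bucket, "eventName": detail["eventName"],
            "actor": detail.get("userIdentity", {}).get("arn"),
            "publicGrants": grants, "blockPublicAccessDisabled": disabled}


def handle(event, s3, sns, topic_arn):
    """CreateBucket: switch all four Block Public Access flags on, then notify.
    PutBucketAcl / PutBucketPublicAccessBlock: notify only. Returns the finding or None."""
    if not matches_rule(event):
        return None
    finding = assess(event, s3)
    if finding is None:
        return None
    finding["remediated"] = False
    if finding["eventName"] == "CreateBucket":
        s3.put_public_access_block(Bucket=finding["bucket"],
                                   PublicAccessBlockConfiguration={k: True for k in PAB_KEYS})
        finding["remediated"] = True
    sns.publish(TopicArn=topic_arn,
                Subject=f"S3 public access alert: {finding['bucket']}"[:100],  # SNS subject limit
                Message=json.dumps(finding, indent=2))
    return finding


def lambda_handler(event, context):
    """Lambda entry point; the topic ARN comes from the TOPIC_ARN environment variable (assumption)."""
    import boto3  # imported here so the module also runs locally without boto3 installed
    return handle(event, boto3.client("s3"), boto3.client("sns"), os.environ["TOPIC_ARN"])


class FakeS3:
    """Constructed stand-in for boto3's S3 client so the handler can be exercised offline."""
    def __init__(self, acl, pab=None):
        self.acl, self.pab, self.calls = acl, pab, []
    def get_bucket_acl(self, Bucket):
        return self.acl
    def get_public_access_block(self, Bucket):
        if self.pab is None:  # same message shape botocore raises for a bucket with no configuration
            raise RuntimeError("An error occurred (NoSuchPublicAccessBlockConfiguration)")
        return {"PublicAccessBlockConfiguration": dict(self.pab)}
    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.pab = dict(PublicAccessBlockConfiguration)
        self.calls.append(("put_public_access_block", Bucket))


class FakeSNS:
    """Constructed stand-in for boto3's SNS client; records what would have been published."""
    def __init__(self):
        self.messages = []
    def publish(self, **kwargs):
        self.messages.append(kwargs)
        return {"MessageId": "local"}


SAMPLE_EVENT = {  # constructed EventBridge event for a PutBucketAcl call
    "source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
               "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example"},
               "requestParameters": {"bucketName": "example-bucket"}},
}
PUBLIC_READ_ACL = {  # constructed GetBucketAcl response for a public-read bucket
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
               {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}]}
```

The IgnorePublicAcls check matters for more than tidiness: the function's own put_public_access_block call is itself a PutBucketPublicAccessBlock event, which CloudTrail records and the rule delivers back to the function. Without that check the second invocation would still see the public-read grant in the ACL and send a second alert for a bucket that is already locked down.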

The disadvantage of this method is that it is regional: the EventBridge rule and the Lambda function only see API calls made in the region they are deployed in, so to cover another region you have to repeat the steps above there. It is also detective rather than preventive. If you never need public buckets in an account, enabling Block Public Access at the account level (S3 --> Block Public Access settings for this account) stops the public ACL from taking effect in the first place, and this pipeline then serves as a second line of defence that tells you someone tried.

Written by SebinnSebastian

DevOps Engineer | Redhat Certified System Administrator | K8s Administrator | AWS, Docker, Terraform, GCP
