【发布时间】:2022-02-08 01:53:26
【问题描述】:
我正在尝试列出帐户中具有某种公共访问权限的所有存储桶。
问题是:我的理由正确吗?
- 我首先检查了存储桶的访问块配置:
filtered_buckets = list(filter(lambda item: not list_in_list(exceptions, item['Name']), buckets))
public_buckets = []
public_acl_indicator = ['http://acs.amazonaws.com/groups/global/AllUsers','http://acs.amazonaws.com/groups/global/AuthenticatedUsers']
permissions_to_check = ['READ', 'WRITE']
def check_bucket_access_block():
for bucket in filtered_buckets:
try:
response = s3client.get_public_access_block(Bucket=bucket['Name'])
for key, value in response['PublicAccessBlockConfiguration'].items():
logger.info('Bucket: {}, {}: {}'.format(bucket['Name'], key, value))
if not response['PublicAccessBlockConfiguration']['BlockPublicAcls'] and not response['PublicAccessBlockConfiguration']['BlockPublicPolicy'] and bucket['Name'] not in public_buckets:
public_buckets.append(bucket['Name'])
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'NoSuchPublicAccessBlockConfiguration':
logger.info("Bucket: {} has no Public Access Block Configuration".format(bucket['Name']))
else:
logger.info("unexpected error: %s" % (e.response))
如果任何存储桶在 BlockPublicAcls 和 BlockPublicPolicy 上都设置为 False,则它是公开的。无论他们如何配置策略和 ACL(正确?)。
- 然后,我继续检查存储桶的策略状态:
def check_bucket_status():
try:
for bucket in filtered_buckets:
response = s3client.get_bucket_policy_status(Bucket=bucket['Name'])['PolicyStatus']['IsPublic']
logger.info('Bucket Name: {}, Public: {}'.format(bucket['Name'], response))
if response == True and bucket['Name'] not in public_buckets:
public_buckets.append(bucket['Name'])
except botocore.exceptions.ClientError as e:
logger.info("unexpected error: %s" % (e.response))
如果存储桶为 isPublic 返回 true,则它是公共的。不管之前的函数结果如何。
- 在最后一步中,我检查存储桶 ACL 的 AllUser 和 AuthenticadedUsers 权限:
def check_bucket_acl():
for bucket in filtered_buckets:
try:
response = s3client.get_bucket_acl(Bucket=bucket['Name'])
logger.info('Bucket: {}, ACL: {}'.format(bucket['Name'], response['Grants']))
for grant in response['Grants']:
for (key, value) in grant.items():
if key == 'Permission' and any(permission in value for permission in permissions_to_check):
for (grantee_key, grantee_value) in grant['Grantee'].items():
if 'URI' in grantee_key and grant['Grantee']['URI'] in public_acl_indicator:
if bucket['Name'] not in public_buckets:
public_buckets.append(bucket['Name'])
except botocore.exceptions.ClientError as e:
logger.info("unexpected error: %s" % (e.response))
当我打印完整的结果时,它会输出一些桶。他们都在第一步中被抓住了:
check_bucket_access_block()
logger.info('\n')
check_bucket_status()
logger.info('\n')
check_bucket_acl()
logger.info('\n')
logger.info('Public Buckets: {}'.format(public_buckets))
另一个问题:在完成所有这些步骤之后,检查对象的 ACL 是否有必要?如果是,为什么?
【问题讨论】:
-
这不是问题的直接答案,但您可以启用 AWS Macie,该服务也可以列出公共存储桶。
标签: python amazon-web-services amazon-s3 boto3 cloud-security