我试图列出帐户中具有某种公共访问权限的所有bucket。
问题是:我的基本原理正确吗
- 我首先检查了bucket的访问块配置:
filtered_buckets = list(filter(lambda item: not list_in_list(exceptions, item['Name']), buckets))
public_buckets = []
public_acl_indicator = ['http://acs.amazonaws.com/groups/global/AllUsers','http://acs.amazonaws.com/groups/global/AuthenticatedUsers']
permissions_to_check = ['READ', 'WRITE']
def check_bucket_access_block():
for bucket in filtered_buckets:
try:
response = s3client.get_public_access_block(Bucket=bucket['Name'])
for key, value in response['PublicAccessBlockConfiguration'].items():
logger.info('Bucket: {}, {}: {}'.format(bucket['Name'], key, value))
if not response['PublicAccessBlockConfiguration']['BlockPublicAcls'] and not response['PublicAccessBlockConfiguration']['BlockPublicPolicy'] and bucket['Name'] not in public_buckets:
public_buckets.append(bucket['Name'])
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'NoSuchPublicAccessBlockConfiguration':
logger.info("Bucket: {} has no Public Access Block Configuration".format(bucket['Name']))
else:
logger.info("unexpected error: %s" % (e.response))
如果任何bucket在BlockPublicAcls和BlockPublicPolicy上都设置为False,则它是公共的。无论它们在策略和ACL上如何配置(正确吗?(。
- 然后,我继续检查bucket的策略状态:
def check_bucket_status():
try:
for bucket in filtered_buckets:
response = s3client.get_bucket_policy_status(Bucket=bucket['Name'])['PolicyStatus']['IsPublic']
logger.info('Bucket Name: {}, Public: {}'.format(bucket['Name'], response))
if response == True and bucket['Name'] not in public_buckets:
public_buckets.append(bucket['Name'])
except botocore.exceptions.ClientError as e:
logger.info("unexpected error: %s" % (e.response))
如果一个bucket为isPublic返回true,那么它就是public。不管之前的函数结果如何。
- 在最后一步中,我检查存储桶ACL中的AllUser和AuthenticatedUsers权限:
def check_bucket_acl():
for bucket in filtered_buckets:
try:
response = s3client.get_bucket_acl(Bucket=bucket['Name'])
logger.info('Bucket: {}, ACL: {}'.format(bucket['Name'], response['Grants']))
for grant in response['Grants']:
for (key, value) in grant.items():
if key == 'Permission' and any(permission in value for permission in permissions_to_check):
for (grantee_key, grantee_value) in grant['Grantee'].items():
if 'URI' in grantee_key and grant['Grantee']['URI'] in public_acl_indicator:
if bucket['Name'] not in public_buckets:
public_buckets.append(bucket['Name'])
except botocore.exceptions.ClientError as e:
logger.info("unexpected error: %s" % (e.response))
当我打印完整的结果时,它会输出一些bucket。所有这些都在第一步中被捕获:
check_bucket_access_block()
logger.info('n')
check_bucket_status()
logger.info('n')
check_bucket_acl()
logger.info('n')
logger.info('Public Buckets: {}'.format(public_buckets))
另一个问题:在完成所有这些步骤后,是否有必要检查对象的ACL?如果是,为什么?
如果在BlockPublicAcls和阻止公共政策,那么它就是公共的。无论他们在策略和ACL(正确吗?(。
不,这根本不正确。这只是意味着允许bucket具有公共Policy/ACL,并不意味着bucket实际上具有公共Policy/ACL。