At the re:Invent event, Amazon Web Services reveiled a new tool that can help customers to avoid publishing of unsecured S3 buckets.

Access Analyzer for S3 is a new feature that monitors your access policies, ensuring that the policies provide only the intended access to your S3 resources

The tool, named Access Analyzer for S3 [1], can be enabled via a new option in the console for IAM and is able to alert users when a bucket is configured to allow public access or access to other AWS accounts.

Before you get started in the S3 Management Console, visit the IAM console to enable the AWS Identity and Access Management (IAM) Access Analyzer. When you do this, Access Analyzer for S3 will automatically be visible in the S3 Management Console. Access Analyzer for S3 is based on the IAM Access Analyzer that was launched today at re:Invent 2019.

In the S3 AWS Management Console, under Access Analyzer for S3, you will see two sets of buckets – those shared publicly and those shared with other AWS accounts, including AWS accounts external to your organization. Buckets shared publicly can be accessed by anyone on the Internet. You will also receive insights into the source of the shared access – ACL, bucket policy, or even both and the type of the shared access – Read, Write, List, permissions etc. Buckets that require your attention have an Active status. You can swiftly remediate unintended access to buckets in one of three simple ways.

Access Analyzer for S3 is available at no additional cost in the S3 Management Console in all commercial AWS Regions, excluding the AWS China Beijing and Ningxia regions.


  1. Monitor, review, and protect Amazon S3 buckets using Access Analyzer for S3