Skip to content

Instantly share code, notes, and snippets.

@skwashd
Last active July 20, 2017 10:57
Show Gist options
  • Save skwashd/8bfcd7096558044dc84689ac05575fa8 to your computer and use it in GitHub Desktop.
Save skwashd/8bfcd7096558044dc84689ac05575fa8 to your computer and use it in GitHub Desktop.
Don't be the next Dow Jones

I'm not Dow Jones

This script will audit your S3 buckets and flag those with configuration that might cause you to be the next Dow Jones.

Quick Start

  • Clone this gist - git clone https://gist.github.com/8bfcd7096558044dc84689ac05575fa8.git im-not-dow-jones
  • Change into the newly created directory - im-not-dow-jones
  • Install the dependencies - pip install -r requirements.txt
  • Setup your AWS credentials - aws configure (The account will need full access to your S3 buckets)
  • Set the excute bit on the script - chmod +x im-not-dow-jones.py
  • Run the script - ./im-not-dow-jones.py > s3-audit.csv

Disclaimer

I am not associated with Dow Jones. This script is not endorsed by Dow Jones. I'm sure Dow Jones wish they had a script like this last month.

I am not responsible if you experience a data breach before, during or after running this script. Your security is your responsibility. This script it designed to assist you in finding issue, but it isn't designed to be full proof.

#! /usr/bin/env python
"""Check if you're at risk of being the next Dow Jones.
This script will identify S3 buckets with public access or public items.
Written (quickly) by Dave Hall <skwashd@gmail.com>
"""
from __future__ import print_function
import boto3
def has_public_grants(grants):
"""Check if bucket or object has any public grants.
:param grants: The grants object to check.
:type grants: dict.
:return: True if there are any public grants.
:rtype: bool.
"""
for grant in grants:
if grant['Grantee']['Type'] == 'Group' \
and grant['Grantee'].get('URI', '') == 'http://acs.amazonaws.com/groups/global/AllUsers':
return True
return False
def has_public_items(bucket):
"""Check if the bucket contains object with public access.
:param bucket: The S3 bucket to check.
:type bucket: S3.Bucket.
:return: The number of items with public grants in the bucket.
:rtype: int.
"""
i = 0
for obj in bucket.objects.all():
if has_public_grants(obj.Acl().grants):
i += 1
return i
print('Bucket,Public_Access,Public_Items')
s3 = boto3.resource('s3')
for bucket in s3.buckets.all():
public_access = has_public_grants(s3.BucketAcl(bucket.name).grants)
line = '{bucket},{public_access},{public_items}'.format(
bucket=bucket.name,
public_access=int(public_access),
public_items=has_public_items(bucket)
)
print(line)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment