Table: aws_s3_bucket - Query AWS S3 Buckets using SQL
An AWS S3 Bucket is a public cloud storage resource available in Amazon Web Services' (AWS) Simple Storage Service (S3). It is used to store objects, which consist of data and its descriptive metadata. S3 makes it possible to store and retrieve varying amounts of data, at any time, from anywhere on the web.
Table Usage Guide
The aws_s3_bucket table in Steampipe provides you with information about S3 buckets within Amazon Simple Storage Service (S3). This table allows you, as a DevOps engineer, to query bucket-specific details, including configuration, policies, and permissions. You can utilize this table to gather insights on buckets, such as bucket policies, access controls, versioning status, and more. The schema outlines for you the various attributes of the S3 bucket, including the bucket name, creation date, region, and associated tags.
Examples
Basic info
List every bucket with its region, account and whether its bucket policy makes it public. Running this first gives you an inventory and flags the buckets where public access deserves a closer look.

Postgres:

```sql
select
  name,
  region,
  account_id,
  bucket_policy_is_public
from
  aws_s3_bucket;
```

SQLite:

```sql
select
  name,
  region,
  account_id,
  bucket_policy_is_public
from
  aws_s3_bucket;
```
List buckets with versioning disabled
Find the buckets that have versioning disabled. Without versioning, an overwritten or deleted object cannot be recovered, which is a data-loss risk and often a compliance finding.

Postgres:

```sql
select
  name,
  region,
  account_id,
  versioning_enabled
from
  aws_s3_bucket
where
  not versioning_enabled;
```

SQLite:

```sql
select
  name,
  region,
  account_id,
  versioning_enabled
from
  aws_s3_bucket
where
  versioning_enabled is not 1;
```
List buckets with default encryption disabled
Find the buckets that have no default encryption configuration. Objects written to these buckets without an explicit encryption header are stored unencrypted.

Postgres:

```sql
select
  name,
  server_side_encryption_configuration
from
  aws_s3_bucket
where
  server_side_encryption_configuration is null;
```

SQLite:

```sql
select
  name,
  server_side_encryption_configuration
from
  aws_s3_bucket
where
  server_side_encryption_configuration is null;
```
List buckets that do not block public access
Find the buckets where at least one of the four S3 Block Public Access settings is off. All four must be enabled for the bucket to be fully protected from public ACLs and public bucket policies.

Postgres:

```sql
select
  name,
  block_public_acls,
  block_public_policy,
  ignore_public_acls,
  restrict_public_buckets
from
  aws_s3_bucket
where
  not block_public_acls
  or not block_public_policy
  or not ignore_public_acls
  or not restrict_public_buckets;
```

SQLite:

```sql
select
  name,
  block_public_acls,
  block_public_policy,
  ignore_public_acls,
  restrict_public_buckets
from
  aws_s3_bucket
where
  block_public_acls = 0
  or block_public_policy = 0
  or ignore_public_acls = 0
  or restrict_public_buckets = 0;
```
List buckets that block public access through bucket policies
Identify instances where certain storage buckets have implemented measures to block public access, enhancing data security and privacy. This could be useful in ensuring compliance with privacy regulations and preventing unauthorized data access.
Postgres:

```sql
select
  name,
  bucket_policy_is_public
from
  aws_s3_bucket
where
  bucket_policy_is_public;
```

SQLite:

```sql
select
  name,
  bucket_policy_is_public
from
  aws_s3_bucket
where
  bucket_policy_is_public = 1;
```
List buckets where the server access logging destination is the same as the source bucket
Find the buckets whose server access logs are delivered to the bucket itself. Logging a bucket to itself produces an ever-growing feedback loop and means an attacker who can delete from the bucket can also delete its own access trail.

Postgres:

```sql
select
  name,
  logging ->> 'TargetBucket' as target_bucket
from
  aws_s3_bucket
where
  logging ->> 'TargetBucket' = name;
```

SQLite:

```sql
select
  name,
  json_extract(logging, '$.TargetBucket') as target_bucket
from
  aws_s3_bucket
where
  json_extract(logging, '$.TargetBucket') = name;
```
List buckets without the 'application' tags key
Find the buckets that carry no 'application' tag. This is useful for enforcing a tagging standard and for tracing a bucket back to the application that owns it.

Postgres:

```sql
select
  name,
  tags ->> 'fizz' as fizz
from
  aws_s3_bucket
where
  tags ->> 'application' is null;
```

SQLite:

```sql
select
  name,
  json_extract(tags, '$.fizz') as fizz
from
  aws_s3_bucket
where
  json_extract(tags, '$.application') is null;
```
List buckets that enforce encryption in transit
Find the buckets whose policy denies every principal any action when aws:SecureTransport is false, i.e. buckets that enforce encryption in transit. Buckets without such a statement accept plain HTTP requests and are exposed to interception during transfer.

Postgres:

```sql
select
  name,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s ->> 'Condition' as conditions,
  ssl
from
  aws_s3_bucket,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  jsonb_array_elements_text(s -> 'Action') as a,
  jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') as ssl
where
  p = '*'
  and s ->> 'Effect' = 'Deny'
  and ssl :: bool = false;
```

SQLite:

```sql
select
  name,
  json_extract(p.value, '$') as principal,
  json_extract(a.value, '$') as action,
  json_extract(s.value, '$.Effect') as effect,
  json_extract(s.value, '$.Condition') as conditions,
  json_extract(ssl.value, '$') as ssl
from
  aws_s3_bucket,
  json_each(json_extract(policy_std, '$.Statement')) as s,
  json_each(json_extract(s.value, '$.Principal.AWS')) as p,
  json_each(json_extract(s.value, '$.Action')) as a,
  json_each(json_extract(s.value, '$.Condition.Bool."aws:securetransport"')) as ssl
where
  json_extract(p.value, '$') = '*'
  and json_extract(s.value, '$.Effect') = 'Deny'
  and json_extract(ssl.value, '$') = 'false';
```
List buckets that do not enforce encryption in transit
Find the buckets that lack the deny-on-insecure-transport statement from the previous query, so data written to or read from them may travel unencrypted.

Postgres:

```sql
select
  name
from
  aws_s3_bucket
where
  name not in (
    select
      name
    from
      aws_s3_bucket,
      jsonb_array_elements(policy_std -> 'Statement') as s,
      jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
      jsonb_array_elements_text(s -> 'Action') as a,
      jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') as ssl
    where
      p = '*'
      and s ->> 'Effect' = 'Deny'
      and ssl :: bool = false
  );
```

SQLite:

```sql
select
  name
from
  aws_s3_bucket
where
  name not in (
    select
      aws_s3_bucket.name
    from
      aws_s3_bucket,
      json_each(json_extract(policy_std, '$.Statement')) as s,
      json_each(json_extract(s.value, '$.Principal.AWS')) as p,
      json_each(json_extract(s.value, '$.Action')) as a,
      json_each(json_extract(s.value, '$.Condition.Bool."aws:securetransport"')) as ssl
    where
      json_extract(p.value, '$') = '*'
      and json_extract(s.value, '$.Effect') = 'Deny'
      and json_extract(ssl.value, '$') = 'false'
  );
```
List bucket policy statements that grant external access for each bucket
Find the Allow statements in each bucket policy whose principal is either the wildcard or an ARN from a different account (the fifth colon-separated field of the ARN is the account ID). These are the statements that grant external access and deserve review.

Postgres:

```sql
select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  aws_s3_bucket,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  string_to_array(p, ':') as pa,
  jsonb_array_elements_text(s -> 'Action') as a
where
  s ->> 'Effect' = 'Allow'
  and (
    pa [ 5 ] != account_id
    or p = '*'
  );
```

SQLite:

Error: SQLite does not support string_to_array functions.
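Because SQLite has no string_to_array, the same external-access check can be written with a recursive CTE that peels the principal ARN apart one colon-separated field at a time. This is an added example, not part of the Steampipe docs; the CTE name principal_fields and its column names are my own, and it relies only on the json_each/json_extract functions the SQLite queries above already use.

```sql
with recursive principal_fields(name, account_id, principal, stmt, idx, field, rest) as (
  -- Seed: one row per (bucket, Allow statement, AWS principal).
  -- A trailing ':' is appended so the final ARN field is split like the others.
  select
    b.name, b.account_id, p.value, s.value, 0, '', p.value || ':'
  from
    aws_s3_bucket as b,
    json_each(json_extract(b.policy_std, '$.Statement')) as s,
    json_each(json_extract(s.value, '$.Principal.AWS')) as p
  where
    json_extract(s.value, '$.Effect') = 'Allow'
  union all
  -- Recursive step: take the text before the next ':' as the current field,
  -- keep the remainder, and increment the field index.
  select
    name, account_id, principal, stmt, idx + 1,
    substr(rest, 1, instr(rest, ':') - 1),
    substr(rest, instr(rest, ':') + 1)
  from
    principal_fields
  where
    rest <> ''
)
select
  f.name,
  f.principal,
  a.value as action,
  json_extract(f.stmt, '$.Effect') as effect,
  json_extract(f.stmt, '$.Condition') as conditions
from
  principal_fields as f,
  json_each(json_extract(f.stmt, '$.Action')) as a
where
  -- wildcard principal: the only field is '*' (idx = 1)
  (f.idx = 1 and f.principal = '*')
  -- ARN principal: arn:partition:service:region:account:resource, so
  -- the fifth field is the account ID; flag it when it is not this account
  or (f.idx = 5 and f.field != f.account_id);
```

For arn:aws:iam::123456789012:root the recursion yields the fields arn, aws, iam, (empty), 123456789012, root, so the idx = 5 row carries the account ID that is compared against account_id.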
List buckets with object lock enabled
Find the buckets with S3 Object Lock enabled. Object Lock enforces write-once-read-many retention, so these buckets have an additional safeguard against deletion or tampering.

Postgres:

```sql
select
  name,
  object_lock_configuration ->> 'ObjectLockEnabled' as object_lock_enabled
from
  aws_s3_bucket
where
  object_lock_configuration ->> 'ObjectLockEnabled' = 'Enabled';
```

SQLite:

```sql
select
  name,
  json_extract(object_lock_configuration, '$.ObjectLockEnabled') as object_lock_enabled
from
  aws_s3_bucket
where
  json_extract(object_lock_configuration, '$.ObjectLockEnabled') = 'Enabled';
```
List buckets with website hosting enabled
Find the buckets configured for static website hosting, identified by an index document suffix. This shows where web content is being served directly from S3.

Postgres:

```sql
select
  name,
  website_configuration -> 'IndexDocument' ->> 'Suffix' as suffix
from
  aws_s3_bucket
where
  website_configuration -> 'IndexDocument' ->> 'Suffix' is not null;
```

SQLite:

```sql
select
  name,
  json_extract(website_configuration, '$.IndexDocument.Suffix') as suffix
from
  aws_s3_bucket
where
  json_extract(website_configuration, '$.IndexDocument.Suffix') is not null;
```
List object ownership control rules of buckets
List the object ownership rule of each bucket. Object ownership determines whether the bucket owner or the uploading account owns new objects, which matters when several accounts write to the same bucket.

Postgres:

```sql
select
  b.name,
  r ->> 'ObjectOwnership' as object_ownership
from
  aws_s3_bucket as b,
  jsonb_array_elements(object_ownership_controls -> 'Rules') as r;
```

SQLite:

```sql
select
  b.name,
  json_extract(r.value, '$.ObjectOwnership') as object_ownership
from
  aws_s3_bucket as b,
  json_each(b.object_ownership_controls, '$.Rules') as r;
```
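The individual checks above can be folded into a single per-bucket report that lists every baseline control a bucket fails. This is an added Postgres example, not from the Steampipe docs; the control labels in the array and the CTE name checks are my own, and only columns from the schema below are used.

```sql
with checks as (
  select
    name,
    region,
    account_id,
    -- Each CASE yields a label when the control fails and NULL otherwise;
    -- array_remove(..., null) drops the NULLs so only failures remain.
    array_remove(array[
      case when not (block_public_acls and block_public_policy
                     and ignore_public_acls and restrict_public_buckets)
           then 'public-access-block-incomplete' end,
      case when bucket_policy_is_public
           then 'bucket-policy-is-public' end,
      case when server_side_encryption_configuration is null
           then 'no-default-encryption' end,
      case when not versioning_enabled
           then 'versioning-disabled' end,
      case when versioning_enabled and not versioning_mfa_delete
           then 'mfa-delete-disabled' end,
      -- covers both a NULL logging column and an empty logging object
      case when logging ->> 'TargetBucket' is null
           then 'no-server-access-logging' end,
      case when logging ->> 'TargetBucket' = name
           then 'logging-to-self' end,
      case when website_configuration is not null
           then 'static-website-hosting' end
    ], null) as failed_controls
  from
    aws_s3_bucket
)
select
  name,
  region,
  account_id,
  cardinality(failed_controls) as failed_count,
  failed_controls
from
  checks
where
  cardinality(failed_controls) > 0
order by
  failed_count desc,
  name;
```

Buckets that pass every control are filtered out, and the worst offenders sort to the top, which is a convenient starting point for triage.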
Schema for aws_s3_bucket
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
acl | jsonb | | The access control list (ACL) of a bucket.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
arn | text | | The ARN of the AWS S3 Bucket.
block_public_acls | boolean | | Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket.
block_public_policy | boolean | | Specifies whether Amazon S3 should block public bucket policies for this bucket. If TRUE it causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.
bucket_policy_is_public | boolean | | The policy status for an Amazon S3 bucket, indicating whether the bucket is public.
creation_date | timestamp with time zone | | The date and time when the bucket was created.
event_notification_configuration | jsonb | | A container for specifying the notification configuration of the bucket. If this element is empty, notifications are turned off for the bucket.
ignore_public_acls | boolean | | Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.
lifecycle_rules | jsonb | | The lifecycle configuration information of the bucket.
logging | jsonb | | The logging status of a bucket and the permissions users have to view and modify that status.
name | text | | The user friendly name of the bucket.
object_lock_configuration | jsonb | | The specified bucket's object lock configuration.
object_ownership_controls | jsonb | | The Ownership Controls for an Amazon S3 bucket.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
policy | jsonb | | The resource IAM access document for the bucket.
policy_std | jsonb | | Contains the policy in a canonical form for easier searching.
region | text | | The AWS Region in which the resource is located.
replication | jsonb | | The replication configuration of a bucket.
restrict_public_buckets | boolean | | Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to TRUE restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.
server_side_encryption_configuration | jsonb | | The default encryption configuration for an Amazon S3 bucket.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
tags | jsonb | | A map of tags for the resource.
tags_src | jsonb | | A list of tags assigned to the bucket.
title | text | | Title of the resource.
versioning_enabled | boolean | | The versioning state of a bucket.
versioning_mfa_delete | boolean | | The MFA Delete status of the versioning state.
website_configuration | jsonb | | The website configuration information of the bucket.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_s3_bucket
```