steampipe plugin install awssteampipe plugin install aws

Table: aws_s3_bucket

An Amazon S3 bucket is a public cloud storage resource available in Amazon Web Services' (AWS) Simple Storage Service (S3), an object storage offering.

Examples

Basic info

select
  name,
  region,
  account_id,
  bucket_policy_is_public
from
  aws_s3_bucket;

List buckets with versioning disabled

select
  name,
  region,
  account_id,
  versioning_enabled
from
  aws_s3_bucket
where
  not versioning_enabled;

List buckets with default encryption disabled

select
  name,
  server_side_encryption_configuration
from
  aws_s3_bucket
where
  server_side_encryption_configuration is null;

List buckets that do not block public access

select
  name,
  block_public_acls,
  block_public_policy,
  ignore_public_acls,
  restrict_public_buckets
from
  aws_s3_bucket
where
  not block_public_acls
  or not block_public_policy
  or not ignore_public_acls
  or not restrict_public_buckets;

List buckets that block public access through bucket policies

select
  name,
  bucket_policy_is_public
from
  aws_s3_bucket
where
  bucket_policy_is_public;

List buckets where the server access logging destination is the same as the source bucket

select
  name,
  logging ->> 'TargetBucket' as target_bucket
from
  aws_s3_bucket
where
  logging ->> 'TargetBucket' = name;

List buckets without the 'application' tags key

select
  name,
  tags ->> 'fizz' as fizz
from
  aws_s3_bucket
where
  tags ->> 'application' is not null;

List buckets that enforce encryption in transit

select
  name,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s ->> 'Condition' as conditions,
  ssl
from
  aws_s3_bucket,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  jsonb_array_elements_text(s -> 'Action') as a,
  jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') as ssl
where
  p = '*'
  and s ->> 'Effect' = 'Deny'
  and ssl :: bool = false;

List buckets that do not enforce encryption in transit

select
  name
from
  aws_s3_bucket
where
  name not in (
    select
      name
    from
      aws_s3_bucket,
      jsonb_array_elements(policy_std -> 'Statement') as s,
      jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
      jsonb_array_elements_text(s -> 'Action') as a,
      jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') as ssl
    where
      p = '*'
      and s ->> 'Effect' = 'Deny'
      and ssl :: bool = false
  );

List bucket policy statements that grant external access for each bucket

select
  title,
  p as principal,
  a as action,
  s ->> 'Effect' as effect,
  s -> 'Condition' as conditions
from
  aws_s3_bucket,
  jsonb_array_elements(policy_std -> 'Statement') as s,
  jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
  string_to_array(p, ':') as pa,
  jsonb_array_elements_text(s -> 'Action') as a
where
  s ->> 'Effect' = 'Allow'
  and (
    pa [ 5 ] != account_id
    or p = '*'
  );

List buckets with object lock enabled

select
  name,
  object_lock_configuration ->> 'ObjectLockEnabled' as object_lock_enabled
from
  aws_s3_bucket
where
  object_lock_configuration ->> 'ObjectLockEnabled' = 'Enabled';

List buckets with website hosting enabled

select
  name,
  website_configuration -> 'IndexDocument' ->> 'Suffix' as suffix
from
  aws_s3_bucket
where
  website_configuration -> 'IndexDocument' ->> 'Suffix' is not null;

List object ownership control rules of buckets

select
  b.name,
  r ->> 'ObjectOwnership' as object_ownership
from
  aws_s3_bucket as b,
  jsonb_array_elements(object_ownership_controls -> 'Rules') as r;

Query examples

Control examples

.inspect aws_s3_bucket

AWS S3 Bucket

Name	Type	Description
_ctx	jsonb	Steampipe context in JSON form, e.g. connection_name.
account_id	text	The AWS Account ID in which the resource is located.
acl	jsonb	The access control list (ACL) of a bucket.
akas	jsonb	Array of globally unique identifier strings (also known as) for the resource.
arn	text	The ARN of the AWS S3 Bucket.
block_public_acls	boolean	Specifies whether Amazon S3 should block public access control lists (ACLs) for this bucket and objects in this bucket.
block_public_policy	boolean	Specifies whether Amazon S3 should block public bucket policies for this bucket. If TRUE it causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.
bucket_policy_is_public	boolean	The policy status for an Amazon S3 bucket, indicating whether the bucket is public.
creation_date	timestamp with time zone	The date and time when bucket was created.
event_notification_configuration	jsonb	A container for specifying the notification configuration of the bucket. If this element is empty, notifications are turned off for the bucket.
ignore_public_acls	boolean	Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. Setting this element to TRUE causes Amazon S3 to ignore all public ACLs on this bucket and objects in this bucket.
lifecycle_rules	jsonb	The lifecycle configuration information of the bucket.
logging	jsonb	The logging status of a bucket and the permissions users have to view and modify that status.
name	text	The user friendly name of the bucket.
object_lock_configuration	jsonb	The specified bucket's object lock configuration.
object_ownership_controls	jsonb	The Ownership Controls for an Amazon S3 bucket.
partition	text	The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
policy	jsonb	The resource IAM access document for the bucket.
policy_std	jsonb	Contains the policy in a canonical form for easier searching.
region	text	The AWS Region in which the resource is located.
replication	jsonb	The replication configuration of a bucket.
restrict_public_buckets	boolean	Specifies whether Amazon S3 should restrict public bucket policies for this bucket. Setting this element to TRUE restricts access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.
server_side_encryption_configuration	jsonb	The default encryption configuration for an Amazon S3 bucket.
tags	jsonb	A map of tags for the resource.
tags_src	jsonb	A list of tags assigned to bucket.
title	text	Title of the resource.
versioning_enabled	boolean	The versioning state of a bucket.
versioning_mfa_delete	boolean	The MFA Delete status of the versioning state.
website_configuration	jsonb	The website configuration information of the bucket.

turbot/aws