
list-buckets option to get extra --details about buckets #22

Closed
simonw opened this issue Nov 8, 2021 · 5 comments
Labels: enhancement (New feature or request)
Comments

simonw commented Nov 8, 2021

The S3 security best practices in https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#security-best-practices-prevent suggest:

> Use the ListBuckets API to scan all of your Amazon S3 buckets. Then use GetBucketAcl, GetBucketWebsite, and GetBucketPolicy to determine whether the bucket has compliant access controls and configuration.

list-buckets could do this with an extra --details option (since it adds 3 new API calls per bucket).

@simonw simonw added the enhancement New feature or request label Nov 8, 2021
@simonw simonw added this to the 1.0 milestone Nov 8, 2021
simonw commented Nov 8, 2021

Example output from my prototype:

```json
{
    "Name": "dogsheep-photos-simon",
    "CreationDate": "2020-04-18 19:36:25+00:00",
    "bucket_acl": {
        "Owner": {
            "DisplayName": "swillison",
            "ID": "36b2eeee501c5952a8ac119f9e5212277a4c01eccfa8d6a9d670bba1e2d5f441"
        },
        "Grants": [
            {
                "Grantee": {
                    "DisplayName": "swillison",
                    "ID": "36b2eeee501c5952a8ac119f9e5212277a4c01eccfa8d6a9d670bba1e2d5f441",
                    "Type": "CanonicalUser"
                },
                "Permission": "FULL_CONTROL"
            }
        ]
    },
    "public_access_block": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    },
    "bucket_website": null
}
```
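The calls behind a record like this one, as an added example that is not code from s3-credentials: it issues the extra per-bucket requests through boto3's S3 client method names, turns the "no such configuration" errors into null fields the way the prototype output does, and flags ACL grants to the global AllUsers/AuthenticatedUsers groups that no public access block neutralises. The FakeS3 stub, its two buckets (both granting READ to AllUsers, only one with a public access block) and the bucket names are constructed for the example; against a real account pass boto3.client("s3") instead.

```python
# Added example, not s3-credentials' own code: the checks behind a record like the
# one above, written against boto3's S3 client method names; runs offline on FakeS3.
PUBLIC_URI = "http://acs.amazonaws.com/groups/global/"  # AllUsers, AuthenticatedUsers
MISSING = {  # error codes S3 returns when an optional configuration does not exist
    "get_public_access_block": "NoSuchPublicAccessBlockConfiguration",
    "get_bucket_website": "NoSuchWebsiteConfiguration",
    "get_bucket_policy": "NoSuchBucketPolicy"}

def _call(s3, method, name, key=None):
    """s3.<method>(Bucket=name) minus response metadata; None if S3 reports it absent."""
    try:
        resp = getattr(s3, method)(Bucket=name)
    except Exception as e:  # botocore's ClientError exposes response["Error"]["Code"]
        if getattr(e, "response", {}).get("Error", {}).get("Code") == MISSING.get(method, ""):
            return None
        raise  # AccessDenied, throttling, network errors: not "missing", surface them
    resp.pop("ResponseMetadata", None)
    return resp[key] if key else resp

def bucket_details(s3, name):
    """One record per bucket, as --details does (four extra API calls per bucket)."""
    return {"Name": name,
            "bucket_acl": _call(s3, "get_bucket_acl", name),
            "public_access_block": _call(s3, "get_public_access_block", name, "PublicAccessBlockConfiguration"),
            "bucket_website": _call(s3, "get_bucket_website", name),
            "bucket_policy": _call(s3, "get_bucket_policy", name, "Policy")}

def unblocked_public_grants(detail):
    """ACL permissions granted to everyone that no public access block neutralises."""
    pab = detail["public_access_block"] or {}
    if pab.get("BlockPublicAcls") and pab.get("IgnorePublicAcls"):
        return []  # the public grants exist but S3 ignores them
    return [g["Permission"] for g in detail["bucket_acl"]["Grants"]
            if g["Grantee"].get("URI", "").startswith(PUBLIC_URI)]

class _Missing(Exception):  # constructed stand-in for botocore's ClientError
    def __init__(self, code): self.response = {"Error": {"Code": code}}

class FakeS3:
    """Constructed stub of boto3.client("s3"); only locked-bucket has a public access block."""
    ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
                      {"Grantee": {"Type": "Group", "URI": PUBLIC_URI + "AllUsers"}, "Permission": "READ"}]}
    PAB = dict.fromkeys(["BlockPublicAcls", "IgnorePublicAcls",
                         "BlockPublicPolicy", "RestrictPublicBuckets"], True)
    RESPONSES = {("get_bucket_acl", "locked-bucket"): ACL, ("get_bucket_acl", "open-bucket"): ACL,
                 ("get_public_access_block", "locked-bucket"): {"PublicAccessBlockConfiguration": PAB}}
    def __getattr__(self, method):  # get_bucket_acl, get_public_access_block, ...
        def call(Bucket):  # anything not listed "does not exist", as on a real account
            try: return dict(self.RESPONSES[(method, Bucket)])
            except KeyError: raise _Missing(MISSING[method]) from None
        return call
```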

simonw commented Nov 8, 2021

Since this is an expensive operation per bucket, I'm going to add the ability to pass one or more specific bucket names to the command.

@simonw simonw closed this as completed in 8e20798 Nov 9, 2021
simonw commented Nov 9, 2021

simonw commented Nov 9, 2021

Here's the updated --help:

```
% s3-credentials list-buckets --help
Usage: s3-credentials list-buckets [OPTIONS] [BUCKETS]...

  List buckets - defaults to all, or pass one or more bucket names

Options:
  --details             Include extra bucket details (slower)
  --array               Output a valid JSON array
  --nl                  Output newline-delimited JSON
  --access-key TEXT     AWS access key ID
  --secret-key TEXT     AWS secret access key
  --session-token TEXT  AWS session token
  --endpoint-url TEXT   Custom endpoint URL
  --help                Show this message and exit.
```

simonw added a commit that referenced this issue Nov 11, 2021