// Load the AWS SDK (v2, callback-style API); no UUID library is used here
var AWS = require('aws-sdk');
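// Create an S3 client. No region or credentials are passed, so the SDK's
// default resolution (environment variables, shared config, instance/role
// credentials) applies; the identity it resolves to decides which buckets
// listBuckets can see and which per-bucket calls below are authorised.
const s3 = new AWS.S3();

// Entry point: enumerate every bucket visible to the caller and audit each.
s3.listBuckets(function(err, buckets) {
  if (err) {
    // If the bucket listing fails nothing at all was audited. Log it and
    // make the run exit non-zero so a wrapper/CI job cannot mistake the
    // empty output for "no public buckets".
    console.log(err, err.stack);
    process.exitCode = 1;
    return;
  }
  checkPublicBuckets(buckets); // successful response
});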
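/**
 * Audit every bucket in a listBuckets response: print the bucket ACL
 * verdict, the bucket policy verdict (when a policy exists), and then the
 * ACL verdict of every object in the bucket.
 *
 * All SDK calls are asynchronous and run in parallel, so output lines from
 * different buckets interleave; every line is prefixed with its bucket (or
 * s3://bucket/key) so the output can be sorted afterwards.
 *
 * NOTE(review): only raw ACL and policy grants are inspected. S3 Block
 * Public Access (account- or bucket-level) can neutralise such grants and is
 * not queried here, so an "Everyone" finding may be blocked in practice;
 * conversely, access granted through IAM identity policies is never visible
 * to this script.
 *
 * @param {Object} bucketJson listBuckets response; reads `Buckets[].Name`.
 */
function checkPublicBuckets(bucketJson) {
  for (const bucket of bucketJson['Buckets'] || []) {
    const params = {
      Bucket: bucket['Name']
    };

    s3.getBucketAcl(params, function(err, bucketAclJson) {
      if (err) {
        console.log(err, err.stack); // an error occurred
        return;
      }
      // Bucket-level ACL: grants to the AllUsers / AuthenticatedUsers groups.
      console.log(params.Bucket + ' --- ' + checkGrants(bucketAclJson));

      s3.getBucketPolicy(params, function(err, bucketPolicyJson) {
        if (err) {
          // A bucket with no policy at all is the normal case, not a failure.
          if (err.code !== 'NoSuchBucketPolicy') {
            console.log(err, err.stack);
          }
        } else if (bucketPolicyJson !== null) {
          console.log(params.Bucket + ' --- Policy --- ' + checkPolicy(bucketPolicyJson));
        }
      });

      // Object-level ACLs. retrieveBucketObjects is callback-driven and
      // returns nothing (the original stored its undefined result in an
      // unused local); each page is printed as it arrives. This costs one
      // GetObjectAcl request per object, so large buckets are slow and may
      // hit API throttling.
      retrieveBucketObjects(params.Bucket, null);
    });
  }
}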
/**
 * Walk the object listing of `bucketName` one page at a time (MaxKeys 1000,
 * the largest page S3 returns) and hand each page to checkBucketObjects.
 * When a page is truncated the function re-invokes itself with the
 * NextContinuationToken until the listing is exhausted. A listing error is
 * logged and ends the walk for this bucket.
 *
 * @param {string} bucketName bucket whose keys are listed
 * @param {string|null} continuationToken null for the first page, otherwise
 *   the NextContinuationToken returned with the previous page
 * @returns {undefined} findings are reported asynchronously via console.log
 */
function retrieveBucketObjects(bucketName, continuationToken) {
  const listParams = {
    Bucket: bucketName,
    MaxKeys: 1000,
    ContinuationToken: continuationToken
  };

  const onPage = function(err, page) {
    if (err) {
      console.log(err, err.stack); // an error occurred
      return;
    }
    checkBucketObjects(page);
    if (!page['IsTruncated']) {
      return;
    }
    // More keys remain: request the next page with the token S3 handed back.
    retrieveBucketObjects(bucketName, page['NextContinuationToken']);
  };

  s3.listObjectsV2(listParams, onPage);
}
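/**
 * Fetch and report the ACL of every object in one listObjectsV2 page.
 *
 * One GetObjectAcl request is issued per key, all in parallel; each result
 * (or error) is printed as `s3://bucket/key --- <verdict>`. Only grants to
 * the AllUsers / AuthenticatedUsers groups are considered (see checkGrants).
 *
 * NOTE(review): when a bucket uses the BucketOwnerEnforced object-ownership
 * setting, S3 disables ACLs entirely and the per-object grants seen here are
 * not enforced; that setting is not checked by this script.
 *
 * @param {Object} bucketObjectsJson listObjectsV2 response; reads `Name` and
 *   `Contents[].Key`. `Contents` is treated as empty when absent.
 */
function checkBucketObjects(bucketObjectsJson) {
  const bucketName = bucketObjectsJson['Name'];
  // `const` in for...of gives every iteration its own binding, so the
  // original's wrapper IIFE is unnecessary to capture the key for the
  // asynchronous callback.
  for (const s3Obj of bucketObjectsJson['Contents'] || []) {
    const params = {
      Bucket: bucketName,
      Key: s3Obj['Key']
    };
    const objectUri = 's3://' + params.Bucket + '/' + s3Obj['Key'];

    s3.getObjectAcl(params, function(err, objectAclJson) {
      if (err) {
        console.log(objectUri + ' --- ERROR RETRIEVING PERMISSIONS');
        console.log(err, err.stack); // an error occurred
        return;
      }
      // Object-level ACL: grants to the AllUsers / AuthenticatedUsers groups.
      console.log(objectUri + ' --- ' + checkGrants(objectAclJson));
    });
  }
}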
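/**
 * Summarise the most permissive public grant in a bucket policy.
 *
 * Returns 'Private' when no statement allows a wildcard principal, or when a
 * statement unconditionally denies all actions ('*' or 's3:*') to everyone.
 * Otherwise returns 'Everyone --- <Action> --- <Resource>' for the last
 * matching Allow statement, with ' --- Conditional' appended when that
 * statement carries a Condition block (e.g. aws:SourceIp or aws:SourceVpce
 * restrictions), since such a statement is not necessarily reachable from
 * the whole internet and deserves manual review rather than a flat "public".
 *
 * Fixes relative to the previous version:
 *   - `Principal: {"AWS": "*"}` (and `{"AWS": ["*"]}`) is now recognised as a
 *     wildcard principal; only the bare string "*" was matched before, so the
 *     most common public-bucket policy form was reported as 'Private'.
 *   - A Deny with a Condition (e.g. aws:SecureTransport = false) no longer
 *     short-circuits to 'Private'; such denies do not remove public access.
 *   - `Statement` may be a single object as IAM permits, not only an array.
 *   - The verdict is no longer also printed here; the caller prints it.
 *
 * Heuristic only: NotPrincipal/NotAction and the Resource scoping of Deny
 * statements are not evaluated.
 *
 * @param {{Policy: string}} policyJson getBucketPolicy response; `Policy` is
 *   the policy document as a JSON string.
 * @returns {string}
 * @throws {SyntaxError} if `Policy` is not valid JSON.
 */
function checkPolicy(policyJson) {
  const policy = JSON.parse(policyJson.Policy);
  // IAM grammar allows Statement to be a single object as well as an array.
  const statements = [].concat(policy['Statement'] || []);
  let worstPolicyPermissions = 'Private';

  for (const statement of statements) {
    if (!isWildcardPrincipal(statement['Principal'])) {
      continue;
    }
    const actions = [].concat(statement['Action'] || []);
    const hasCondition = statement['Condition'] !== undefined && statement['Condition'] !== null;

    if (statement['Effect'] === 'Deny'
        && !hasCondition
        && actions.length === 1
        && (actions[0] === '*' || actions[0] === 's3:*')) {
      // An unconditional deny-everything to everyone overrides any Allow.
      return 'Private';
    }
    if (statement['Effect'] === 'Allow') {
      // Array-valued Action/Resource stringify as comma-joined lists.
      worstPolicyPermissions = 'Everyone --- ' + statement['Action'] + ' --- ' + statement['Resource'];
      if (hasCondition) {
        worstPolicyPermissions += ' --- Conditional';
      }
    }
  }
  return worstPolicyPermissions;
}

/**
 * True when an IAM Principal element grants to everyone: the bare string "*",
 * or an object whose AWS member is "*" or a list containing "*".
 *
 * @param {string|Object|undefined} principal the statement's Principal value
 * @returns {boolean}
 */
function isWildcardPrincipal(principal) {
  if (principal === '*') {
    return true;
  }
  if (principal === null || typeof principal !== 'object') {
    return false;
  }
  return [].concat(principal['AWS'] || []).indexOf('*') !== -1;
}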
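/**
 * Summarise the group grants in a bucket or object ACL.
 *
 * Only the two predefined global groups matter for exposure:
 *   - AllUsers ("Everyone"): anonymous, unauthenticated access;
 *   - AuthenticatedUsers: any request signed with *any* AWS account's
 *     credentials -- per AWS docs this is not limited to this account, so it
 *     is effectively public to anyone who signs up for AWS.
 * Grants to canonical users (the owner) and to other groups such as
 * LogDelivery are ignored.
 *
 * Returns 'Private' when neither group is granted anything. Otherwise returns
 * 'Everyone (<perms>)' and/or 'Authenticated Users (<perms>)', joined by
 * '; ', where <perms> lists the distinct ACL permissions granted to that
 * group (READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL, in the order seen).
 *
 * Fixes relative to the previous version: the permission level was dropped,
 * so public READ (anyone can download) and public WRITE / WRITE_ACP (anyone
 * can overwrite or re-ACL) printed identically; and an AuthenticatedUsers
 * grant was hidden whenever an AllUsers grant was also present.
 *
 * @param {Object} grantsJson getBucketAcl/getObjectAcl response; reads
 *   `Grants[].Grantee.Type`, `Grants[].Grantee.URI` and `Grants[].Permission`.
 *   `Grants` is treated as empty when absent.
 * @returns {string}
 */
function checkGrants(grantsJson) {
  const everyonePerms = new Set();
  const authenticatedPerms = new Set();

  for (const grant of grantsJson['Grants'] || []) {
    const grantee = grant['Grantee'] || {};
    if (grantee['Type'] !== 'Group') {
      continue;
    }
    // Group grantees are identified by URI, e.g.
    // http://acs.amazonaws.com/groups/global/AllUsers; match by suffix name.
    const uri = grantee['URI'] || '';
    const permission = grant['Permission'] || 'UNKNOWN';
    if (uri.indexOf('AllUsers') !== -1) {
      everyonePerms.add(permission);
    } else if (uri.indexOf('AuthenticatedUsers') !== -1) {
      authenticatedPerms.add(permission);
    }
  }

  const findings = [];
  if (everyonePerms.size > 0) {
    findings.push('Everyone (' + Array.from(everyonePerms).join(', ') + ')');
  }
  if (authenticatedPerms.size > 0) {
    findings.push('Authenticated Users (' + Array.from(authenticatedPerms).join(', ') + ')');
  }
  return findings.length > 0 ? findings.join('; ') : 'Private';
}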