How do I find which S3 buckets an EC2 instance has access to?

My company has many S3 buckets. Our workflow is that we use an internal piece of software to set up an EC2 instance with the right permission using AWS lambdas (which I do not have access to). The permissions include access to one S3 bucket, depending on the current use-case (which client we are working with). We can view files from the other buckets, but only download from the one associated with that instance.

Currently we have to look up the name of the bucket in a spreadsheet depending on which client we are dealing with at the time. Is there a way to figure out which bucket we are connected to from within the EC2 instance?

1 Answer

Generally no, that is fundamentally impossible. IAM cannot tell you what you can potentially do prior to you actually trying to do it. It cannot tell you what buckets you have access to; it can only tell you whether or not you have access to a specific bucket when you actually try to access it.

But: You can of course try to parse a policy attached to an IAM identity if you know that your policies always have a well-defined pattern / structure. In that case parse the policy document (it is just plain JSON) and extract the bucket identifier that is in there somewhere.

luk2302
  • How can I get the policy document from within EC2? – Michael Barrowman Sep 10 '21 at 08:13
  • @MichaelBarrowman You can find the role / instance profile used on the EC2 instance via https://stackoverflow.com/questions/47313778/find-role-being-used-on-server-from-aws-cli and then e.g. https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-role-policies.html and https://docs.aws.amazon.com/cli/latest/reference/iam/list-role-policies.html and then https://docs.aws.amazon.com/cli/latest/reference/iam/get-role-policy.html and https://docs.aws.amazon.com/cli/latest/reference/iam/list-policy-versions.html and https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html – luk2302 Sep 10 '21 at 09:00
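
The policy-parsing approach from the answer, as an added example that is not part of the original thread: once the role's policy document has been fetched with the IAM commands linked in the comment above, this pulls out the buckets that an `Allow` statement grants a given action on, which separates the one download bucket (`s3:GetObject`) from the buckets that are only listable. The function name `buckets_allowing` and the sample policy are constructed for illustration; `Deny`, `NotAction`, `NotResource` and `Condition` are not evaluated, so the result is a hint about the policy's intent rather than an authorization decision.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: list everywhere, download from one client bucket.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-client-a/*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def buckets_allowing(policy, action="s3:GetObject"):
    """Return sorted bucket names (or wildcard patterns) from Allow statements
    whose Action matches `action`. Accepts a dict or a JSON string."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    found = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive and may contain * and ? wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatchcase(action.lower(), p) for p in patterns):
            continue
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                found.add("*")  # every resource, so every bucket
                continue
            parts = res.split(":", 5)  # arn:partition:s3:::bucket[/key]
            if len(parts) == 6 and parts[2] == "s3":
                found.add(parts[5].split("/", 1)[0])
    return sorted(found)


if __name__ == "__main__":
    print(buckets_allowing(SAMPLE_POLICY))
```

A `*` in the result means the statement is not scoped to a named bucket, in which case the policy alone cannot identify the client bucket.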