S3 Public Access Card

Flag public, conditionally public, and cross-account grants in a pasted S3 bucket policy

Analysis runs entirely in your browser. The policy text, bucket names, account IDs, ARNs, principals, and Block Public Access settings are not uploaded, logged, or stored. This is a heuristic review aid, not a substitute for a full security review.

About the S3 public access card

The S3 public access card turns a pasted Amazon S3 bucket policy into a quick read on who can reach your objects before you approve a storage change. Paste the policy JSON, optionally paste the bucket's Block Public Access settings, and select analyze access. The tool inspects every Allow statement and lists the grants that widen access, each with an exposure type, a risk level, and a short reason. It then gives you a PR review note to drop into a pull request and a CSV of the findings for an audit log.

The point is to make the risky grants easy to spot. A wildcard principal that opens objects to the whole internet is flagged high so it does not get lost in a long policy, a grant scoped only by an open SourceIp range stays high, and a cross-account or service-principal grant is called out separately so you can confirm it is intended. The analysis runs entirely in your browser. The policy text is not uploaded, logged, or stored, which matters because a bucket policy can reveal bucket names, AWS account IDs, ARNs, and external principals. This is a review aid, not a policy engine, so read the full policy before you sign off.

How to use

  1. Copy the effective bucket policy JSON for the bucket you are reviewing, including the Statement block.
  2. Paste the policy into the first box. A sample policy and Block Public Access settings are loaded so you can see the format the tool expects.
  3. Optionally paste the bucket's Block Public Access settings as JSON so the tool can show whether they mitigate the public grants.
  4. Select analyze access to see the statement counts, the risk counts, and a per-statement findings table ordered with the highest severity first.
  5. Review the high-risk rows first. These cover public-internet grants and public grants left open by an all-internet SourceIp range.
  6. Copy the PR review note into your pull request or download the CSV for your audit log, then read the full policy before you approve the change.

Worked examples

A statement with Principal set to "*" and no Condition

A wildcard principal grants access to anyone on the internet, so it is flagged high risk as a public-internet exposure. Replace it with specific principals or add a scoping Condition.

A wildcard principal scoped by an aws:SourceIp of 0.0.0.0/0

An open CIDR does not restrict who can reach the bucket, so the grant stays high risk even though a Condition is present. A specific IP range would lower it to conditionally public.

A grant to an arn:aws:iam account principal in another account

Access for a principal outside this policy's account is flagged medium risk as a cross-account grant so you can confirm the partner account is trusted and scoped.

Frequently asked questions

What do I paste in?
The effective S3 bucket policy as JSON, and optionally the bucket's Block Public Access settings as JSON with the four flags BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets. The tool reads the Statement block of the policy and uses the settings to show whether public grants are currently blocked.
How does it decide the risk level?
It uses deterministic heuristics. An Allow statement with a wildcard principal and no scoping Condition is high risk as a public-internet grant, and a wildcard principal scoped only by an open SourceIp (0.0.0.0/0 or ::/0) stays high. A wildcard principal narrowed by a real Condition such as a specific IP range, VPC, or organization is medium as conditionally public. A grant to an external account or canonical user is medium as cross-account, and a grant to an AWS service principal is low.
How do the Block Public Access settings change the result?
When both BlockPublicPolicy and RestrictPublicBuckets are on, public grants made through a bucket policy are blocked at the account or bucket level, so the tool downgrades a public-internet finding to medium and notes that the grant is still present in the policy. The recommended fix is to remove the public grant rather than rely on Block Public Access to mask it.
Is my policy uploaded anywhere?
No. The analysis runs entirely in your browser. The policy text, bucket names, account IDs, ARNs, principals, resources, and Block Public Access settings are never uploaded, logged, or stored, and they are not included in any analytics. Only coarse, anonymous counts are recorded so we can tell how often the tool is used.
What does it not check yet?
The first version reads the bucket policy and Block Public Access settings. It does not evaluate bucket or object ACLs, it does not resolve NotPrincipal Allow statements, it does not call the AWS API or IAM Access Analyzer, and it does not read CloudFormation or Terraform. It also evaluates most Condition keys by presence rather than by value; the open-CIDR SourceIp check is the one value-aware case. Always read the full policy and keep using your cloud posture tooling if your team has one.
Is the S3 public access card free?
Yes. It is free to use and does not require an account.
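The heuristics described in the worked examples and in the FAQ answers above, as an added example in plain JavaScript. This is not the tool's own code: the function names, the exposure labels, the ownAccountId option (the page does not say how the tool learns the policy's own account), and the sample policy, account IDs, ARNs and Block Public Access settings are constructed for illustration. The Block Public Access downgrade is applied only to the unconditioned wildcard grant; the open SourceIp case is kept as its own category that stays high, following the how-to step on high-risk rows.

```javascript
// Added example: a plain-JavaScript reimplementation of the risk heuristics this page
// describes. Not the tool's own code: function names, exposure labels, the ownAccountId
// option and the sample policy below are constructed for illustration.

const OPEN_CIDRS = new Set(["0.0.0.0/0", "::/0"]);
const SEVERITY = { high: 3, medium: 2, low: 1 };
const asList = (v) => (v === undefined ? [] : [].concat(v));

// Principal "*" or {"AWS": "*"}: an anonymous, all-internet grant.
function isWildcardPrincipal(principal) {
  if (principal === "*") return true;
  return principal !== null && typeof principal === "object" && asList(principal.AWS).includes("*");
}

// True when an IpAddress condition on aws:SourceIp allows 0.0.0.0/0 or ::/0. This is the
// one value-aware check; every other Condition key counts by presence only.
function hasOpenSourceIp(condition) {
  for (const [operator, keys] of Object.entries(condition || {})) {
    if (!operator.toLowerCase().startsWith("ipaddress")) continue; // skips NotIpAddress
    for (const [key, value] of Object.entries(keys)) {
      if (key.toLowerCase() === "aws:sourceip" && asList(value).some((c) => OPEN_CIDRS.has(c))) return true;
    }
  }
  return false;
}

// Account ID from an IAM ARN such as arn:aws:iam::123456789012:root, or from a bare 12-digit ID.
function accountOf(awsPrincipal) {
  const m = /^arn:aws[\w-]*:iam::(\d{12}):/.exec(awsPrincipal) || /^(\d{12})$/.exec(awsPrincipal);
  return m ? m[1] : null;
}

// Classify one statement. Returns null for statements that do not widen access (Deny,
// same-account principals) and for NotPrincipal Allow statements, which are not evaluated.
function classifyStatement(statement, ownAccountId, bpa) {
  if (statement.Effect !== "Allow" || statement.NotPrincipal !== undefined) return null;
  const p = statement.Principal;
  const hasCondition = Object.keys(statement.Condition || {}).length > 0;
  if (isWildcardPrincipal(p)) {
    if (!hasCondition) {
      // Only BlockPublicPolicy and RestrictPublicBuckets together block policy-based public access.
      const blocked = Boolean(bpa && bpa.BlockPublicPolicy && bpa.RestrictPublicBuckets);
      return { exposure: "public-internet", risk: blocked ? "medium" : "high",
        reason: blocked ? "wildcard principal, no Condition; blocked by Block Public Access but still in the policy"
                        : "wildcard principal with no Condition grants access to anyone on the internet" };
    }
    if (hasOpenSourceIp(statement.Condition)) {
      return { exposure: "open-sourceip", risk: "high", reason: "wildcard principal scoped only by an all-internet SourceIp range" };
    }
    return { exposure: "conditionally-public", risk: "medium", reason: "wildcard principal narrowed by a Condition; verify its values" };
  }
  if (p && p.Service) {
    return { exposure: "service-principal", risk: "low", reason: `AWS service ${asList(p.Service).join(", ")}` };
  }
  if (p && p.CanonicalUser) {
    return { exposure: "cross-account", risk: "medium", reason: "canonical user principal; confirm it belongs to a trusted account" };
  }
  const external = asList(p && p.AWS).filter((a) => accountOf(a) !== ownAccountId);
  if (external.length > 0) {
    return { exposure: "cross-account", risk: "medium", reason: `external principal(s): ${external.join(", ")}` };
  }
  return null;
}

// Run every statement, then order findings highest severity first (ties keep policy order).
function analyzePolicy(policy, { ownAccountId, blockPublicAccess } = {}) {
  const statements = asList(policy.Statement);
  const findings = [];
  statements.forEach((s, index) => {
    const f = classifyStatement(s, ownAccountId, blockPublicAccess);
    if (f) findings.push({ index, sid: s.Sid || `statement-${index}`, ...f });
  });
  findings.sort((a, b) => SEVERITY[b.risk] - SEVERITY[a.risk] || a.index - b.index);
  const counts = { high: 0, medium: 0, low: 0 };
  for (const f of findings) counts[f.risk] += 1;
  return { statements: statements.length, findings, counts };
}

// Constructed sample policy covering each case from the page; bucket, account IDs and ARNs are placeholders.
const SAMPLE_POLICY = { Version: "2012-10-17", Statement: [
  { Sid: "PublicRead", Effect: "Allow", Principal: "*", Action: "s3:GetObject", Resource: "arn:aws:s3:::example-bucket/*" },
  { Sid: "OpenCidr", Effect: "Allow", Principal: { AWS: "*" }, Action: "s3:GetObject", Resource: "arn:aws:s3:::example-bucket/*",
    Condition: { IpAddress: { "aws:SourceIp": ["0.0.0.0/0"] } } },
  { Sid: "OfficeOnly", Effect: "Allow", Principal: "*", Action: "s3:ListBucket", Resource: "arn:aws:s3:::example-bucket",
    Condition: { IpAddress: { "aws:SourceIp": "203.0.113.0/24" } } },
  { Sid: "PartnerAccount", Effect: "Allow", Principal: { AWS: "arn:aws:iam::999999999999:root" }, Action: "s3:GetObject", Resource: "arn:aws:s3:::example-bucket/*" },
  { Sid: "LogDelivery", Effect: "Allow", Principal: { Service: "cloudtrail.amazonaws.com" }, Action: "s3:PutObject", Resource: "arn:aws:s3:::example-bucket/AWSLogs/*" },
  { Sid: "OwnRole", Effect: "Allow", Principal: { AWS: "arn:aws:iam::111111111111:role/app" }, Action: "s3:*", Resource: "arn:aws:s3:::example-bucket/*" },
  { Sid: "DenyInsecure", Effect: "Deny", Principal: "*", Action: "s3:*", Resource: "arn:aws:s3:::example-bucket/*",
    Condition: { Bool: { "aws:SecureTransport": "false" } } },
] };

const report = analyzePolicy(SAMPLE_POLICY, { ownAccountId: "111111111111" });
console.log(report.counts, report.findings.map((f) => `${f.risk}: ${f.sid} (${f.exposure})`));
```

Passing the bucket's Block Public Access flags as `blockPublicAccess` turns the PublicRead finding into a medium with a reason that says the grant is still present, while the OpenCidr finding stays high; the same-account OwnRole grant and the Deny statement produce no finding because they do not widen access. Anything using NotPrincipal is skipped rather than classified, matching the stated limitation, so a reviewer should still check those statements by hand.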
