To check whether S3 buckets are publicly accessible, you can use the bucket permissions check in the Amazon S3 console, or you can use the AWS Trusted Advisor Amazon S3 bucket permissions check.

If you have a large number of S3 buckets in your AWS account, you can use AWS Config to quickly identify which buckets allow public read or write access. Additionally, you can set up AWS Config to notify you if any S3 buckets become publicly accessible after your initial review.

To create AWS Config rules that flag which S3 buckets are publicly accessible, follow these steps:

Note: Before you use AWS Config to analyze your S3 buckets, be sure to set up AWS Config on your AWS account.

1. Open the AWS Config console and set the region selector to an
   AWS Region that supports AWS Config rules.
   Note: AWS Config performs the compliance check for buckets in the corresponding AWS Region. If you have buckets in multiple regions, set up AWS Config rules in each Region.
2. In the navigation pane, choose Rules.
3. Choose + Add rule.
4. In the search bar, type "s3-bucket-public-read-prohibited". Then, choose the s3-bucket-public-read-prohibited rule
   . This rule flags buckets that allow public read access as Noncompliant.
5. Choose Save.
6. Choose + Add rule.
7. In the search bar, type "s3-bucket-public-write-prohibited". Then, choose the s3-bucket-public-write-prohibited rule. This rule flags buckets that allow public write access as Noncompliant.
8. Choose Save.

It might take several minutes for AWS Config to complete the evaluation of your S3 buckets based on the new rules. After the AWS Config evaluation is complete, open the Rules page from the AWS Config console. Then, open each rule to see which S3 buckets are flagged as noncompliant—noncompliant buckets are those that allow either public write or read access from the internet.

To set up notifications from AWS Config when an S3 bucket becomes noncompliant (allows public write or read access), see Notifications that AWS Config sends.