Customers can enable Access Analyzer
... but is it free?
At its re:Invent event under way in Las Vegas, Amazon Web Services (AWS) dropped the veil on a new tool to help customers to avoid spewing data stored on its S3 (Simple Storage) service to world+dog. "Access Analyzer for S3 is a new feature that monitors your access policies, ensuring that the policies provide only the …
Access Analyzer for S3 is available at no additional cost in the S3 Management Console in all commercial AWS Regions, excluding the AWS China (Beijing) Region and the AWS China (Ningxia) Region. Access Analyzer for S3 is also available through APIs in the AWS GovCloud (US) Regions.
Yes it's free.
"Access Analyzer for S3 is available at no additional cost in the S3 Management Console in all commercial AWS Regions, excluding the AWS China (Beijing) Region and the AWS China (Ningxia) Region. Access Analyzer for S3 is also available through APIs in the AWS GovCloud (US) Regions."
I think this is just a response to the high-profile 'blunders' which have been down to human error (but look bad on AWS unfairly). This will be just another resource which AWS can say 'look - we have this easy-to-use, free tool for them, yet the user is still an idiot and ignored it or any of the other best practice advice we have given'.
For example, when you make a bucket public it alerts you and is very visible on the console afterwards. A person also will need to deliberately attach an open resource policy to the bucket, yet this still isn't enough.
It is free, although as I and a fellow AWS user discovered, there is at least one strange behaviour as we noted on their forum: https://forums.aws.amazon.com/thread.jspa?messageID=925452
Definitely odd that their own tooling showed an impossible-for-the-customer-to-achieve configuration, that has magically vanished, and a slight worry as this related to an AWS managed key in KMS!