AWS Storage
The AWS Storage Analyzer provides comprehensive analysis of cloud storage configurations and usage, focusing on S3 buckets and EBS volumes. It surfaces access patterns, encryption status, policy compliance, and potential security vulnerabilities.
Required Blueprints: AWS

Sightlines
| Sightline | Description |
|---|---|
| All Buckets | Surfaces overall bucket inventory, sizing, access frequency, and distribution metrics. |
| Public Buckets | Identifies publicly accessible buckets and their grant permissions. |
| Buckets hosting static sites | Tracks buckets used for static site hosting and their size distribution. |
| Bucket Versioning | Shows versioning status across buckets for data protection compliance. |
| Buckets with Embedded Policy | Monitors embedded (inline) bucket policies and their access levels. |
| Buckets with IAM Policy | Tracks IAM policies attached to buckets and their access distributions. |
| Buckets with Tags | Monitors tagging compliance across S3 buckets. |
| User Access for Buckets | Provides visibility into which users have access to S3 and their access patterns. |
| Group Access for Buckets | Tracks group-level S3 access including empty groups with direct permissions. |
| Role Access for Buckets | Monitors role-based S3 access including federated users and unused roles. |
| Bucket Access Analysis | Analyzes bucket access patterns including denied/allowed accesses, trends, and inactivity. |
| Bucket Anonymous Access Analysis | Tracks anonymous access attempts to S3 buckets, both allowed and denied. |
| Service Access for Buckets | Surfaces EC2 instances with S3 access and users who reach S3 through EC2. |
| Bucket Encryption Analysis | Shows encryption status and algorithm distribution across buckets. |
| Objects | Tracks object-level metrics including size, read/write activity, and count trends. |
| Tags | Shows tag details for individual buckets and shared tags across buckets. |
| Policies | Displays inline and IAM policy details and access distributions for individual buckets. |
| Access Analysis | Shows top users who frequently access a specific bucket. |
| Buckets with CloudFront CDN | Identifies buckets hosting static content for CloudFront and their enabled status. |
| Buckets Logging Analysis | Monitors CloudTrail logging and server access logging configurations for buckets. |
| Bucket Access | Shows buckets accessible through IAM policies and per-user access breakdowns. |
| Access Events for S3 Objects | Displays the latest access events for S3 objects. |
| Buckets with Replication | Monitors replication configurations and rule status across buckets. |
| User Access Policies for Buckets | Breaks down user access to S3 by inline and IAM policy type, distinguishing full from partial access. |
| Objects Within Buckets | Tracks object size, read/write trends, and count trends within individual buckets. |
| Buckets with Public Access | Monitors public access block configurations across buckets. |
| EBS Volume | Surfaces EBS volume inventory, unused volumes, encryption status, and storage events. |
| EBS Snapshot | Monitors EBS snapshot sharing, public exposure, encryption, and volume size distribution. |
Explorer Node Types
Use these node types in Explorer or KAI to query resources surfaced by this analyzer:
aws.s3.Bucket, aws.s3.Grant, aws.s3.Grantee, aws.s3.Object, aws.s3.ReplicationConfiguration, aws.s3.LoggingEnabled, aws.ec2.Volume, aws.ec2.Snapshot
Related Analyzers
- AWS IAM — Bucket policies and user/role access control
- AWS Compute — EC2 instances that access S3 buckets
- AWS Network — S3 endpoints and network access patterns
- IaC — S3 buckets created and managed via CloudFormation/Terraform