stackoom
  简体   繁体   中英

How to identify which policy/role is granting access to S3 bucket

 原文  2019-02-21 22:09:09       amazon-web-services/ amazon-s3/ amazon-cognito/ amazon-iam/ aws-amplify

Question

I have a Cognito pool / Federated identity setup with users receiving temporary IAM credentials via AWS Amplify. These users have access to getObject from a couple S3 buckets even though:

  • The buckets have all public access disabled
  • The buckets policy page is blank
  • The IAM role associated to the Cognito groups that these users are members of (Trust Relationship with cognito-identity.amazonaws.com) have no policies attached that grant any S3 permissions. Policies attached are only for AppSync, Cognito, and APIGateway

If I create a new bucket and point getObject at a contained object, the users get 403 Forbidden, an indication that some bucket-specific policy somewhere is granting access. Problem is we have so many policies and roles, many used in production, so I can't simply do on/off testing to narrow it down.

Is there a way somehow to trace what policy/role is providing access for a specific S3 getObject request?

EDIT I've run the IAM Policy Simulator for the role associated with the Cognito groups and it gives denied for the objects in question.

The objects I'm trying to have access correctly blocked for have no permissions set for them. The buckets have:

  • Block new public ACLs and uploading public objects (Recommended): True
  • Remove public access granted through public ACLs (Recommended): True
  • Block new public bucket policies (Recommended): True
  • Block public and cross-account access if bucket has public policies (Recommended): True

UPDATE I've added cloudtrail logging to my buckets. While an event with eventname = 'GetObject' is logged for any downloads I do from the bucket via console, no events are logged for s3.getObject downloads via the AWS javascript SDK. How can I get these events to log?

1 answers

solution1
 0  2019-02-21 22:46:13

Use CloudTrail to log Amazon S3 API Calls .

An event logged in CloudTrail for S3 actions includes information about the requested action, the date and time of the action, request parameters, and the user identity , for example:

  • arn:aws:iam::123456789012:user/Alice
  • arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question S3 IAM policy for one bucket not granting access S3 PutObject operation gives Access Denied with IAM Role containing Policy granting access to S3 Cognito Role and AWS S3 Bucket policy for mobile and web access S3 Bucket Policy and IAM Role Conflicting S3 bucket access restriction with bucket policy What is the role of policy ID for an s3 bucket policy? Granting write access for the Authenticated Users to S3 bucket Granting AWS Config access to the Amazon S3 Bucket How to describe S3 Bucket policy for preventing access error How to change Public access to private for S3 Bucket Policy
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM