I have a Cognito pool / federated identity setup with users receiving temporary IAM credentials via AWS Amplify. These users have access to getObject from a couple of S3 buckets even though:
If I create a new bucket and point getObject at an object it contains, the users get 403 Forbidden, an indication that some bucket-specific policy somewhere is granting access. The problem is that we have so many policies and roles, many used in production, so I can't simply do on/off testing to narrow it down.
Is there a way to trace which policy/role is providing access for a specific S3 getObject request?
EDIT: I've run the IAM Policy Simulator for the role associated with the Cognito groups and it gives denied for the objects in question.
The objects whose access I'm trying to get correctly blocked have no permissions set on them. The buckets have:
UPDATE: I've added CloudTrail logging to my buckets. While an event with eventName = 'GetObject' is logged for any downloads I do from the bucket via the console, no events are logged for s3.getObject downloads via the AWS JavaScript SDK. How can I get these events to log?
Use CloudTrail to log Amazon S3 API calls.
An event logged in CloudTrail for S3 actions includes information about the requested action, the date and time of the action, the request parameters, and the user identity, for example:
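As an added example (not code from the original question or answer), the script below shows what that identity information lets you do once S3 data events are being recorded: it attributes each GetObject on a bucket to the principal behind it, distinguishing a Cognito identity-pool session (an assumed role whose session came from web identity federation) from a console user, and it builds the event selector that CloudTrail needs before it will log GetObject at all, since object-level S3 calls are data events rather than management events. The log records, bucket, keys, account ID, role and user names are constructed placeholders.

```python
"""Added example, not code from the original question or answer: attribute
S3 GetObject data events in a CloudTrail log to the principal that made them,
and build the event selector that makes CloudTrail record such events.  All
names (bucket, key, account ID, role, access key) are placeholders."""
import json
from collections import defaultdict

# Constructed sample log with two GetObject data events.  Record 0 is a request
# signed with Cognito identity-pool credentials: type AssumedRole, the IAM role
# under sessionContext.sessionIssuer, and webIdFederationData naming Cognito.
# Record 1 is an IAM user downloading through the console.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/"
                   "Cognito_AppAuth_Role/CognitoIdentityCredentials",
            "accountId": "123456789012",
            "accessKeyId": "ASIAEXAMPLEKEY",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "arn": "arn:aws:iam::123456789012:role/Cognito_AppAuth_Role",
                    "userName": "Cognito_AppAuth_Role",
                },
                "webIdFederationData": {
                    "federatedProvider": "cognito-identity.amazonaws.com",
                    "attributes": {},
                },
            },
        },
        "eventTime": "2021-03-01T10:05:12Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "requestParameters": {"bucketName": "example-app-assets",
                              "key": "private/report.pdf"},
        "eventCategory": "Data",
    },
    {
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "accountId": "123456789012"},
        "eventTime": "2021-03-01T10:07:30Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "requestParameters": {"bucketName": "example-app-assets",
                              "key": "public/logo.png"},
        "eventCategory": "Data",
    },
]})


def principal_of(user_identity):
    """Reduce a userIdentity block to who really made the call.  For an
    AssumedRole session the caller ARN (assumed-role/Role/Session) is
    transient; the stable identifier is sessionContext.sessionIssuer.arn.
    webIdFederationData is present only for web-identity federated sessions."""
    ctx = user_identity.get("sessionContext", {})
    return {
        "type": user_identity.get("type"),
        "caller_arn": user_identity.get("arn"),
        "role": ctx.get("sessionIssuer", {}).get("arn"),  # None if not a role
        "federated_provider": ctx.get("webIdFederationData", {}).get("federatedProvider"),
    }


def attribute_get_objects(log_text, bucket):
    """Map object key -> list of principals that fetched it from 'bucket'."""
    by_key = defaultdict(list)
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "GetObject":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != bucket:
            continue
        entry = principal_of(rec["userIdentity"])
        entry["time"] = rec.get("eventTime")
        by_key[params.get("key")].append(entry)
    return dict(by_key)


def s3_data_event_selectors(bucket, read_write_type="ReadOnly"):
    """EventSelectors for CloudTrail PutEventSelectors.  GetObject is a data
    event: a trail records it only for buckets listed as AWS::S3::Object data
    resources; the trailing slash selects every object in the bucket."""
    return [{"ReadWriteType": read_write_type, "IncludeManagementEvents": True,
             "DataResources": [{"Type": "AWS::S3::Object",
                                "Values": [f"arn:aws:s3:::{bucket}/"]}]}]


if __name__ == "__main__":
    for key, callers in attribute_get_objects(SAMPLE_LOG, "example-app-assets").items():
        for c in callers:
            via = f" via {c['federated_provider']}" if c["federated_provider"] else ""
            print(f"{c['time']}  {key}  <-  {c['role'] or c['caller_arn']}{via}")
    print(json.dumps(s3_data_event_selectors("example-app-assets"), indent=2))
```

The selector list is the EventSelectors argument to PutEventSelectors (aws cloudtrail put-event-selectors --trail-name NAME --event-selectors '...' on the CLI, or client('cloudtrail').put_event_selectors(TrailName=..., EventSelectors=...) in boto3); without a data resource for the bucket, a trail records only management events and GetObject never appears. Note also what CloudTrail does and does not tell you: the record names the principal (here the role the identity pool assumed, with cognito-identity.amazonaws.com as the federated provider), not the policy statement that allowed the call. The role ARN is then what you evaluate against the bucket policy and the policies attached to that role.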