S3 object access

0
  • Is it possible to get insights on which account is reading objects in a bucket in S3 (Using storage lens for instance)?
  • Can we limit access (For who can read the object) on an object by object basis without using ACLs? If so, how to do so? If we use this method, would any account with read-write to the object be able to see which other accounts also have read-write to it?
2 answers
1

Hello.

Is it possible to get insights on which account is reading objects in a bucket in S3 (Using storage lens for instance)?

I think it is possible to understand, to some extent, where access is occurring from by recording data events in the S3 server access log and CloudTrail trail settings.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html

Can we limit access (For who can read the object) on an object by object basis without using ACLs? If so, how to do so? If we use this method, would any account with read-write to the object be able to see which other accounts also have read-write to it?

I think it is possible to control access to objects and folders using bucket policies.
However, the maximum bucket policy size is 20 KB, so if you have a large number of files to limit, it is better to use ACLs etc.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-iam-policies.html

EXPERT
answered a month ago
AWS EXPERT
reviewed a month ago
0
  1. Storage Lens doesn't provide the information of who accessed the data. You'd want to set up CloudTrail for S3 data events and then query the CloudTrail data through Athena for certain actions/prefixes/users etc. To get access to an S3 object/objects, there are two parts:
  • The IAM user/role must have access to that S3 bucket and key/prefix
  • The bucket policy must not have an explicit deny for that S3 prefix for same-account access; for cross-account access, the bucket policy must explicitly allow access to that IAM user/role (IAM principal) for that prefix/key

Refer to Managing access to your Amazon S3 resources and the cross-account permissions examples.

  2. You can definitely limit access to certain prefixes in an S3 bucket to certain users/roles (IAM principals, per se) through an S3 bucket policy. Whoever has access to the CloudTrail trail which is capturing S3 data events, and to the CloudTrail logs bucket where the CloudTrail logs are being stored, would be able to access that information. Definitely, you'd want to limit this access to certain users/roles only, from an audit perspective. Refer to Querying AWS CloudTrail logs.

Comment here if you have additional questions, happy to help.

Abhishek

AWS EXPERT
answered a month ago
AWS EXPERT
reviewed a month ago
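As an added example (not from either answer or from AWS) of the CloudTrail-based approach both answers describe: a small Python script that summarises which account and principal read which objects under a prefix, and which of those readers are cross-account, run over constructed sample CloudTrail S3 data-event records with placeholder account ids and ARNs. Athena over the real trail is the production tool; this reproduces the same filtering logic offline.

```python
"""Who read which S3 objects, from CloudTrail S3 data events.
Added example, not the original post's code. The records below are
constructed samples (placeholder account ids/ARNs) shaped like real
CloudTrail S3 data-event records; only standard record fields are used."""
import json
from collections import defaultdict

# Constructed sample trail file: two accounts, two buckets, reads and a write.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/AppRole/i-0abc"},
     "requestParameters": {"bucketName": "example-bucket", "key": "finance/q1.csv"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "accountId": "222222222222",
                      "arn": "arn:aws:iam::222222222222:user/analyst"},
     "requestParameters": {"bucketName": "example-bucket", "key": "finance/q1.csv"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "accountId": "222222222222",
                      "arn": "arn:aws:iam::222222222222:user/analyst"},
     "requestParameters": {"bucketName": "example-bucket", "key": "public/readme.txt"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                      "arn": "arn:aws:sts::111111111111:assumed-role/AppRole/i-0abc"},
     "requestParameters": {"bucketName": "other-bucket", "key": "logs/a.gz"}},
]})

# S3 API calls that return object data or metadata; writes are ignored.
READ_EVENTS = {"GetObject", "HeadObject"}


def object_readers(trail_json, bucket, prefix=""):
    """Map (accountId, principal ARN) -> sorted keys read under bucket/prefix."""
    readers = defaultdict(set)
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in READ_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        key = params.get("key", "")
        if params.get("bucketName") != bucket or not key.startswith(prefix):
            continue
        ident = rec["userIdentity"]
        readers[(ident["accountId"], ident["arn"])].add(key)
    return {who: sorted(keys) for who, keys in readers.items()}


def cross_account_readers(trail_json, bucket, owner_account, prefix=""):
    """Readers whose account is not the bucket owner (cross-account access)."""
    return {who: keys for who, keys in object_readers(trail_json, bucket, prefix).items()
            if who[0] != owner_account}
```

Run against real trail files by replacing `SAMPLE_RECORDS` with the decompressed contents of a CloudTrail log object; a `HeadObject` is counted as a read because it reveals object metadata.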
