IAM Access Advisor Issue or CloudTrail Bug?

0

Hello there,

We are having a weird situation where IAM Access Analyzer shows that a specific IAM user has called actions on the Amazon S3 service (especially ListAllMyBuckets) in region us-east-1. But CloudTrail doesn't show any logs. Am I missing something?

Screenshots: IAM User Screen Access Analyzer S3

I don't know which one to trust.

3 answers
1

It appears that the IAM user does not have access via the console, yet there are two access keys associated with the account. Notably, the second access key was utilized "yesterday." If you've been using Amazon S3, it's possible you're the owner of this IAM user. Running a simple command like aws s3 ls is adequate to register in the Access Advisor, as illustrated in the accompanying image. The "ListAllBucket" action indicates that you have the permission granted by this policy, even though it hasn't been utilized. Notably, the Access Advisor exclusively displays permissions granted to the specific IAM user in question.

EXPERT
answered 6 months ago
EXPERT
reviewed 6 months ago
  • Then CloudTrail should log the aws s3 ls event, right? CloudTrail has 0 entries about that event.

0
Accepted answer

The issue is that we didn't turn on CloudTrail data events. By default, CloudTrail logs only management events. We had to enable data events to monitor the activities that were performed within resources. Caution: additional charges apply for enabling data events.

answered 4 months ago
0

This does not show that the user called ListAllMyBuckets. IAM Access Analyzer is showing that ListAllMyBuckets is an allowed action, but you see that it was "Not accessed in the tracking period." Do you have an example of where it shows that you have run that operation that is concerning?

AWS
answered 6 months ago
  • We are moving away from the IAM user to an instance profile. We made the changes two weeks ago, but we didn't deactivate the key so we could monitor its usage. Currently that key is being used somewhere. As you can see from the first screenshot, the service "Amazon S3" was used "Yesterday" (please check the "last accessed" column).

    Therefore I tried to search for the same in CloudTrail to get more details about it. But CloudTrail has 0 entries for yesterday for that user.
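When CloudTrail entries are exported (from a log file bucket or a LookupEvents result), the `eventCategory` field on each record says whether it is a management or a data event, and `userIdentity.accessKeyId` says which key made the call. The snippet below is an added example, not code from this thread or from AWS; it filters constructed sample records for one IAM user and summarises, per access key, what was called, of which category, and from which source IP and user agent, which is the information the accepted answer and the comment above are after when tracing where a key is still in use. The user name, key ids and addresses are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}); not real data.
# ListBuckets is the call behind `aws s3 ls` and carries eventCategory "Management";
# GetObject on an object is an S3 data event and only appears once data events are enabled.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "eventCategory": "Management", "managementEvent": True,
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.13.0",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-app", "accessKeyId": "AKIA-PLACEHOLDER-2"}},
    {"eventTime": "2024-01-15T09:13:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventCategory": "Data", "managementEvent": False,
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.13.0",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-app", "accessKeyId": "AKIA-PLACEHOLDER-2"}},
    {"eventTime": "2024-01-15T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "eventCategory": "Management", "managementEvent": True,
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.28.0",
     "userIdentity": {"type": "IAMUser", "userName": "other-user", "accessKeyId": "AKIA-PLACEHOLDER-9"}},
]})


def key_usage(log_text, user_name):
    """Summarise, per access key, what one IAM user did according to CloudTrail records.

    Returns {accessKeyId: {"events": [(time, name, category, region), ...],
                           "sources": {(sourceIP, userAgent), ...},
                           "data_events": count}}.
    An empty result for a user whose key shows "last used" in Access Advisor means the
    calls are not in these records, e.g. a category the trail does not capture.
    """
    records = json.loads(log_text)["Records"]
    summary = defaultdict(lambda: {"events": [], "sources": set(), "data_events": 0})
    for rec in records:
        ident = rec.get("userIdentity", {})
        # Only direct IAM-user calls; role sessions carry a different userIdentity.type.
        if ident.get("type") != "IAMUser" or ident.get("userName") != user_name:
            continue
        entry = summary[ident.get("accessKeyId", "unknown")]
        entry["events"].append(
            (rec["eventTime"], rec["eventName"], rec.get("eventCategory", "?"), rec.get("awsRegion", "?")))
        entry["sources"].add((rec.get("sourceIPAddress", "?"), rec.get("userAgent", "?")))
        if rec.get("eventCategory") == "Data":
            entry["data_events"] += 1
    return dict(summary)


if __name__ == "__main__":
    for key, info in key_usage(SAMPLE_LOG, "legacy-app").items():
        print(key, info["sources"], f"{info['data_events']} data event(s)")
        for ev in info["events"]:
            print("   ", *ev)
```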
