
Who turned on public access to my Amazon S3 bucket?


I want to find the user who turned on public access to my Amazon Simple Storage Service (Amazon S3) bucket.

Short description

Review the AWS CloudTrail event history to find the user who updated the bucket access control list (ACL) or the bucket policy to allow public access.

Note: CloudTrail Event history shows management events for only the past 90 days, and only for the Region that you select. If the event occurred more than 90 days ago, then you must query the log files that your trail delivered to its S3 bucket, which requires that a trail was already logging when the change happened. Also, a public ACL or bucket policy takes effect only if S3 Block Public Access is turned off for the bucket and the account, so review the events that changed the bucket's public access block settings as well.

To review your CloudTrail event logs, use one of the following:

  • The CloudTrail console
  • The AWS Command Line Interface (AWS CLI)

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use the CloudTrail console

To find the user who turned on public access to your S3 bucket, complete the following steps:

  1. Open the CloudTrail console.
  2. From the Region selector in the navigation bar, choose the AWS Region that your bucket is in.
  3. From the navigation pane, choose Event history.
  4. For Lookup attribute, select the filter that you want to use to find the event that granted public access to your bucket:
    To filter events by your bucket's name, select Resource name, and then enter your bucket's name.
    To filter events by changes to a bucket ACL, select Event name, and then enter PutBucketAcl.
    To filter events by changes to a bucket policy, select Event name, and then enter PutBucketPolicy.
  5. After you find the event that granted public access to your bucket, review the event's User name column. Then, expand the event item and choose View event record to see more details, such as the user's Amazon Resource Name (ARN).

Use the AWS CLI

To list all the CloudTrail events that are associated with your bucket, run the following lookup-events command:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=example-bucket-name --region example-region

To list only the events that changed a bucket ACL in the Region, run the following command. The results include every bucket in the Region, so check the bucket name in each event:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketAcl --region example-region

To list only the events that changed a bucket policy in the Region, run the following command:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketPolicy --region example-region
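The EventName filters above return every PutBucketAcl and PutBucketPolicy call in the Region, for every bucket, and not every policy or ACL change grants public access. The following Python script is an added example and is not part of the original AWS article. It reads the JSON that `aws cloudtrail lookup-events --output json` writes, keeps only the events whose request parameters name your bucket, and reports the events that actually opened the bucket to everyone: a public canned ACL, a grant to the AllUsers or AuthenticatedUsers group, or an unconditional Allow statement with an anonymous principal. The field names under requestParameters (bucketName, x-amz-acl, AccessControlPolicy, bucketPolicy) are assumed to follow the shape of CloudTrail's S3 records, and the sample events embedded in the script are constructed for the example, with placeholder account ID 111122223333.

```python
import json
import sys

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _as_list(value):
    """CloudTrail serializes a single element as a scalar or dict and repeated elements as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_grants_public(params):
    """True if a PutBucketAcl request used a public canned ACL or granted a global group (assumed field names)."""
    if set(_as_list(params.get("x-amz-acl"))) & PUBLIC_CANNED_ACLS:
        return True
    acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS for g in _as_list(acl.get("Grant")))


def policy_grants_public(params):
    """True if a PutBucketPolicy request contains an unconditional Allow to an anonymous principal."""
    for stmt in _as_list(params.get("bucketPolicy", {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # a Deny, or an Allow restricted by a Condition, is not treated as public here
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            return True
    return False


def find_public_access_events(lookup_output, bucket_name):
    """Walk lookup-events output and return who granted public access to bucket_name, oldest first."""
    hits = []
    for event in lookup_output.get("Events", []):
        record = json.loads(event["CloudTrailEvent"])  # the CLI returns the full record as a JSON string
        params = record.get("requestParameters") or {}
        if params.get("bucketName") != bucket_name:
            continue  # an EventName filter returns calls against every bucket in the Region
        name = record.get("eventName")
        if (name == "PutBucketAcl" and acl_grants_public(params)) or (
            name == "PutBucketPolicy" and policy_grants_public(params)
        ):
            identity = record.get("userIdentity", {})
            hits.append({"eventName": name, "eventTime": record.get("eventTime"),
                         "userName": identity.get("userName"), "arn": identity.get("arn")})
    return hits


def _sample_event(name, user, params, when):
    """Build one constructed lookup-events entry in the shape the CLI emits."""
    record = {"eventTime": when, "eventName": name, "eventSource": "s3.amazonaws.com",
              "userIdentity": {"type": "IAMUser", "userName": user,
                               "arn": f"arn:aws:iam::111122223333:user/{user}"},
              "requestParameters": params}
    return {"EventName": name, "Username": user, "EventTime": when, "CloudTrailEvent": json.dumps(record)}


BUCKET = "example-bucket-name"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Constructed sample output: only dave (public ACL grant) and erin (anonymous Allow) opened BUCKET.
SAMPLE_LOOKUP_OUTPUT = {"Events": [
    _sample_event("PutBucketAcl", "alice", {"bucketName": BUCKET, "x-amz-acl": ["private"]}, "2024-03-01T09:00:00Z"),
    _sample_event("PutBucketPolicy", "bob", {"bucketName": "other-bucket", "bucketPolicy": {
        "Version": "2012-10-17", "Statement": {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                               "Resource": "arn:aws:s3:::other-bucket/*"}}}, "2024-03-01T09:05:00Z"),
    _sample_event("PutBucketPolicy", "carol", {"bucketName": BUCKET, "bucketPolicy": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
                                                "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}}, "2024-03-01T09:10:00Z"),
    _sample_event("PutBucketAcl", "dave", {"bucketName": BUCKET, "AccessControlPolicy": {"AccessControlList": {
        "Grant": [{"Grantee": {"xsi:type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}}}, "2024-03-01T09:15:00Z"),
    _sample_event("PutBucketPolicy", "erin", {"bucketName": BUCKET, "bucketPolicy": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                                                "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}}, "2024-03-01T09:20:00Z"),
]}

if __name__ == "__main__":
    # Usage: aws cloudtrail lookup-events ... --output json > events.json; python3 who_made_public.py events.json BUCKET
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOOKUP_OUTPUT
    bucket = sys.argv[2] if len(sys.argv) > 2 else BUCKET
    for hit in find_public_access_events(data, bucket):
        print(f"{hit['eventTime']} {hit['eventName']} by {hit['userName']} ({hit['arn']})")
```

Run it on the saved lookup-events output for the bucket's Region. Each PutBucketAcl and PutBucketPolicy call for the bucket is checked, so a policy that only grants a named role, or an Allow restricted by a Condition, is not reported. Because lookup-events only covers the past 90 days, the same functions can be pointed at records pulled from your trail's log files for older events.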

Related information

Working with CloudTrail Event history

CloudTrail record contents

AWS OFFICIAL
Updated 3 months ago