2 Answers
- Storage Lens doesn't provide the information of who accessed the data. You'd want to set up CloudTrail for S3 data events and then query the CloudTrail data through Athena for certain actions/prefixes/users etc. To get access to an S3 object/objects, there are two parts:
  - IAM user/role must have access to that S3 bucket and key/prefix
  - Bucket policy must not have an explicit deny for that S3 prefix for same-account access, and for cross-account access, the bucket policy must explicitly allow access to that IAM user/role (IAM principal) for that prefix/key

  Refer to Managing access to your Amazon S3 resources and cross-account permissions examples.
- You can definitely limit access to certain prefixes in an S3 bucket to certain users/roles (IAM principals, per se) through the S3 bucket policy. Whoever has access to the CloudTrail trail that is capturing S3 data events and to the CloudTrail logs bucket where the CloudTrail logs are being stored would be able to access that information. Definitely, you'd want to limit this access to certain users/roles only from an audit perspective. Refer to Querying AWS CloudTrail logs.
Comment here if you have additional questions, happy to help.
Abhishek
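To make the first part of the answer concrete, here is an added example (not part of the original answer or of any AWS tooling) that reads a CloudTrail log file, keeps only the S3 data events, and reports which IAM principals touched a given bucket prefix. It then compares that set against an allowlist of principals the bucket policy is supposed to permit, which is the audit check a prefix-level bucket policy is meant to support. The log records, bucket name, prefixes and principal ARNs are all constructed sample values; in practice you would run the same query in Athena over the CloudTrail logs bucket, but the field names used here (`eventSource`, `eventName`, `userIdentity.arn`, `requestParameters.bucketName`/`key`/`prefix`) are the ones CloudTrail writes for S3 data events.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail log file (not real log data). It mixes S3 data
# events for two prefixes with one unrelated IAM management event.
SAMPLE_CLOUDTRAIL = json.dumps({
    "Records": [
        {
            "eventTime": "2024-01-15T10:00:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
            "requestParameters": {"bucketName": "example-bucket", "key": "finance/q4/report.csv"},
        },
        {
            "eventTime": "2024-01-15T10:01:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
            "requestParameters": {"bucketName": "example-bucket", "key": "public/logo.png"},
        },
        {
            "eventTime": "2024-01-15T10:02:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutObject",
            "userIdentity": {"type": "AssumedRole",
                             "arn": "arn:aws:sts::111122223333:assumed-role/etl-job/session1"},
            "requestParameters": {"bucketName": "example-bucket", "key": "finance/q4/raw.parquet"},
        },
        {
            # ListObjects calls carry a "prefix" parameter instead of a "key"
            "eventTime": "2024-01-15T10:03:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "ListObjects",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
            "requestParameters": {"bucketName": "example-bucket", "prefix": "finance/"},
        },
        {
            "eventTime": "2024-01-15T10:04:00Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"},
            "requestParameters": {"userName": "dave"},
        },
    ]
})


def parse_s3_data_events(raw_json):
    """Return the S3 data events from a CloudTrail log file as flat dicts."""
    records = json.loads(raw_json).get("Records", [])
    events = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue  # management events from other services are not S3 accesses
        params = rec.get("requestParameters") or {}
        events.append({
            "time": rec.get("eventTime"),
            "principal": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "action": rec.get("eventName"),
            "bucket": params.get("bucketName"),
            # Object operations carry "key"; list operations carry "prefix".
            "key": params.get("key") or params.get("prefix") or "",
        })
    return events


def accesses_by_prefix(events, bucket, prefix):
    """Map principal ARN -> {eventName: count} for accesses under bucket/prefix."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        # Prefix matching on the key/prefix parameter; a ListObjects call with a
        # shorter prefix (e.g. "fin") would not be caught by this simple check.
        if ev["bucket"] == bucket and ev["key"].startswith(prefix):
            counts[ev["principal"]][ev["action"]] += 1
    return {principal: dict(actions) for principal, actions in counts.items()}


def principals_outside_allowlist(events, bucket, prefix, allowed_principals):
    """Principals seen accessing bucket/prefix that are not on the allowlist."""
    seen = set(accesses_by_prefix(events, bucket, prefix))
    return seen - set(allowed_principals)


if __name__ == "__main__":
    evs = parse_s3_data_events(SAMPLE_CLOUDTRAIL)
    print(accesses_by_prefix(evs, "example-bucket", "finance/"))
    # Constructed allowlist: the principals the bucket policy is meant to permit.
    allowed = {
        "arn:aws:iam::111122223333:user/alice",
        "arn:aws:sts::111122223333:assumed-role/etl-job/session1",
    }
    print(principals_outside_allowlist(evs, "example-bucket", "finance/", allowed))
```

The allowlist comparison is the useful part: a bucket policy scoped to `finance/*` says who should be able to reach that prefix, and the CloudTrail data events say who actually did, so any principal in the second set but not the first is worth investigating. Note that assumed-role sessions appear under an `arn:aws:sts::...:assumed-role/...` ARN rather than the role ARN, so the allowlist has to account for that.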