S3 object access

0
  • Is it possible to get insights on which account is reading objects in a bucket in S3 (Using storage lens for instance)?
  • Can we limit access (For who can read the object) on an object by object basis without using ACLs? If so, how to do so? If we use this method, would any account with read-write to the object be able to see which other accounts also have read-write to it?
2 Answers
1

Hello.

Is it possible to get insights on which account is reading objects in a bucket in S3 (Using storage lens for instance)?

I think it is possible to understand to some extent where access is occurring from by recording data events in the S3 server access log and CloudTrail trail settings.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html

Can we limit access (For who can read the object) on an object by object basis without using ACLs? If so, how to do so? If we use this method, would any account with read-write to the object be able to see which other accounts also have read-write to it?

I think it is possible to control access to objects and folders using bucket policies.
However, the maximum bucket policy size is 20 KB, so if you have a large number of files to restrict, it is better to use ACLs, etc.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-iam-policies.html

answered 11 days ago
reviewed by AWS 11 days ago
0
  1. Storage Lens doesn't provide the information of who accessed the data. You'd want to set up CloudTrail for S3 data events and then query the CloudTrail data through Athena for certain actions/prefixes/users, etc. To get access to an S3 object/objects, there are two parts:
  • The IAM user/role must have access to that S3 bucket and key/prefix
  • The bucket policy must not have an explicit deny for that S3 prefix for same-account access, and for cross-account access the bucket policy must explicitly allow access to that IAM user/role (IAM principal) for that prefix/key

Refer to Managing access to your Amazon S3 resources and the cross-account permissions examples.

  2. You can definitely limit access to certain prefixes in an S3 bucket to certain users/roles (IAM principals, per se) through the S3 bucket policy. Whoever has access to the CloudTrail trail that is capturing S3 data events, and to the CloudTrail logs bucket where the CloudTrail logs are being stored, would be able to access that information. You'd definitely want to limit this access to certain users/roles only, from an audit perspective. Refer to Querying AWS CloudTrail logs.

Comment here if you have additional questions, happy to help.

Abhishek

answered 11 days ago
reviewed by AWS 11 days ago
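To show what the CloudTrail S3 data events recommended above actually give you, here is an added Python example (not from either answer) that walks constructed CloudTrail records, tallies object reads per account and key, and lists reads made from an account other than the one that received the event. The account IDs, ARNs, bucket and keys are made up, and it assumes the records have already been fetched from the trail's log bucket, which is the part Athena does for you at scale.

```python
import json
from collections import defaultdict

# Constructed, abridged CloudTrail S3 data-event records; the field names follow the
# CloudTrail record format, the accounts, ARNs, bucket and keys are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:role/app-reader"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "222222222222", "arn": "arn:aws:iam::222222222222:user/partner"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:role/app-writer"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q2.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "222222222222", "arn": "arn:aws:iam::222222222222:user/partner"},
     "requestParameters": {"bucketName": "example-bucket", "key": "internal/plan.txt"}},
]})

# S3 API actions that read object data or metadata (PutObject and friends are ignored).
READ_ACTIONS = {"GetObject", "HeadObject", "GetObjectVersion"}

def s3_read_events(trail_text, prefix=""):
    """Yield (account_id, principal_arn, bucket, key, recipient_account) for each read under prefix."""
    for rec in json.loads(trail_text)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in READ_ACTIONS:
            continue
        params = rec.get("requestParameters") or {}
        key = params.get("key", "")
        if not key.startswith(prefix):
            continue
        ident = rec["userIdentity"]
        yield ident["accountId"], ident["arn"], params.get("bucketName"), key, rec["recipientAccountId"]

def reads_by_account(trail_text, prefix=""):
    """Count reads per (account, key): answers 'which account is reading which object'."""
    counts = defaultdict(int)
    for account, _arn, _bucket, key, _owner in s3_read_events(trail_text, prefix):
        counts[(account, key)] += 1
    return dict(counts)

def cross_account_reads(trail_text):
    """Reads where the caller's account differs from recipientAccountId (the bucket owner's trail)."""
    return sorted({(arn, key) for account, arn, _b, key, owner in s3_read_events(trail_text)
                   if account != owner})

if __name__ == "__main__":
    print(reads_by_account(SAMPLE_TRAIL, "reports/"))
    print(cross_account_reads(SAMPLE_TRAIL))
```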
