S3 HeadBucket AccessDenied Events from AWS Config are logged by CloudTrail

Question

We are receiving some events in Cloudtrail every day that AWS Config cannot execute the HeadBucket-Event to its S3 bucket. See Cloudtrail event below.  
AWS Config has full access to that S3 bucket and events are logged fine.  
  
How can we avoid this event in Cloudtrail? Or maybe this is a bug in AWS?

```
"eventVersion": "1.05",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "config.amazonaws.com"
    },
    "eventTime": "2019-06-28T07:04:33Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "HeadBucket",
    "awsRegion": "eu-central-1",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "Access Denied",
    "requestParameters": {
        "bucketName": "o-op-c3s-config-XXXXXXX",
        "Host": "o-op-c3s-config-XXXXXXX.s3.eu-central-1.amazonaws.com"
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-SHA",
        "bytesTransferredIn": 0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "XXXXXXXX",
        "bytesTransferredOut": 243
    },
    "requestID": "7F64F2B43ECBAF50",
    "eventID": "d73d8811-7ef7-49fd-8ee7-fc132478ed2e",
    "readOnly": true,
    "resources": [
        {
            "type": "AWS::S3::Object",
            "ARNPrefix": "arn:aws:s3:::o-op-c3s-config-XXXXXXX/"
        },
        {
            "accountId": "XXXXXXX",
            "type": "AWS::S3::Bucket",
            "ARN": "arn:aws:s3:::o-op-c3s-config-XXXXX"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "XXXXXXX",
    "sharedEventID": "24fbb551-99e9-41f7-96ef-f1ca01769e9f",
    "vpcEndpointId": "vpce-XXXXXX"
}
```

Answer

Thanks, been seeing this in my cloudtrail as well. There's a typo in the policy, add a comma after Action line:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSConfigBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "config.amazonaws.com"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3::: YOUR_BUCKET_NAME"
        }
    ]
}
```

Answer

Looking at my Source IP in the error it displays as "AWS Internal" which I cannot add as the service name and errors on saving.

Answer

Hi,  
  
I am getting this error in my Cloudtrail logs every few minutes. I have tried adding this policy to the S3 Bucket policy directly but doesn't seem to fix the issue.  
  
This error triggers my unauthorized api call metric alarm  
  
Any help would be appreciated.

Answer

Thanks for bringing this issue to our attention. We apologize for any inconvenience this has caused. We can confirm that AWS Config is delivering recorded data to your configured S3 bucket correctly.  The AccessDenied error logs for HeadBucket API calls you are seeing in CloudTrail is a side effect of a check we introduced last week. We are making a HeadBucket API call to check for the existence of the S3 bucket and determine the region in which the S3 bucket is located before delivering the data. This was added so that data can be delivered efficiently to S3 buckets located in regions different from where Config data was recorded.  You can update your S3 bucket policy to include s3:ListBucket permissions for config.amazonaws.com to stop the AccessDenied events from getting logged in your CloudTrail logs.  
  
------------------------------------------------------------------------------------  
Here is a sample S3 bucket policy   
  
{  
  "Version": "2012-10-17",  
  "Statement": \[  
    {  
      "Sid": "AWSConfigBucketPermissionsCheck",  
      "Effect": "Allow",  
      "Principal": {  
        "Service": \[  
         "config.amazonaws.com"  
        ]  
      },  
      "Action": "s3:ListBucket"  
     "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"  
    }  
  ]  
}     
----------------------------------------------------------------------------------------------------------  
  
\[1] S3 Head Bucket API reference https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketHEAD.html

S3 HeadBucket AccessDenied Events from AWS Config are logged by CloudTrail

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com"
]
},
"Action": "s3:ListBucket"
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
}
]
}

Relevanter Inhalt

S3 HeadBucket AccessDenied Events from AWS Config are logged by CloudTrail

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSConfigBucketPermissionsCheck", "Effect": "Allow", "Principal": { "Service": [ "config.amazonaws.com" ] }, "Action": "s3:ListBucket" "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME" } ] }

Relevanter Inhalt

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com"
]
},
"Action": "s3:ListBucket"
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
}
]
}