"Access Denied" not showing on CloudTrail

2

Our **CloudTrail** is enabled for all Management Events. We are trying to upload to an S3 bucket with only read-only **permission**; at the application level we get an "Access Denied" error. We do not see this event in CloudTrail. (We do see lots of other events, but we do not see any permission-error events from API calls.)

3 Answers
6

AWS Management Events in CloudTrail will not record object-level requests. If you want to record them, you must configure a separate trail (according to AWS best practices) for CloudTrail data events to get information about bucket-level and object-level requests in Amazon S3.

This link will help you understand how it works and how to properly configure CloudTrail data events - https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html

c3nIvo
answered 2 years ago
  • I opened both Management & Data events in CloudTrail for all regions. I have no filter on the events. I see only GetBucketAcl and ListBuckets via API, but I do not see the following events:

    1. Failure to upload to the S3 bucket due to Access Denied permission errors
    2. Successful upload to S3

    What should I do in order to see all S3 events?
  • Is the CloudTrail configured to record data events for the bucket that you are testing with?

    The event that you are looking for contains the following information:

    'eventName': 'PutObject', 'errorCode': 'AccessDenied', 'errorMessage': 'Access Denied'

  • I still don't see the access denied error getting recorded in CloudTrail. I have enabled the Data events, a different trail, and the other settings mentioned here. I have an IAM user (with S3 read only) and I have tried to copy a file to an S3 bucket using the AWS CLI (aws s3 cp ...), and I got the access denied error response from the CLI, but I don't see the error recorded in CloudTrail. Could someone please provide the exact steps to generate the "Access denied" and have it captured by CloudTrail? Thanks in advance.

    AWS_ACCESS_KEY_ID=... AWS_SECRET_ACCESS_KEY=../a4D aws s3 cp /Users/nemo/Downloads/config1.json s3://test-bucket/
    upload failed: ../../../config1.json to s3://test-bucket/config1.json An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

0

Hi! Along with what others have answered: events are mostly categorized into 3 categories: Management Events, Data Events, and Insight Events.

What you'll typically see in AWS CloudTrail are Management Events. For example, S3 CreateBucket, S3 ListBuckets, S3 GetBucketAcl.

Data Events can be configured for S3 via: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html. Keep in mind these will be slightly different from how you may expect events to look: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-examples You may also need to create a different trail: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html

Data Events can get pricey to log, so some strategies are:

  • Enable Data Events where it's important to grab data-level events (sensitive data, other use cases, security).
  • For troubleshooting, turn data events on while you investigate and off when done.

Another tip: Categories/Filters can be shown/hidden in CloudTrail to show/hide columns in console.

jsonc
answered 2 years ago
  • Hi, I still do not see any PutObject success / GetObject success / PutObject failure with access denied. I read all the docs, I enabled all event types and added the appropriate filter - I tried everything but still do not see these events. I do see GetBucketList and IsBucketExist events. I need support from AWS. Thanks
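An added example, not code from any of the posts above: it covers the two things the first two answers ask the poster to check. The first is whether the trail actually has an object-level selector for the bucket under test (the `advanced_event_selector` helper builds the JSON that `aws cloudtrail put-event-selectors --advanced-event-selectors` accepts, scoped to one bucket as jsonc suggests to limit cost). The second is what the wanted record looks like once data events are on: `s3_access_denied` scans a CloudTrail log file (gzipped JSON with a top-level `Records` array, the delivery format) for S3 data events with `eventName` `PutObject` and `errorCode` `AccessDenied`, the pattern quoted in the comment under the first answer. The sample records are constructed to mirror the shape of real CloudTrail records; the bucket and key are taken from the asker's `aws s3 cp` command, while the account id, user name and timestamps are made up.

```python
"""Find S3 AccessDenied data events in CloudTrail log files, and build the
advanced event selector a trail needs in order to record them at all.
Added example, not code from the thread. SAMPLE_RECORDS are constructed to
mirror the shape of real CloudTrail records; the bucket name comes from the
asker's CLI command, everything else (account id, user, times) is made up."""
import gzip
import json
from typing import Iterable, Iterator

S3 = "s3.amazonaws.com"


def advanced_event_selector(bucket: str, name: str = "s3-object-events") -> dict:
    """Selector that records every object-level S3 call on one bucket, failed
    calls included. Apply it to an existing trail with:
      aws cloudtrail put-event-selectors --trail-name <trail> \\
          --advanced-event-selectors file://selector.json
    Scoping to one bucket keeps data-event volume (and cost) down."""
    return {
        "Name": name,
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "resources.ARN", "StartsWith": [f"arn:aws:s3:::{bucket}/"]},
        ],
    }


def iter_records(log_file: bytes) -> Iterator[dict]:
    """CloudTrail delivers gzip-compressed JSON with a top-level 'Records'
    array; accept either the gzipped file or its decompressed bytes."""
    if log_file[:2] == b"\x1f\x8b":
        log_file = gzip.decompress(log_file)
    yield from json.loads(log_file)["Records"]


def s3_access_denied(records: Iterable[dict]) -> list:
    """Return S3 data events (object-level calls) that failed with AccessDenied.
    Management events such as ListBuckets and GetBucketAcl are skipped: they
    are what the asker already sees, and a PutObject never appears there."""
    hits = []
    for r in records:
        if r.get("eventSource") != S3:
            continue
        if r.get("managementEvent", True):  # keep data events only
            continue
        if r.get("errorCode") != "AccessDenied":
            continue
        params = r.get("requestParameters") or {}
        hits.append({
            "time": r.get("eventTime"),
            "event": r.get("eventName"),
            "principal": (r.get("userIdentity") or {}).get("arn"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "message": r.get("errorMessage"),
        })
    return hits


USER = "arn:aws:iam::123456789012:user/reader"  # constructed principal
SAMPLE_RECORDS = [
    {   # management event: what the default trail already shows
        "eventTime": "2023-05-01T10:00:00Z", "eventSource": S3,
        "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "arn": USER},
        "readOnly": True, "managementEvent": True, "eventCategory": "Management",
    },
    {   # data event: the denied upload from the asker's aws s3 cp (constructed)
        "eventTime": "2023-05-01T10:00:05Z", "eventSource": S3,
        "eventName": "PutObject", "userIdentity": {"type": "IAMUser", "arn": USER},
        "errorCode": "AccessDenied", "errorMessage": "Access Denied",
        "readOnly": False, "managementEvent": False, "eventCategory": "Data",
        "requestParameters": {"bucketName": "test-bucket", "key": "config1.json"},
        "resources": [
            {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::test-bucket/config1.json"},
            {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::test-bucket"},
        ],
    },
    {   # data event: a read the same read-only user is allowed to make
        "eventTime": "2023-05-01T10:00:09Z", "eventSource": S3,
        "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "arn": USER},
        "readOnly": True, "managementEvent": False, "eventCategory": "Data",
        "requestParameters": {"bucketName": "test-bucket", "key": "config1.json"},
    },
]


def demo() -> list:
    """Round-trip the sample through the gzipped delivery format, then filter."""
    blob = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())
    return s3_access_denied(iter_records(blob))


if __name__ == "__main__":
    print(json.dumps(advanced_event_selector("test-bucket"), indent=2))
    for hit in demo():
        print(json.dumps(hit))
```

Two checks worth doing before concluding that CloudTrail is dropping the event: confirm with `aws cloudtrail get-event-selectors --trail-name <trail>` that a selector like the one above is attached to the trail that delivers to the log bucket you are reading, and remember that data events are not visible in the console's Event history, only in the delivered log files (or a CloudWatch Logs destination), which is why a filter that only shows management events will never show the PutObject record.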

-1

I am pretty sure that you won't find a Data Event (aka an object-level call via a CloudTrail Event) for Access Denied. The object-level events are limited to things like PutObject, DeleteObject, several related to Multipart Upload and some related to tagging. There are others, too, but none are about Access Denied.

The AccessDeniedException you are looking for is really an STS common error. https://docs.aws.amazon.com/STS/latest/APIReference/CommonErrors.html

If you check this link, you will see an error code of 400 and an error message of "You do not have sufficient access to perform this action" for this error. And, since this error message comes from STS, or Security Token Service, you should be looking for events with the following criteria:

detail.eventSource = sts.amazonaws.com

detail.errorCode = 400

detail.errorMessage starts with "You do not have sufficient access"

Note: I have not actually set up this particular scenario so I cannot say for sure that these values are exactly correct but you can try it out yourself to see what is in the Event JSON. Usually, when learning what is in any given Event JSON, I set up an EventBridge Rule with a Lambda Function handler. The Lambda Function doesn't do anything except write the entire event to the context logger. Then when I look at the Monitor > Logs in the Lambda Function after the Event has happened, I can see the full JSON payload. If you do the same, you will probably learn exactly what you need to look for.

I am curious at this point and might just set it up to see what happens. If I do, I will post my results here.

TheSpunicorn

answered 2 years ago
  • Now I'm not so sure I am confident in my answer. As I think about it more, I'm thinking that the Event in question is GetObject with a source of aws.s3 (or eventSource of s3.amazonaws.com). With that GetObject Event, there would probably be an errorCode of 400 or 4xx and probably an error message about not having access.

    My suggestion about having an EventBridge Rule is probably bad because Events whose names start with 'Get' are not processed by EventBridge.

    I might look a little further into what I can find for CloudTrail logging 'GetObject' from S3, as I think ultimately you are looking for errors that have happened when someone is doing 'GetObject' on an object for which they do not have access.

    TheSpunicorn

  • After a little digging, I found that you might be able to query your CloudTrail logs using Athena and look for GetObject requests. If you did that, you could refine the query so that it finds GetObject requests that had an error. I have not done much with Athena yet so I probably wouldn't have time to set all of this up to try it for you. But you can look in the doc here to see about the query you would need. There are some query examples in this document:

    https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-request-identification.html#ct-examples-identify-object-access-requests

    TheSpunicorn
