My team or other third parties upload files to my Amazon Simple Storage Service (Amazon S3) bucket. I want to know the external IP address used to upload these files because my bucket policy might allow access only for specific IP addresses.
Short description
To find the IP addresses for upload and download object-level requests to Amazon S3, you must first start one of the following logging methods:
- Amazon S3 server access logging captures all bucket-level and object-level events. These logs use a format similar to Apache web server logs.
- AWS CloudTrail data events provide information about the resource operations performed on or in a resource. For example, CloudTrail data event logs contain Amazon S3 object-level API activity on objects in S3 buckets, such as GetObject, DeleteObject, and PutObject API operations.
Resolution
Important: It's a best practice to create a new bucket specifically for logs that's separate from the bucket that you want to monitor. A separate bucket for logs avoids the risk of getting logs about logs.
Turn on Amazon S3 server access logging
To turn on Amazon S3 server access logging, see Enabling Amazon S3 server access logging.
Note: It might take a few hours before S3 creates the logs.
After you turn on server access logging, review the logs to find the IP addresses used with each upload to your bucket. For example, in the following log for a PutObject request, the IP address appears after the timestamp [07/Dec/2018:07:03:01 +0000]:
82a7646e61f102aa3e17exampleef08969060fa39927b8232b5a4166d279dcc7 exampleawsbucket [07/Dec/2018:07:03:01 +0000] 205.251.233.256 arn:aws:sts::111111111111:assumed-role/admin/myuser 07F2D340F08E7171 REST.PUT.OBJECT my_object.jpg "PUT /exampleawsbucket/my_object.jpg?X-Amz-Security-Token=AgoGb3JpZ2luEF.......woa2o4AU%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20181207T070301Z&X-Amz-SignedHeaders=content-md5%3Bcontent-type%3Bhost%3Bx-amz-acl%3Bx-amz-storage-class&X-Amz-Expires=300&X-Amz-Credential=ASIA5BQEXAMPLEGB3S7U%2F20181207%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Signature=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1" 200 - - 1347 29 11 "https://s3.console.aws.amazon.com/s3/buckets/exampleawsbucket/?region=us-west-2&tab=overview" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" -
Turn on object-level logging with AWS CloudTrail data events
To turn on AWS CloudTrail data events, see Enabling CloudTrail event logging for S3 buckets and objects.
Note: It might take a few hours before CloudTrail creates the logs.
After you turn on object-level logging with data events, review the logs to find the IP addresses used with each upload to your bucket. For example, in the following log for a PutObject request, the IP address is listed as the "sourceIPAddress":
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAI63YEXAMPLEAP4M5O:myuser",
    "arn": "arn:aws:sts::111111111111:assumed-role/admin/myuser",
    "accountId": "111111111111",
    "accessKeyId": "ASIA5BQEXAMPLEGB3S7U",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAI63YEXAMPLEAP4M5O",
        "arn": "arn:aws:iam::111111111111:role/admin",
        "accountId": "111111111111",
        "userName": "admin"
      },
      "attributes": {
        "creationDate": "2018-12-07T06:43:45Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2018-12-07T07:23:19Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "205.251.233.256",
  "userAgent": "[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36]",
  "requestParameters": {
    "X-Amz-Date": "20181207T072319Z",
    "bucketName": "exampleawsbucket",
    "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
    "x-amz-acl": "private",
    "X-Amz-SignedHeaders": "content-md5;content-type;host;x-amz-acl;x-amz-storage-class",
    "X-Amz-Expires": "300",
    "key": "my_object.jpg",
    "x-amz-storage-class": "STANDARD"
  },
  "responseElements": null,
  "additionalEventData": {
    "x-amz-id-2": "8KQRGXIqWzLGiCV67PY8CHyh81yPjaVu7nkq3gK4ZuMYXo1THZhmbu5J/ck+Di+VHIixb18hRoU="
  },
  "requestID": "9B9842C4FFAAA3E8",
  "eventID": "af0615fa-1d25-4e04-b280-b1e73b558aaa",
  "readOnly": false,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::exampleawsbucket/my_object.jpg"
    },
    {
      "accountId": "111111111111",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::exampleawsbucket"
    }
  ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111111111111"
}
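The following script pulls the source IP out of both record formats shown above (the server access log line and the CloudTrail data event) and checks it against the IP ranges a bucket policy would allow. It is an added example, not code from the article or from AWS; the log line, the CloudTrail record and the CIDR allow-list are constructed values, and the allow-list stands in for the aws:SourceIp condition in your own policy.

```python
import ipaddress
import json
import re

# Constructed sample records (not from the article): one S3 server access log
# line and one trimmed CloudTrail data event, both for a PutObject request.
ACCESS_LOG_LINE = (
    "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be "
    "examplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 "
    "arn:aws:iam::123456789012:user/uploader 3E57427F3EXAMPLE REST.PUT.OBJECT "
    'upload.csv "PUT /examplebucket/upload.csv HTTP/1.1" 200 - - 2048 30 9 '
    '"-" "aws-cli/2.0" -'
)
CLOUDTRAIL_RECORD = json.dumps({
    "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
    "sourceIPAddress": "198.51.100.7",
    "requestParameters": {"bucketName": "examplebucket", "key": "upload.csv"},
})
# Assumed allow-list: the aws:SourceIp ranges the bucket policy permits.
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "203.0.113.0/24")]

# A token is a bracketed timestamp, a double-quoted field or a bare word;
# plain str.split() would cut the timestamp and the quoted fields apart.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def parse_access_log(line):
    """Return (remote_ip, operation, key) from one server access log line."""
    f = _TOKEN.findall(line)
    # Fields: owner, bucket, [time], remote IP, requester, request ID, operation, key, ...
    return f[3], f[6], f[7]

def parse_cloudtrail(record_json):
    """Return (sourceIPAddress, eventName, key) from a CloudTrail data event."""
    r = json.loads(record_json)
    return r["sourceIPAddress"], r["eventName"], r["requestParameters"].get("key")

def classify_ip(ip_text):
    """'allowed', 'outside-allow-list', or 'unparseable' (CloudTrail can record
    'AWS Internal' here); a malformed value is never silently treated as allowed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    return "allowed" if any(ip in n for n in ALLOWED_CIDRS) else "outside-allow-list"

if __name__ == "__main__":
    for src, (ip, op, key) in (("access-log", parse_access_log(ACCESS_LOG_LINE)),
                               ("cloudtrail", parse_cloudtrail(CLOUDTRAIL_RECORD))):
        print(f"{src}: {op} {key} from {ip} -> {classify_ip(ip)}")
```

Run it over a whole log file by feeding each line to parse_access_log; any result other than "allowed" is an upload that your aws:SourceIp condition should not have let through and is worth investigating.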
Related information
Creating, configuring, and working with Amazon S3 buckets