"Access Denied" not showing on CloudTrail

2

Our **CloudTrail** is enabled for all Management Events. We are trying to upload to an S3 bucket with only read-only **permission**; at the application level we get an "Access Denied" error. We do not see this event in CloudTrail. (We do see lots of other events, but we do not see any permission-error events from API calls.)

3 Answers
6

AWS CloudTrail management events will not record object-level requests. If you want to record them, you must configure a separate trail (according to AWS best practices) for CloudTrail data events to get information about bucket- and object-level requests in Amazon S3.

This link will help you understand how it works and how to properly configure CloudTrail data events: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html

c3nIvo
answered 2 years ago
  • I enabled both Management & Data events in CloudTrail for all regions. I have no filter on the events. I see only GetBucketAcl and ListBuckets via API, but I do not see the following events:

    1. Failure to upload to the S3 bucket due to Access Denied permission errors
    2. Successful upload to S3

    What should I do in order to see all S3 events?
  • Is the CloudTrail configured to record data events for the bucket that you are testing with?

    The event that you are looking for contains the following information:

    'eventName': 'PutObject', 'errorCode': 'AccessDenied', 'errorMessage': 'Access Denied'
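To make the distinction in this answer concrete, here is an added Python example (not from the original post, and not AWS code) that parses a CloudTrail log file as it is delivered to S3 (gzip-compressed JSON with a top-level `Records` array), separates management events from S3 data events, and pulls out the denied `PutObject`. The records, account ID, principal, bucket and key are constructed for the example; the field names (`eventCategory`, `managementEvent`, `readOnly`, `errorCode`, `errorMessage`, `resources`) are the ones CloudTrail records use. The `management_only` view reproduces what the asker sees: the denied upload is a data event, so a management-events-only trail never delivers it.

```python
import gzip
import io
import json

ACCOUNT = "111122223333"                              # constructed account ID
UPLOADER = f"arn:aws:iam::{ACCOUNT}:user/uploader"    # constructed read-only principal


def _record(event_name, category, **extra):
    """Build one CloudTrail record with the fields shared by every S3 event."""
    rec = {
        "eventVersion": "1.08",
        "eventTime": "2023-03-01T10:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "eventCategory": category,                     # "Management" or "Data"
        "managementEvent": category == "Management",
        "userIdentity": {"type": "IAMUser", "arn": UPLOADER},
    }
    rec.update(extra)
    return rec


OBJECT_RESOURCES = [
    {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/reports/q1.csv"},
    {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-bucket"},
]

# Constructed sample log: two bucket-level (management) calls and two
# object-level (data) calls by the same read-only user. Only a trail that
# logs S3 data events for example-bucket delivers the last two records.
SAMPLE_RECORDS = [
    _record("ListBuckets", "Management", readOnly=True),
    _record("GetBucketAcl", "Management", readOnly=True,
            requestParameters={"bucketName": "example-bucket"}),
    _record("PutObject", "Data", readOnly=False,
            errorCode="AccessDenied", errorMessage="Access Denied",
            requestParameters={"bucketName": "example-bucket", "key": "reports/q1.csv"},
            resources=OBJECT_RESOURCES),
    _record("GetObject", "Data", readOnly=True,        # read succeeds for a read-only user
            requestParameters={"bucketName": "example-bucket", "key": "reports/q1.csv"},
            resources=OBJECT_RESOURCES),
]


def sample_log_file() -> bytes:
    """Serialize the sample the way CloudTrail delivers it: gzip-compressed JSON."""
    return gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())


def load_records(gz_bytes: bytes) -> list:
    """Parse one CloudTrail log file object into its list of records."""
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        return json.load(fh)["Records"]


def management_only(records):
    """What a trail configured for management events only would have delivered."""
    return [r for r in records if r.get("eventCategory") == "Management"]


def is_s3_data_event(rec) -> bool:
    return (rec.get("eventSource") == "s3.amazonaws.com"
            and rec.get("eventCategory") == "Data")


def denied_s3_requests(records):
    """(eventName, principal ARN, bucket, key) for every S3 data event that
    failed with AccessDenied; errorCode/errorMessage are the fields to filter on."""
    hits = []
    for r in records:
        if is_s3_data_event(r) and r.get("errorCode") == "AccessDenied":
            params = r.get("requestParameters", {})
            hits.append((r["eventName"], r["userIdentity"]["arn"],
                         params.get("bucketName"), params.get("key")))
    return hits


if __name__ == "__main__":
    records = load_records(sample_log_file())
    print("management-only view:", [r["eventName"] for r in management_only(records)])
    print("denied S3 requests:   ", denied_s3_requests(records))
```

Point `load_records` at a real object downloaded from the trail's log bucket (the `AWSLogs/<account>/CloudTrail/<region>/.../*.json.gz` keys) and the same filter works unchanged; `errorCode` is absent on successful calls, which is why the successful `GetObject` is not reported.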

0

Hi! Along with what others have answered: events are mostly categorized into three categories: Management Events, Data Events, and Insight Events.

What you'll typically see in AWS CloudTrail are Management Events. For example, S3 CreateBucket, S3 ListBuckets, S3 GetBucketAcl.

Data Events can be configured for S3 via: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html. Keep in mind these will look slightly different from how you may expect events to look: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-examples You may also need to create a different trail: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html

Data Events can get pricey to log, so some strategies are:

  • Enable Data Events where it's important to grab data-level events (sensitive data, other use cases, security).
  • For troubleshooting, turn data events on while investigating and off when done.

Another tip: categories/filters can be shown/hidden in the CloudTrail console to show/hide columns.

jsonc
answered 2 years ago
  • Hi, I still do not see any PutObject success / GetObject success / PutObject failure with access denied. I read all the docs, enabled all event types and added the appropriate filter; I tried everything but still do not see these events. I do see GetBucketList and IsBucketExist events. I need support from AWS. Thanks
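The configuration step this answer points at, as an added Python example (not from the original post, and not AWS code): it builds the advanced event selectors that add S3 object-level data events for one bucket while keeping management events, emits the `aws cloudtrail put-event-selectors` command that applies them, and includes a small local model of selector matching so you can see why a denied `PutObject` against a bucket the selector does not cover still never shows up. The trail name `my-trail`, the bucket names and the three records are constructed; the matcher supports only `Equals`, `StartsWith` and `EndsWith` and is a simplification written for this example, not CloudTrail's own engine.

```python
import json

MANAGEMENT_SELECTOR = {
    "Name": "Management events",
    "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}],
}


def s3_data_event_selectors(bucket: str, writes_only: bool = False) -> list:
    """Advanced event selectors that keep management events and add S3 object-level
    (data) events for one bucket. PutEventSelectors replaces the trail's whole
    selector list, so the management selector must be sent along or the trail
    stops recording ListBuckets, GetBucketAcl and every other management event."""
    fields = [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        # trailing "/" scopes this to objects in the bucket, not the bucket ARN itself
        {"Field": "resources.ARN", "StartsWith": [f"arn:aws:s3:::{bucket}/"]},
    ]
    if writes_only:  # drop GetObject/HeadObject to cut volume; PutObject has readOnly=false
        fields.append({"Field": "readOnly", "Equals": ["false"]})
    return [MANAGEMENT_SELECTOR,
            {"Name": f"S3 object events for {bucket}", "FieldSelectors": fields}]


def cli_command(trail_name: str, selectors: list) -> str:
    """The aws CLI call that applies the selectors to an existing trail."""
    return ("aws cloudtrail put-event-selectors --trail-name " + trail_name +
            " --advanced-event-selectors '" + json.dumps(selectors) + "'")


# --- simplified local model of selector matching (example only) ---

def _values(record: dict, field: str) -> list:
    """All values a record carries for a selector field (resources.* can have several)."""
    if field.startswith("resources."):
        key = field.split(".", 1)[1]                  # "type" or "ARN"
        return [r.get(key) for r in record.get("resources", []) if r.get(key)]
    if field == "readOnly":
        return [str(record.get("readOnly", "")).lower()]
    return [str(record.get(field, ""))]


_OPS = {
    "Equals": lambda value, pattern: value == pattern,
    "StartsWith": lambda value, pattern: value.startswith(pattern),
    "EndsWith": lambda value, pattern: value.endswith(pattern),
}


def selector_matches(selector: dict, record: dict) -> bool:
    """Every FieldSelector must match at least one of the record's values for its field."""
    for fs in selector["FieldSelectors"]:
        values = _values(record, fs["Field"])
        matched = any(_OPS[op](v, p)
                      for op, patterns in fs.items() if op != "Field"
                      for v in values for p in patterns)
        if not matched:
            return False
    return True


def would_be_logged(selectors: list, record: dict) -> bool:
    return any(selector_matches(s, record) for s in selectors)


# Constructed records: the denied upload to the bucket under test, the same call
# against a bucket the selector does not cover, and a management event.
DENIED_PUT = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
    "eventCategory": "Data", "readOnly": False,
    "errorCode": "AccessDenied", "errorMessage": "Access Denied",
    "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/reports/q1.csv"},
                  {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-bucket"}],
}
OTHER_BUCKET_PUT = dict(DENIED_PUT, resources=[
    {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::other-bucket/x.bin"}])
LIST_BUCKETS = {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
                "eventCategory": "Management", "readOnly": True}


if __name__ == "__main__":
    selectors = s3_data_event_selectors("example-bucket")
    print(cli_command("my-trail", selectors))
    for label, rec in [("denied PutObject", DENIED_PUT),
                       ("other bucket", OTHER_BUCKET_PUT),
                       ("ListBuckets", LIST_BUCKETS)]:
        print(f"{label}: logged={would_be_logged(selectors, rec)}")
```

Before running the printed command against a real trail, dump the current selectors with `aws cloudtrail get-event-selectors --trail-name my-trail` and merge rather than overwrite them; the `writes_only` switch is the cheap troubleshooting mode this answer suggests, since it keeps the failed `PutObject` (readOnly false) while skipping the far more numerous reads.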

-1

I am pretty sure that you won't find a Data Event (aka an object-level call via CloudTrail Event) for Access Denied. The object-level events are limited to things like PutObject, DeleteObject, several related to Multipart Upload and some related to tagging. There are others, too, but none are about Access Denied.

The AccessDeniedException you are looking for is really an STS common error. https://docs.aws.amazon.com/STS/latest/APIReference/CommonErrors.html

If you check this link, you will see an error code of 400 and an error message of "You do not have sufficient access to perform this action" for this error. And, since this error message comes from STS (Security Token Service), you should be looking for events with the following criteria:

detail.eventSource = sts.amazonaws.com

detail.errorCode = 400

detail.errorMessage starts with "You do not have sufficient access"

Note: I have not actually set up this particular scenario, so I cannot say for sure that these values are exactly correct, but you can try it out yourself to see what is in the Event JSON. Usually, when learning what is in any given Event JSON, I set up an EventBridge Rule with a Lambda Function handler. The Lambda Function doesn't do anything except write the entire event to the context logger. Then, when I look at Monitor > Logs in the Lambda Function after the event has happened, I can see the full JSON payload. If you do the same, you will probably learn exactly what you need to look for.

I am curious at this point and might just set it up to see what happens. If I do, I will post my results here.

TheSpunicorn

answered 2 years ago
  • Now I'm not so sure I am confident in my answer. As I think about it more, I'm thinking that the Event in question is GetObject with a source of aws.s3 (or eventSource of s3.amazonaws.com). With that GetObject Event, there would probably be an errorCode of 400 or 4xx and probably an error message about not having access.

    My suggestion about having an EventBridge Rule is probably bad because Events whose names start with 'Get' are not processed by EventBridge.

    I might look a little further into what I can find for CloudTrail logging 'GetObject' from S3, as I think ultimately you are looking for errors that have happened when someone is doing 'GetObject' on an object for which they do not have access.

    TheSpunicorn

  • After a little digging, I found that you might be able to query your CloudTrail logs using Athena and look for GetObject requests. If you did that, you could refine the query so that it finds GetObject requests that had an error. I have not done much with Athena yet so I probably wouldn't have time to set all of this up to try it for you. But you can look in the doc here to see about the query you would need. There are some query examples in this document:

    https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-request-identification.html#ct-examples-identify-object-access-requests

    TheSpunicorn
