By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

S3 HeadBucket AccessDenied Events from AWS Config are logged by CloudTrail

0

We are receiving some events in Cloudtrail every day that AWS Config cannot execute the HeadBucket-Event to its S3 bucket. See Cloudtrail event below.
AWS Config has full access to that S3 bucket and events are logged fine.

How can we avoid this event in Cloudtrail? Or maybe this is a bug in AWS?

"eventVersion": "1.05",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "config.amazonaws.com"
    },
    "eventTime": "2019-06-28T07:04:33Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "HeadBucket",
    "awsRegion": "eu-central-1",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "Access Denied",
    "requestParameters": {
        "bucketName": "o-op-c3s-config-XXXXXXX",
        "Host": "o-op-c3s-config-XXXXXXX.s3.eu-central-1.amazonaws.com"
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-SHA",
        "bytesTransferredIn": 0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "XXXXXXXX",
        "bytesTransferredOut": 243
    },
    "requestID": "7F64F2B43ECBAF50",
    "eventID": "d73d8811-7ef7-49fd-8ee7-fc132478ed2e",
    "readOnly": true,
    "resources": [
        {
            "type": "AWS::S3::Object",
            "ARNPrefix": "arn:aws:s3:::o-op-c3s-config-XXXXXXX/"
        },
        {
            "accountId": "XXXXXXX",
            "type": "AWS::S3::Bucket",
            "ARN": "arn:aws:s3:::o-op-c3s-config-XXXXX"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "XXXXXXX",
    "sharedEventID": "24fbb551-99e9-41f7-96ef-f1ca01769e9f",
    "vpcEndpointId": "vpce-XXXXXX"
}
Topics
Management & Governance
Tags
AWS Config
Language
English
THeyer
asked 5 years ago2426 views
4 Answers
0

Thanks for bringing this issue to our attention. We apologize for any inconvenience this has caused. We can confirm that AWS Config is delivering recorded data to your configured S3 bucket correctly. The AccessDenied error logs for HeadBucket API calls you are seeing in CloudTrail is a side effect of a check we introduced last week. We are making a HeadBucket API call to check for the existence of the S3 bucket and determine the region in which the S3 bucket is located before delivering the data. This was added so that data can be delivered efficiently to S3 buckets located in regions different from where Config data was recorded. You can update your S3 bucket policy to include s3:ListBucket permissions for config.amazonaws.com to stop the AccessDenied events from getting logged in your CloudTrail logs.

Here is a sample S3 bucket policy

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSConfigBucketPermissionsCheck",
"Effect": "Allow",
"Principal": {
"Service": [
"config.amazonaws.com"
]
},
"Action": "s3:ListBucket"
"Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
}
]
}

[1] S3 Head Bucket API reference https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketHEAD.html

AWS
SUPPORT ENGINEER
Sameeksha_G
answered 5 years ago
0

Thanks, been seeing this in my cloudtrail as well. There's a typo in the policy, add a comma after Action line:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSConfigBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "config.amazonaws.com"
                ]
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3::: YOUR_BUCKET_NAME"
        }
    ]
}
jarrettj
answered 5 years ago
0

Hi,

I am getting this error in my Cloudtrail logs every few minutes. I have tried adding this policy to the S3 Bucket policy directly but doesn't seem to fix the issue.

This error triggers my unauthorized api call metric alarm

Any help would be appreciated.

Radweb-AWS
answered 4 years ago
0

Looking at my Source IP in the error it displays as "AWS Internal" which I cannot add as the service name and errors on saving.

Radweb-AWS
answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content