Who turned on public access to my Amazon S3 bucket?


How can I find out which user turned on public access to an Amazon Simple Storage Service (Amazon S3) bucket?

Resolution

Review the AWS CloudTrail event history to see which user updated either the bucket access control list (ACL) or the bucket policy to allow public access.

Note: CloudTrail event history covers only the last 90 days. If the event occurred more than 90 days ago, you must query and analyze the CloudTrail log files that your trail delivered to its S3 bucket.

CloudTrail console

Follow these steps to find the user by using the CloudTrail console:

  1. Open the CloudTrail console.
  2. From the Region selector in the navigation bar, select the AWS Region that your bucket is in.
  3. From the navigation pane, choose Event history.
  4. For Lookup attribute, select the filter that you want to use to find the event that granted public access to your bucket:
    To filter events by your bucket's name, select Resource name, and then enter your bucket's name.
    To filter events by changes to a bucket ACL, select Event name, and then enter "PutBucketAcl".
    To filter events by changes to a bucket policy, select Event name, and then enter "PutBucketPolicy".
  5. After you find the event that granted public access to your bucket, review the event's User name column. Then, expand the event item and choose View event to see more details, such as the user's Amazon Resource Name (ARN).

AWS Command Line Interface (AWS CLI)

Run this command to list CloudTrail events associated with your bucket (using your bucket's name):

aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=example-bucket-name --region example-region

Run this command to list events that are changes to a bucket ACL:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketAcl --region example-region

Run this command to list events that are changes to a bucket policy:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketPolicy --region example-region
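The console and CLI lookups above return every PutBucketAcl or PutBucketPolicy call, including harmless ones. The following added example (not part of the AWS article) narrows them to the calls that actually opened a bucket to the public and reports who made each one. It runs over constructed sample records; the field names it reads (bucketName, x-amz-acl, AccessControlPolicy, bucketPolicy, userIdentity.arn) are assumptions about the CloudTrail record layout.

```python
import json

# Constructed sample records in CloudTrail record layout (field names are assumptions).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-bucket-name", "x-amz-acl": ["public-read"]}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"},
     "requestParameters": {"bucketName": "example-bucket-name", "bucketPolicy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::example-bucket-name/*"}]}}},
    {"eventTime": "2024-05-01T12:00:00Z", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "example-bucket-name", "x-amz-acl": ["private"]}},
]
PUBLIC_ACLS = {"public-read", "public-read-write"}
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def as_list(x):
    return x if isinstance(x, list) else [x]  # single values are not always wrapped in a list

def acl_grants_public(params):
    """PutBucketAcl with a public canned ACL or an AllUsers/AuthenticatedUsers grant."""
    if set(as_list(params.get("x-amz-acl", []))) & PUBLIC_ACLS:
        return True
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in as_list(grants))

def policy_grants_public(params):
    """PutBucketPolicy containing an unconditional Allow to Principal '*'."""
    policy = params.get("bucketPolicy", {})
    policy = json.loads(policy) if isinstance(policy, str) else policy  # tolerate a JSON string
    for s in as_list(policy.get("Statement", [])):
        p = s.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if s.get("Effect") == "Allow" and anyone and "Condition" not in s:
            return True
    return False

def public_access_events(records, bucket):
    """(eventTime, eventName, caller ARN) for every event that opened `bucket` to the public."""
    hits = []
    for r in records:
        p = r.get("requestParameters") or {}
        if p.get("bucketName") != bucket:
            continue
        if (r["eventName"] == "PutBucketAcl" and acl_grants_public(p)) or \
           (r["eventName"] == "PutBucketPolicy" and policy_grants_public(p)):
            hits.append((r["eventTime"], r["eventName"], r["userIdentity"]["arn"]))
    return hits
```

To run it against real output from `aws cloudtrail lookup-events`, build the record list with `json.loads(e["CloudTrailEvent"])` for each entry under `Events`, since the CLI returns each record as a JSON string.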

Related information

Viewing events with CloudTrail Event history

CloudTrail record contents

lookup-events

AWS OFFICIAL
Updated a year ago