AWS S3 Bucket Security: Troubleshooting Requester IP Addresses

Finding Requester IP Addresses for Unauthorized S3 Access


Question

Your organization has an S3 bucket that stores confidential information.

Access is granted to certain programmatic IAM users, and these IAM users' requests are restricted to originate from within your organization's IP address range.

However, your organization suspects there might be requests from other IP addresses to S3 buckets to download certain objects.

How would you troubleshoot to find out the requester IP address? (choose 2 options)

Answers

Explanations


Answer: B, C.

Server access logging provides detailed records for the requests that are made to a bucket.

Server access logs are useful for many applications.

For example, access log information can be useful in security and access audits.

For details on how to enable logging for S3, refer to documentation here.

https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html#server-access-logging-overview

For information about the format of the log file, refer to documentation here.

https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html
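Once server access logging is enabled, the troubleshooting step the question asks for is to read the remote IP field of each log line and compare it with the organization's address range. The following added example (not code from the page or from AWS) parses the leading fields of the S3 server access log format documented above and reports object downloads whose remote IP falls outside an allowed CIDR list; the bucket name, owner and request IDs in the sample lines are constructed, and 203.0.113.0/24 stands in for the organization's range.

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# Leading fields of an S3 server access log line (see LogFormat.html): bucket owner,
# bucket, [time], remote IP, requester, request ID, operation, key, "request-URI",
# HTTP status, error code. Later fields (bytes, referrer, user agent, ...) are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+) (?P<error>\S+)'
)

def parse_line(line: str) -> Optional[dict]:
    """Return the captured fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def downloads_outside_range(lines: Iterable[str], allowed_cidrs: Iterable[str]) -> List[dict]:
    """Return REST.GET.OBJECT requests whose remote IP is in none of the allowed CIDRs."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["operation"] != "REST.GET.OBJECT":
            continue  # unparsable line or not an object download
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:  # remote IP logged as "-" or malformed: keep it visible
            findings.append({**rec, "reason": "unparsable remote IP"})
            continue
        if not any(addr in net for net in networks):
            findings.append({**rec, "reason": "remote IP outside allowed range"})
    return findings

# Constructed sample lines (fake owner/bucket/request IDs, documentation IP ranges).
SAMPLE_LINES = [
    'OWNERID0000 confidential-bucket [06/Feb/2019:00:00:38 +0000] 203.0.113.10 AIDAEXAMPLEUSER1 '
    'REQID0001 REST.GET.OBJECT secret/report.pdf "GET /confidential-bucket/secret/report.pdf HTTP/1.1" '
    '200 - 113 113 7 6 "-" "aws-cli/2.0" -',
    'OWNERID0000 confidential-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 AIDAEXAMPLEUSER1 '
    'REQID0002 REST.GET.OBJECT secret/report.pdf "GET /confidential-bucket/secret/report.pdf HTTP/1.1" '
    '200 - 113 113 9 8 "-" "python-requests/2.25" -',
    'OWNERID0000 confidential-bucket [06/Feb/2019:00:01:30 +0000] 192.0.2.3 AIDAEXAMPLEUSER1 '
    'REQID0003 REST.GET.VERSIONING - "GET /confidential-bucket?versioning HTTP/1.1" 200 - 113 - 7 - '
    '"-" "S3Console/0.4" -',
]

if __name__ == "__main__":
    for f in downloads_outside_range(SAMPLE_LINES, ["203.0.113.0/24"]):
        print(f["time"], f["ip"], f["requester"], f["key"], f["reason"])
```

The requester field (an IAM user or role ID) together with the remote IP tells you which principal's credentials were used from outside the range, which is the starting point for revoking or rotating them.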

For option A, S3 is a managed service and is not part of a VPC, so enabling VPC flow logs does not report traffic sent to the S3 bucket.

Option B is correct.

Option C is correct.

Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request, when it was made, and so on.

This information helps you to track changes made to your AWS resources and to troubleshoot operational issues.

For detailed information about how S3 requests are tracked using CloudTrail, refer to documentation here.

https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html#cloudtrail-logging-

For option D, although CloudWatch has metrics for S3 requests, this does not provide detailed information about each request.

It generates metrics for the number of requests sent for each type.

For more information about S3 CloudWatch request metrics, refer to documentation here.

https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudwatch-monitoring.html#s3-request-cloudwatch-metrics

Amazon S3 Object-Level Actions Tracked by CloudTrail Logging

You can also get CloudTrail logs for object-level Amazon S3 actions. To do this, specify the Amazon S3 object for your trail. When an object-level action occurs in your account, CloudTrail evaluates your trail settings. If the event matches the object that you specified in a trail, the event is logged. For more information, see Data Events in the AWS CloudTrail User Guide. The following table lists the object-level actions that CloudTrail can log:

To troubleshoot and find out the requester IP address that might be accessing your S3 bucket from outside your organization's IP address range, the following two options can be used:

  1. Enable VPC flow logs in the region where the S3 bucket exists: VPC flow logs capture information about the IP traffic going to and from network interfaces in your VPC. By enabling VPC flow logs, you can collect and analyze traffic data to identify the source and destination of traffic to your S3 bucket. VPC flow logs record information such as source and destination IP addresses, ports, protocol, and packets sent and received. You can then use this information to identify the IP addresses that are making requests to your S3 bucket and take appropriate actions such as blocking access to those IP addresses.

  2. Enable server access logging: Server access logging is a feature of S3 that captures detailed information about every request made to your S3 bucket. By enabling server access logging, you can track requests to your S3 bucket and identify the requester IP address. Server access logs provide information such as the requester's IP address, time of the request, request type, HTTP status code, and more. With this information, you can identify requests that are originating from outside your organization's IP address range and take appropriate actions such as blocking access to those IP addresses.

Therefore, options A and B are the correct options to troubleshoot and find out the requester IP address that might be accessing your S3 bucket from outside your organization's IP address range.