Finding Requester IP Addresses for Unauthorized S3 Access
Question
Your organization has an S3 bucket that stores confidential information.
Access is granted to certain programmatic IAM users and restricted these IAM users' requests to be originated from within your organization's IP address range.
However, your organization suspects there might be requests from other IP addresses to S3 buckets to download certain objects.
How would you troubleshoot to find out the requester IP address? (choose 2 options)
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: B, C.
Server access logging provides detailed records for the requests that are made to a bucket.
Server access logs are useful for many applications.
For example, access log information can be useful in security and access audits.
For details on how to enable logging for S3, refer to documentation here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html#server-access-logging-overviewFor information about the format of the log file, refer to documentation here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.htmlFor option A, S3 is a managed service and not part of VPC.
So enabling VPC flow logs does not report traffic sent to the S3 bucket.
Option B is correct.
Option C is correct.
Using the information collected by CloudTrail, you can determine what request was made to Amazon S3, the source IP address from which the request was made, who made the request, when it was made, and so on.
This information helps you to track changes made to your AWS resources and to troubleshoot operational issues.
For detailed information about how S3 requests are tracked using CloudTrail, refer to documentation here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html#cloudtrail-logging-For option D, although CloudWatch has metrics for S3 requests, this does not provide detailed information about each request.
It generates metrics for the number of requests sent for each type.
For more information about S3 CloudWatch request metrics, refer to documentation here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudwatch-monitoring.html#s3-request-cloudwatch-metrics
To troubleshoot and find out the requester IP address that might be accessing your S3 bucket from outside your organization's IP address range, the following two options can be used:
Enable VPC flow logs in the region where S3 bucket exists: VPC flow logs capture information about the IP traffic going to and from network interfaces in your VPC. By enabling VPC flow logs, you can collect and analyze traffic data to identify the source and destination of traffic to your S3 bucket. VPC flow logs record information such as source and destination IP addresses, ports, protocol, and packets sent and received. You can then use this information to identify the IP addresses that are making requests to your S3 bucket and take appropriate actions such as blocking access to those IP addresses.
Enable server access logging: Server access logging is a feature of S3 that captures detailed information about every request made to your S3 bucket. By enabling server access logging, you can track requests to your S3 bucket and identify the requester IP address. Server access logs provide information such as the requester's IP address, time of the request, request type, HTTP status code, and more. With this information, you can identify requests that are originating from outside your organization's IP address range and take appropriate actions such as blocking access to those IP addresses.
Therefore, options A and B are the correct options to troubleshoot and find out the requester IP address that might be accessing your S3 bucket from outside your organization's IP address range.