S3 requests that return Access Denied exceptions
Created On 09/26/18 13:45 PM - Last Modified 07/19/22 23:08 PM
Symptom
AWS CloudTrail logs contain AccessDenied events similar to the following:
{
  "eventVersion": "1.04",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AAAAAAAAAAAAAAAAAAAAA:esp",
    "arn": "arn:aws:sts::111111111111:assumed-role/Evident-Service-Role/esp",
    "accountId": "111111111111",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2017-05-14T23:45:08Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AAAAAAAAAAAAAAAAAAAAA:esp",
        "arn": "arn:aws:iam::111111111111:role/Evident-Service-Role",
        "accountId": "111111111111",
        "userName": "Evident-Service-Role"
      }
    }
  },
  "eventTime": "2017-05-15T00:01:44Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "GetBucketLocation",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.192.192.192",
  "userAgent": "",
  "errorCode": "AccessDenied",
  "errorMessage": "Access Denied",
  "requestParameters": {
    "bucketName": "fake-bucket",
    "location": [
      ""
    ]
  },
  "responseElements": null,
  "requestID": "1111111111111111",
  "eventID": "11111111-1111-1111-1111-111111111111",
  "eventType": "AwsApiCall",
  "recipientAccountId": "111111111111"
}
Other logs may also include similar AccessDenied messages/events.
Diagnosis
S3 Bucket Permission
For each bucket named in the AccessDenied events (the bucketName field in requestParameters), retrieve the bucket policy (aws s3api get-bucket-policy --bucket <name>) and look for a statement with "Effect": "Deny" that applies to Evident-Service-Role: one whose Principal is the role's ARN or "*", or a NotPrincipal that does not list the role. Pay particular attention to the Condition block on such statements; a Deny keyed on aws:SourceIp, aws:SourceVpce or aws:PrincipalAccount blocks every caller outside the allowed network or account, and the Evident role's calls arrive from outside your network.
CloudTrail with External S3 Bucket
Check whether any trail delivers logs to an S3 bucket owned by a different AWS account (for example, a central logging account). The target bucket is the S3BucketName in the trail's configuration (aws cloudtrail describe-trails); a role in this account has no grant on a bucket it does not own, so reads of that bucket's attributes return AccessDenied even though the trail itself is healthy.
Resolution
S3 Bucket Permission
Edit the affected bucket's policy so that Evident-Service-Role is allowed to read the bucket's attributes (at minimum s3:GetBucketLocation, the call shown in the event above). Remove or narrow the explicit Deny statement first: adding an Allow alongside an explicit Deny has no effect, because an explicit Deny always wins in IAM policy evaluation.
CloudTrail with External S3 Bucket
Reconfigure the trail to deliver to an S3 bucket in the same account. If the trail must keep writing to an external bucket (for example, an organization trail delivering to a central logging account), the owner of that bucket has to grant Evident-Service-Role the same read access in that bucket's policy instead.
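The following script works through both diagnosis steps and the bucket-policy fix offline. It is an added example, not code from this article, from Evident or from Palo Alto Networks; it assumes only the role name and account ID shown in the event above, and every CloudTrail record, bucket policy and trail entry in it is constructed sample data. Against a live account the same functions take the JSON returned by aws cloudtrail lookup-events, aws s3api get-bucket-policy, aws cloudtrail describe-trails and aws s3api list-buckets.

```python
"""Triage S3 AccessDenied events for the Evident service role (offline sample).

Added example; not code from the KB article, Evident or Palo Alto Networks.
Assumes the role name and account ID shown in the article; every record,
policy and trail below is constructed sample data.
"""
import json

ROLE_NAME = "Evident-Service-Role"                        # from the article
ROLE_ARN = f"arn:aws:iam::111111111111:role/{ROLE_NAME}"  # from the article


def _rec(api, bucket, issuer=ROLE_NAME, denied=True):
    """Minimal CloudTrail record (constructed sample data)."""
    r = {"userIdentity": {"type": "AssumedRole",
                          "sessionContext": {"sessionIssuer": {"userName": issuer}}},
         "eventSource": "s3.amazonaws.com", "eventName": api,
         "requestParameters": {"bucketName": bucket}}
    if denied:
        r["errorCode"] = "AccessDenied"
    return r


SAMPLE_RECORDS = [
    _rec("GetBucketLocation", "fake-bucket"),                           # the article's event
    _rec("GetBucketAcl", "fake-bucket"),                                # same bucket, other API
    _rec("GetBucketLocation", "other-bucket", issuer="SomeOtherRole"),  # not our role
    _rec("GetBucketLocation", "healthy-bucket", denied=False),          # succeeded
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [      # constructed fake-bucket policy
    {"Sid": "DenyOutsideAccount", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::fake-bucket", "arn:aws:s3:::fake-bucket/*"],
     "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "111111111111"}}},
    {"Sid": "DenyEvident", "Effect": "Deny", "Principal": {"AWS": ROLE_ARN},
     "Action": "s3:GetBucketLocation", "Resource": "arn:aws:s3:::fake-bucket"},
    {"Sid": "AllowApp", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::fake-bucket/*"}]}
SAMPLE_TRAILS = [{"Name": "local-trail", "S3BucketName": "fake-bucket"},   # constructed
                 {"Name": "org-trail", "S3BucketName": "central-logs-bucket"}]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def issuer_role(record):
    """Role name behind an AssumedRole session; None for any other principal."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def denied_buckets(records, role=ROLE_NAME):
    """Map bucket name -> sorted S3 API names CloudTrail shows denied to `role`."""
    out = {}
    for r in records:
        if (r.get("eventSource") == "s3.amazonaws.com" and r.get("errorCode") == "AccessDenied"
                and issuer_role(r) == role and r.get("requestParameters", {}).get("bucketName")):
            out.setdefault(r["requestParameters"]["bucketName"], set()).add(r["eventName"])
    return {b: sorted(apis) for b, apis in out.items()}


def denying_statements(policy, role_arn):
    """Deny statements that can reach `role_arn` (Principal "*" or the role, or a
    NotPrincipal that omits it).  Conditions are flagged, not evaluated."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        if "Principal" in st:
            p = st["Principal"]
            aws = ["*"] if p == "*" else _as_list(p.get("AWS", []))
            applies = "*" in aws or role_arn in aws
        else:
            applies = "NotPrincipal" in st and role_arn not in _as_list(st["NotPrincipal"].get("AWS", []))
        if applies:
            hits.append(st)
    return hits


def trails_using_external_buckets(trails, local_bucket_names):
    """Trail names delivering to a bucket this account does not own."""
    local = set(local_bucket_names)
    return [t["Name"] for t in trails if t.get("S3BucketName") not in local]


def allow_statement(bucket, role_arn):
    """Bucket-policy statement granting the role bucket-metadata reads.  Only
    GetBucketLocation is evidenced by the article; the other actions are an
    assumption about what an S3 configuration scanner needs.  An Allow never
    beats an explicit Deny, so remove or narrow the Deny statements first."""
    return {"Sid": "AllowEvidentBucketMetadata", "Effect": "Allow",
            "Principal": {"AWS": role_arn}, "Resource": f"arn:aws:s3:::{bucket}",
            "Action": ["s3:GetBucketLocation", "s3:GetBucketAcl", "s3:GetBucketPolicy",
                       "s3:GetBucketLogging", "s3:GetBucketVersioning",
                       "s3:GetEncryptionConfiguration"]}


if __name__ == "__main__":
    print("denied per bucket:", denied_buckets(SAMPLE_RECORDS))
    for st in denying_statements(SAMPLE_POLICY, ROLE_ARN):       # fake-bucket's policy
        tag = " (conditional: check the condition keys)" if "Condition" in st else ""
        print(f"Deny {st['Sid']} can block {ROLE_NAME}{tag}")
    print("suggested Allow:", json.dumps(allow_statement("fake-bucket", ROLE_ARN)))
    print("trails on external buckets:",
          trails_using_external_buckets(SAMPLE_TRAILS, ["fake-bucket", "healthy-bucket"]))
```

Two design points. denying_statements deliberately reports a conditional Deny (such as the aws:PrincipalAccount one in the sample) rather than trying to evaluate it, because the condition keys depend on where the role's calls come from; a human has to decide whether the role is caught by it. The trail check compares bucket names against the buckets this account owns, which is exactly what the second diagnosis step asks: a trail whose bucket is not in aws s3api list-buckets is writing somewhere the local role has no grant.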