How I can Log what and who can access and where my S3 bucket?

Question

Recently I received an email in order to tell me that some IE connections has access to my bucket:

eu-central-1|media.myapp | REST.GET.OBJECT|TLSv1|9|[Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NE
eu-central-1|media.myapp | REST.GET.OBJECT|TLSv1|54|[Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.1; .NET CLR 3.5.30729; .NET CLR 3.0.30618; .NET4.0C;

But I want to know what are these devices and what IP use in order to diagnose the cause of the issue (legacy infrastructure no docs). Is there a way to keep an access log on what IAM accounts and devices under which IP and MAC receive items from my bucket?

Answer 1

I'm not sure if I understand your question properly, but if you're asking how to allow only certain users or IP's to access your S3 bucket (and I'm assuming you're talking about from the Public Internet), here is a block of a bucket policy that I have used to allow, for example, only public IP addresses that I want to access the bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket name>/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "<first IP/32",
                        "<second IP>/32",
                        "<third IP>/32",
                        "<fourth IP>/32"
                    ]
                }
            }
        }
    ]
}

Hopefully, that can at least point you in the right direction.

Answer 2

The Amazon S3 User Guide explains request logging.

Server access logging provides detailed records for the requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html

You will not be able to learn MAC addresses, since these are never transmitted over the Internet, but the device IP address (or public NAT address if the device is behind a NAT router) will be captured. To identify specific devices on the LAN behind a NAT router requires access to the devices and/or to the router.

The logs will also capture the IAM credentials used, if any, to access the object, will be captured in the logs.

There is nothing further that can be learned about the devices from the AWS side, beyond what is found in these logs.

Presumably, the email you are referring to is related to the fact that these devices are using TLSv1, which AWS is discontinuing support for, soon.

To respond to evolving technology and regulatory standards for Transport Layer Security (TLS), we will be updating the TLS configuration for all AWS service API endpoints to a minimum of version TLS 1.2. This update means you will no longer be able to use TLS versions 1.0 and 1.1 with all AWS APIs in all AWS Regions by June 28, 2023.

https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/

You can block old versions of TLS now, before the API changes take effect, with an appropriate deny policy. This would potentially help you identify the devices from trouble reports. By periodically adding and removing the policy for now, you might be able to identify the devices without causing a permanent outage like will happen when the API changes are pushed out by AWS. Denied requests will still be logged by S3, but will be met with HTTP 403 response and an error of AccessDenied.