I have a Cognito pool / Federated identity setup with users receiving temporary IAM credentials via AWS Amplify. These users have access to getObject from a couple of S3 buckets even though:
- The buckets have all public access disabled
- The buckets policy page is blank
- The IAM role associated with the Cognito groups that these users are members of (Trust Relationship with cognito-identity.amazonaws.com) has no policies attached that grant any S3 permissions. Policies attached are only for AppSync, Cognito, and APIGateway
If I create a new bucket and point getObject at a contained object, the users get 403 Forbidden, an indication that some bucket-specific policy somewhere is granting access. The problem is we have so many policies and roles, many used in production, so I can't simply do on/off testing to narrow it down.
Is there a way somehow to trace what policy/role is providing access for a specific S3 getObject request?
EDIT: I've run the IAM Policy Simulator for the role associated with the Cognito groups and it gives denied for the objects in question.
The objects I'm trying to have access correctly blocked for have no permissions set for them. The buckets have:
- Block new public ACLs and uploading public objects (Recommended): True
- Remove public access granted through public ACLs (Recommended): True
- Block new public bucket policies (Recommended): True
- Block public and cross-account access if bucket has public policies (Recommended): True
UPDATE: I've added CloudTrail logging to my buckets. While an event with eventName = 'GetObject' is logged for any downloads I do from the bucket via the console, no events are logged for s3.getObject downloads via the AWS JavaScript SDK. How can I get these events to log?
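Added example, not part of the original question or any answer to it: the two things the question is circling are (a) which principal is actually making the successful GetObject calls, and (b) getting CloudTrail to record those calls at all. S3 GetObject is an object-level *data* event, which a trail does not record unless data-event logging is turned on for the bucket; once it is, a call made with Cognito-issued temporary credentials shows up as an `AssumedRole` session whose `sessionContext.sessionIssuer.arn` is the role the identity pool handed out, and that role (not necessarily the group role) is where to look for the granting policy. The script below parses a constructed CloudTrail log file (account id, bucket, role and user names are placeholders), groups successful GetObject events by the issuing principal while skipping management events and AccessDenied records, and builds the `EventSelectors` structure that CloudTrail's `PutEventSelectors` API takes to enable object-level logging for a bucket. It makes no AWS calls, so it runs offline.

```python
import json
from collections import defaultdict

# Constructed CloudTrail log file (not real log data): account id, bucket,
# role and user names are placeholders. Record 1 is a console download by an
# IAM user; records 2 and 3 are SDK downloads with Cognito-issued credentials;
# record 4 is a management event that the GetObject summary must ignore.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "eventCategory": "Data", "readOnly": True,
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/admin"},
        "requestParameters": {"bucketName": "example-bucket", "key": "report.pdf"},
    },
    {
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "eventCategory": "Data", "readOnly": True,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/amplify-authRole/CognitoIdentityCredentials",
            "sessionContext": {"sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::111122223333:role/amplify-authRole"}},
        },
        "requestParameters": {"bucketName": "example-bucket", "key": "report.pdf"},
    },
    {
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "eventCategory": "Data", "readOnly": True,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/amplify-authRole/CognitoIdentityCredentials",
            "sessionContext": {"sessionIssuer": {
                "type": "Role",
                "arn": "arn:aws:iam::111122223333:role/amplify-authRole"}},
        },
        "requestParameters": {"bucketName": "example-bucket", "key": "private/secret.txt"},
    },
    {
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
        "eventCategory": "Management", "readOnly": False,
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/admin"},
        "requestParameters": {"bucketName": "example-bucket"},
    },
]})


def issuing_principal(record):
    """Return the ARN whose policies should be inspected. For an assumed-role
    session that is the issuing role (sessionContext.sessionIssuer.arn), since
    the session ARN itself carries no policies; otherwise the caller's ARN."""
    identity = record["userIdentity"]
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["arn"]
    return identity.get("arn", "<unknown>")


def summarize_get_object(log_text):
    """Group successful S3 GetObject data events by issuing principal.
    Records carrying an errorCode (e.g. AccessDenied) are skipped.
    Returns {principal_arn: [(bucket, key), ...]}."""
    summary = defaultdict(list)
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") != "GetObject" or "errorCode" in rec:
            continue
        params = rec.get("requestParameters", {})
        summary[issuing_principal(rec)].append(
            (params.get("bucketName"), params.get("key")))
    return dict(summary)


def s3_object_event_selector(bucket_names):
    """Build the EventSelectors argument for CloudTrail PutEventSelectors that
    turns on object-level (data) logging for the given buckets. The trailing
    '/' on each bucket ARN selects every object in that bucket."""
    return [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [{
            "Type": "AWS::S3::Object",
            "Values": [f"arn:aws:s3:::{name}/" for name in bucket_names],
        }],
    }]


if __name__ == "__main__":
    for principal, objects in summarize_get_object(SAMPLE_LOG).items():
        print(principal)
        for bucket, key in objects:
            print(f"    s3://{bucket}/{key}")
    print(json.dumps(s3_object_event_selector(["example-bucket"]), indent=2))
```

Run against a real trail's files after data events are enabled, the principal summary tells you which role's attached and inline policies (and which bucket policy, if the role is named there) to read; the SDK downloads in the question will only appear once the selector for the bucket is in place on the trail.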