Reputation: 2122
What is the easiest way to get the user/role used to update/upload an object to S3?
The object is still in the bucket. I just want to know who did it.
I tried the CLI and didn't find anything. CloudTrail could be an option as well, I guess.
Upvotes: 0
Views: 504
Reputation: 269826
From Logging Amazon S3 API Calls by Using AWS CloudTrail - Amazon Simple Storage Service:
Amazon S3 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon S3. CloudTrail captures a subset of API calls for Amazon S3 as events, including calls from the Amazon S3 console and from code calls to the Amazon S3 APIs.
Upvotes: 0
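A worked example of reading CloudTrail records for this purpose, added here and not part of the answer above or of any AWS code. One caveat a practitioner should know before relying on CloudTrail for this: S3 object-level calls such as `PutObject` are CloudTrail *data events*, which are only recorded when a trail has been explicitly configured to log S3 data events; the default management-event logging and the console's event history will not show who uploaded an object. Assuming such a trail delivers JSON log files in the standard `{"Records": [...]}` layout, the script below walks those records, keeps only S3 write events for the bucket and key of interest, and resolves the `userIdentity` block to an IAM user or role ARN (for an assumed role the role itself lives under `sessionContext.sessionIssuer`, not in the session ARN). The log contents, account id, ARNs, bucket, key and IP addresses are constructed placeholders.

```python
import json

# Constructed sample of a CloudTrail log file with three records. The account
# id, ARNs, bucket, key, IPs and principal ids are placeholders, not real data.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.08", "eventTime": "2024-03-10T12:01:05Z",
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "192.0.2.10",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "accountId": "123456789012", "userName": "alice"},
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
    },
    {
        "eventVersion": "1.08", "eventTime": "2024-03-10T12:03:44Z",
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {
            "type": "AssumedRole", "principalId": "AROAEXAMPLE:ci-session",
            "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-session",
            "accountId": "123456789012",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "userName": "DeployRole",
                "arn": "arn:aws:iam::123456789012:role/DeployRole"}},
        },
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
    },
    {
        "eventVersion": "1.08", "eventTime": "2024-03-10T12:05:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "sourceIPAddress": "192.0.2.10",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "accountId": "123456789012", "userName": "alice"},
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/q2.csv"},
    },
]})

# S3 API calls that create or overwrite an object's content.
WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}


def principal_from_identity(identity):
    """Return the IAM user or role ARN behind a CloudTrail userIdentity block.

    For an assumed role the top-level arn is only the STS session
    (assumed-role/Role/session); the role itself is reported under
    sessionContext.sessionIssuer, which is what an investigator wants.
    """
    kind = identity.get("type")
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn") or identity.get("arn", "unknown")
    if kind == "Root":
        return "root of account " + identity.get("accountId", "unknown")
    return identity.get("arn") or "%s:%s" % (kind, identity.get("principalId", "unknown"))


def find_object_writers(log_text, bucket, key):
    """List every recorded write to bucket/key, oldest first, with who did it."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in WRITE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != bucket or params.get("key") != key:
            continue
        hits.append({
            "time": rec["eventTime"],
            "event": rec["eventName"],
            "principal": principal_from_identity(rec.get("userIdentity", {})),
            "source_ip": rec.get("sourceIPAddress"),
        })
    hits.sort(key=lambda h: h["time"])
    return hits


if __name__ == "__main__":
    for hit in find_object_writers(SAMPLE_CLOUDTRAIL_LOG, "example-bucket", "reports/q1.csv"):
        print(hit)
```

On a real trail the log files are gzipped JSON objects in the trail's bucket, so the same `find_object_writers` can be fed the decompressed contents of each file for the time window in question; the `GetObject` record in the sample is skipped because it is not a write.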
Reputation: 3802
The easiest way would be to enable S3 server access logging:
AWS Console -> S3 -> Choose your bucket -> Properties -> Choose target bucket (where you want your logs to be stored) -> Save
Each request is saved as one row in logs. It's not just for get requests, it's for all types of requests.
In logs, you would look for Requester:
The canonical user ID of the requester, or a - for unauthenticated requests. If the requester was an IAM user, this field returns the requester's IAM user name along with the AWS root account that the IAM user belongs to. This identifier is the same one used for access control purposes.
You can see more details in official documentation: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
Upvotes: 1
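An added example of picking the Requester out of S3 server access logs, written for this page and not taken from the answer above or from AWS. Two caveats worth keeping in mind: server access logs are delivered on a best-effort basis and with a delay, and they only cover requests made after logging was enabled, so an upload that happened before that point will not appear. The parser below follows the documented space-separated field order (the time is bracketed and the request URI, referer and user agent are quoted, so a plain `split()` is not enough), URL-decodes the object key, and keeps only operations that write object content. The log lines, owner id, host id, request ids, ARNs and IP addresses are constructed; in the sample the Requester is written as an IAM or STS ARN, and `-` marks the unauthenticated request the documentation describes.

```python
import re
from urllib.parse import unquote

# Constructed sample S3 server access log lines (not real traffic). Owner id,
# host id, request ids, ARNs and IPs are placeholders; the field order follows
# the S3 server access log format.
SAMPLE_ACCESS_LOG = """\
OWNERIDEXAMPLE example-bucket [10/Mar/2024:12:01:05 +0000] 192.0.2.10 arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 11 "-" "aws-cli/2.15.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSV1.2
OWNERIDEXAMPLE example-bucket [10/Mar/2024:12:03:44 +0000] 198.51.100.7 arn:aws:sts::123456789012:assumed-role/DeployRole/ci-session 7B4A0FABEXAMPLE REST.PUT.OBJECT reports/q1.csv "PUT /reports/q1.csv HTTP/1.1" 200 - - 4096 35 20 "-" "aws-sdk-go/1.44" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSV1.2
OWNERIDEXAMPLE example-bucket [10/Mar/2024:12:05:00 +0000] 203.0.113.5 - 9C1D0E2FEXAMPLE REST.GET.OBJECT public/index.html "GET /public/index.html HTTP/1.1" 200 - 512 512 8 7 "-" "Mozilla/5.0" - HOSTIDEXAMPLE= - - - example-bucket.s3.us-east-1.amazonaws.com TLSV1.2
OWNERIDEXAMPLE example-bucket [10/Mar/2024:12:07:30 +0000] 192.0.2.10 arn:aws:iam::123456789012:user/alice A1B2C3D4EXAMPLE REST.PUT.OBJECT reports/q1%20final.csv "PUT /reports/q1%20final.csv HTTP/1.1" 200 - - 8192 40 22 "-" "aws-cli/2.15.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSV1.2
"""

# Field names in the order S3 writes them (the first 24 documented fields).
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turnaround_time", "referer", "user_agent",
          "version_id", "host_id", "signature_version", "cipher_suite",
          "auth_type", "host_header", "tls_version"]

# Operations that create or overwrite object content (PUT, copy, multipart complete).
WRITE_OPERATIONS = {"REST.PUT.OBJECT", "REST.COPY.OBJECT", "REST.POST.UPLOAD"}

# One token is a [bracketed time], a "quoted string", or a run of non-space characters.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line):
    """Split one access log line into a dict keyed by FIELDS."""
    rec = dict(zip(FIELDS, TOKEN_RE.findall(line)))
    rec["time"] = rec["time"].strip("[]")
    for quoted in ("request_uri", "referer", "user_agent"):
        rec[quoted] = rec[quoted].strip('"')
    rec["key"] = unquote(rec["key"])  # keys are URL-encoded in the log
    return rec


def describe_requester(requester):
    """The Requester field is '-' for unauthenticated (anonymous) requests."""
    return "anonymous" if requester == "-" else requester


def writers_of_key(log_text, key):
    """Return every logged write to the given object key, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["operation"] in WRITE_OPERATIONS and rec["key"] == key:
            hits.append({
                "time": rec["time"],
                "requester": describe_requester(rec["requester"]),
                "operation": rec["operation"],
                "remote_ip": rec["remote_ip"],
                "status": rec["http_status"],
            })
    return hits


if __name__ == "__main__":
    for hit in writers_of_key(SAMPLE_ACCESS_LOG, "reports/q1.csv"):
        print(hit)
```

Because logging is per bucket, the same function can be run over every delivered log object for the target bucket; the decoded key comparison is what makes `reports/q1 final.csv` match its `%20`-encoded log entry.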