3

I've created an AWS S3 bucket to back up my Postgres DB. It was all going well but then I enabled Logging and started to get a bunch of Access Denied logs.

I thought I had messed something up in my backup routine, so I created a brand new bucket under a new name and just enabled the logging, but did nothing else. And now I'm getting the Access Denied logs again.

They read:

<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>...</RequestId>
  <HostId>
    ...
  </HostId>
</Error>

Under Permissions, I am the only authorized user, with full access, and there's also the S3 log delivery group with write and read permissions.

Any ideas on what's causing these access denied requests? I have to stress that I haven't tried to do anything with this bucket, I just created it and enabled logging. (I am new to AWS S3 so I might be missing something very simple.)

bplmp
  • 131
  • 2
  • It could be someone trying to access your bucket with randomly generated bucket names. You haven't given us enough information to give you any concrete information - include a few of the full errors in your post if you want more help. – Tim Aug 22 '17 at 20:17
  • @Tim the errors are all the same as the one above, except all have different HostIds. They also happen in bursts of roughly 5 errors per minute for about 3 minutes, then stop for 2 minutes or so and start again. – bplmp Aug 22 '17 at 20:25
  • S3 buckets exist in one big namespace. Is it possible you picked a name that might be common and someone else maybe is trying to use it also? – c3st7n Aug 22 '17 at 20:35
  • @c3st7n Not sure if this is the case... Both of the bucket names I am using are 18-20 characters in length and do not contain common words. But I will try to create another bucket with a long, random name and see if the error is reproducible. – bplmp Aug 22 '17 at 21:01
  • @c3st7n I think you were right. My random UUID bucket is getting no access denied attempts, while the other one has gotten more than 150 in a couple of hours. I will now prefix my bucket names with a UUID. – bplmp Aug 22 '17 at 21:37
  • *"They read"* ...that isn't a "log" you are looking at. That's an error message about what you are trying to look at. **You** are being denied access to whatever you are trying to fetch (a log?) from your bucket. The `RequestId` and `HostId` are unique request identifiers for troubleshooting, that AWS Support can use to trace down that specific request. They will vary with each request you make. – Michael - sqlbot Aug 22 '17 at 23:41
  • Also, don't configure a bucket to write logs to itself. Every log file that the system uploads will trigger another logfile, logging the upload of the previous logfile, which will trigger another logfile, which will be uploaded, which will trigger another logfile... the system won't go crazy with this, but it will trigger an infinite cascade of small logfiles, dozens per day at least. – Michael - sqlbot Aug 22 '17 at 23:43
  • @Michael-sqlbot thanks for the tip on not writing logs to the bucket itself. But I don't think it was me being denied access, simply because I wasn't trying to access or do anything with the bucket. I was accessing it through the S3 web interface, and hadn't tried to do anything else with it after creating. I think c3st7n was right because after a couple of days now there are no logs with access denied messages in my bucket with the long, random name. – bplmp Aug 24 '17 at 13:53
  • The only thing, though, is that ` AccessDenied Access Denied ... ... ` is **not** a log entry. That isn't what the logs look like. That is a "you cannot download this object" error directed at you, right now, as you are attempting to download the object. – Michael - sqlbot Aug 24 '17 at 16:34

1 Answer

1

As Michael says in the comments, this is a message telling YOU that YOU'RE denied access to this log file as it's trying to load in the browser.

Try clicking the "Download" button for this object in the S3 interface. You should get a text file with the actual log in it.

Tony Kau
  • 11
  • 1
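Once the log object is downloaded as the answer suggests, the text file contains one space-separated S3 server access log record per request, and the distinction the comments argue about (requests you made versus unauthenticated requests from someone guessing bucket names) is visible in the `requester` field: AWS writes `-` there for unauthenticated requests and the caller's canonical user ID otherwise. The following parser is an added example, not code from the question or answer; the log lines, canonical IDs, request IDs and addresses in it are constructed placeholders. It tokenises the leading fields of the documented log format, keeps only `AccessDenied` records, and separates anonymous denials (counted per source IP and per minute, which makes bursts like the ones described in the comments visible) from denials of the bucket owner's own requests, such as the console failing to render an object.

```python
"""Parse S3 server access log lines and separate anonymous AccessDenied
probes from the bucket owner's own denied requests.

Added example; sample lines, canonical IDs, request IDs and IP addresses
below are constructed placeholders, not real log data.
"""
import re
from collections import Counter

# One token is a [bracketed timestamp], a "quoted string" or a bare field.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Leading fields of the S3 server access log format, in order. Later
# fields (host id, signature version, TLS details, ...) are ignored here.
_FIELDS = (
    "bucket_owner", "bucket", "time", "remote_ip", "requester",
    "request_id", "operation", "key", "request_uri", "http_status",
    "error_code", "bytes_sent", "object_size", "total_time",
    "turnaround_time", "referer", "user_agent", "version_id",
)

# Constructed placeholder for the bucket owner's canonical user ID.
OWNER_ID = "OWNERCANONICALID0000"

# Constructed sample records: three anonymous probes, one denial of the
# owner's own console request, one denial of another principal, one success.
SAMPLE_LINES = [
    'OWNERCANONICALID0000 example-backup-bucket [22/Aug/2017:20:10:01 +0000] 198.51.100.7 - REQID0000000001 REST.GET.OBJECT db.dump "GET /db.dump HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "curl/7.54.0" - HOSTID0001 - - - example-backup-bucket.s3.amazonaws.com - - -',
    'OWNERCANONICALID0000 example-backup-bucket [22/Aug/2017:20:10:14 +0000] 198.51.100.7 - REQID0000000002 REST.HEAD.BUCKET - "HEAD / HTTP/1.1" 403 AccessDenied - - 9 - "-" "curl/7.54.0" - HOSTID0002 - - - example-backup-bucket.s3.amazonaws.com - - -',
    'OWNERCANONICALID0000 example-backup-bucket [22/Aug/2017:20:11:40 +0000] 203.0.113.9 - REQID0000000003 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 15 - "-" "aws-sdk-go/1.10" - HOSTID0003 - - - example-backup-bucket.s3.amazonaws.com - - -',
    'OWNERCANONICALID0000 example-backup-bucket [22/Aug/2017:20:12:05 +0000] 192.0.2.44 OWNERCANONICALID0000 REQID0000000004 REST.GET.OBJECT logs/2017-08-22-20-10-00-ABCDEF "GET /logs/2017-08-22-20-10-00-ABCDEF HTTP/1.1" 403 AccessDenied 243 - 20 - "https://console.aws.amazon.com/s3/" "Mozilla/5.0" - HOSTID0004 - - - example-backup-bucket.s3.amazonaws.com - - -',
    'OWNERCANONICALID0000 example-backup-bucket [22/Aug/2017:20:12:30 +0000] 192.0.2.77 OTHERCANONICALID1111 REQID0000000005 REST.GET.OBJECT db.dump "GET /db.dump HTTP/1.1" 403 AccessDenied 243 - 11 - "-" "aws-cli/1.11" - HOSTID0005 - - - example-backup-bucket.s3.amazonaws.com - - -',
    'OWNERCANONICALID0000 example-backup-bucket [22/Aug/2017:20:13:02 +0000] 192.0.2.44 OWNERCANONICALID0000 REQID0000000006 REST.GET.BUCKET - "GET /?prefix=logs/ HTTP/1.1" 200 - 1532 - 18 17 "https://console.aws.amazon.com/s3/" "Mozilla/5.0" - HOSTID0006 - - - example-backup-bucket.s3.amazonaws.com - - -',
]


def parse_line(line):
    """Return a dict of the named leading fields, or None if the record is
    too short to be a server access log line."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    if len(tokens) < len(_FIELDS):
        return None
    return dict(zip(_FIELDS, tokens))


def classify_denied(lines, owner_id):
    """Summarise the AccessDenied records in an iterable of log lines.

    anonymous_by_ip: Counter of source IPs for unauthenticated denials
    per_minute:      Counter of unauthenticated denials keyed by minute
    own_denied:      denials where the requester is the bucket owner
    other_denied:    denials of other authenticated principals
    """
    summary = {
        "anonymous_by_ip": Counter(),
        "per_minute": Counter(),
        "own_denied": 0,
        "other_denied": 0,
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["error_code"] != "AccessDenied":
            continue
        if rec["requester"] == "-":
            summary["anonymous_by_ip"][rec["remote_ip"]] += 1
            # "DD/Mon/YYYY:HH:MM" is the first 17 characters of the timestamp.
            summary["per_minute"][rec["time"][:17]] += 1
        elif rec["requester"] == owner_id:
            summary["own_denied"] += 1
        else:
            summary["other_denied"] += 1
    return summary


if __name__ == "__main__":
    report = classify_denied(SAMPLE_LINES, OWNER_ID)
    print("anonymous denials by source IP:", dict(report["anonymous_by_ip"]))
    print("anonymous denials per minute:  ", dict(report["per_minute"]))
    print("owner's own denied requests:   ", report["own_denied"])
    print("other principals denied:       ", report["other_denied"])
```

Run against a real downloaded log, a high `anonymous_by_ip` count with `own_denied` near zero matches what the comments concluded (unauthenticated requests against a guessable bucket name, harmless as long as the bucket policy keeps denying them), while a non-zero `own_denied` with console referers points at the situation in the answer, where the browser itself was refused the object it tried to render.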