I have inherited an Amazon AWS environment in which the Root account key has been widely distributed for the purposes of making backups to S3 buckets.
I need to track down where the key is being used, so that I can replace it with a key with limited permissions.
I've set up event notifications on the buckets to send messages to an SQS queue to tell me when objects are created. These messages contain the IP address of the server from where the object request originated, but not the IAM key in use (only the ID of the Amazon account in use).
CloudTrail isn't of use here either, as S3 requests are not written to CloudTrail.
Is there any other way I can tell which key is being used when making S3 requests?
PLEASE NOTE THAT THIS IS NOT A SUGGESTED SOLUTION, MERELY AN UPDATE ON WHAT I DID. USE THE METHOD SUGGESTED ABOVE. I SHOULD HAVE UPDATED THE QUESTION.
Thanks, EEAA
I considered that, but there are hundreds of buckets in play, so it wasn't really practical. I was hoping there was somewhere in IAM that I could track down key usage.
Given that I had Events and SQS already set up, what I ended up doing eventually was to set up events on likely buckets and match the S3 event timestamp to the timestamp provided by the key-last-used timestamp from IAM.
This gave me the IP addresses of the servers that were sending requests to S3 at the same time as the root key was being used, out of which I was able to find the root key on a few servers. Hopefully, when I check the root key over the next few days, I will no longer see it in use.
If not, I will probably have to set up logging on individual buckets as you've suggested.
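Added example for this thread (it is not code from the question, the update, or the answer): it parses S3 server access log records, picks out the requests that were signed with the account root credentials, groups them by source IP, and also does the timestamp matching described in the update (S3 event times against the key-last-used time IAM reports), so the two approaches can be compared on the same data. It assumes the buckets belong to the same account as the root key, so a root request carries the bucket owner's canonical user ID in the requester field while IAM users and roles appear as `arn:aws:iam` / `arn:aws:sts` principals and anonymous requests as `-`. All log lines, IDs, IPs and timestamps are constructed samples; `parse_record`, `root_requests_by_ip`, `events_from_log` and `ips_active_around` are names chosen here.

```python
# Added example, not code from the thread above. Parses constructed S3 server
# access log lines, isolates requests signed with the account root credentials
# (requester == the bucket owner's canonical user ID, an assumption that holds
# only for buckets in the same account as the key), and groups them by source
# IP. A second helper does the timestamp matching from the update: given the
# LastUsedDate IAM reports for the key, list every IP active in S3 around it.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One access-log token: a [bracketed time], a "quoted string", or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Leading fields of an S3 server access log record, in order.
_FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referer", "user_agent",
]


def parse_record(line):
    """Split one log line into a dict; the time becomes an aware datetime."""
    tokens = [t.strip('"') for t in _TOKEN.findall(line)]
    if len(tokens) < len(_FIELDS):
        raise ValueError("truncated access log record: %r" % line)
    rec = dict(zip(_FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"], "[%d/%b/%Y:%H:%M:%S %z]")
    return rec


def is_root_request(rec, canonical_id=None):
    """True when the requester is the account's canonical user ID, i.e. root.
    canonical_id defaults to the bucket owner (assumed same account); IAM
    users/roles show as arn:... and unauthenticated requests as '-'."""
    owner = canonical_id or rec["bucket_owner"]
    return rec["requester"] == owner


def root_requests_by_ip(lines, canonical_id=None):
    """Map source IP -> [(time, bucket, key, user_agent)] for root requests."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if is_root_request(rec, canonical_id):
            hits[rec["remote_ip"]].append(
                (rec["time"], rec["bucket"], rec["key"], rec["user_agent"]))
    return dict(hits)


def events_from_log(lines):
    """(time, ip) pairs, the same shape an S3 event notification gives via
    its eventTime and sourceIPAddress fields; taken from the log here."""
    return [(r["time"], r["remote_ip"])
            for r in (parse_record(l) for l in lines if l.strip())]


def ips_active_around(events, last_used_iso, window_seconds=300):
    """IPs that hit S3 within window_seconds of last_used_iso, the LastUsedDate
    from `aws iam get-access-key-last-used` (ISO 8601, e.g. 2019-02-06T00:01:00Z).
    Every key active in the window appears, root or not: a shortlist, not proof."""
    last_used = datetime.fromisoformat(last_used_iso.replace("Z", "+00:00"))
    window = timedelta(seconds=window_seconds)
    return sorted({ip for t, ip in events if abs(t - last_used) <= window})


# Constructed sample records (canonical ID, IPs and request IDs are made up).
# Line 1 and 3: root key from two hosts. Line 2: an IAM user. Line 4: anonymous.
SAMPLE_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eaf0c0f58a8c52 example-backups [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eaf0c0f58a8c52 3E57427F3EXAMPLE REST.PUT.OBJECT db/nightly.tar.gz "PUT /example-backups/db/nightly.tar.gz HTTP/1.1" 200 - - 3462992 70 10 "-" "aws-cli/1.16.102 Python/3.6.8"
79a59df900b949e55d96a1e698fbacedfd6e09d98eaf0c0f58a8c52 example-backups [06/Feb/2019:00:01:12 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/backup-svc 7B4A0FABBEXAMPLE REST.PUT.OBJECT web/assets.tar.gz "PUT /example-backups/web/assets.tar.gz HTTP/1.1" 200 - - 102400 40 8 "-" "aws-sdk-java/1.11.500"
79a59df900b949e55d96a1e698fbacedfd6e09d98eaf0c0f58a8c52 example-backups [06/Feb/2019:00:02:05 +0000] 203.0.113.9 79a59df900b949e55d96a1e698fbacedfd6e09d98eaf0c0f58a8c52 8C1D33AAEEXAMPLE REST.PUT.OBJECT mail/spool.tgz "PUT /example-backups/mail/spool.tgz HTTP/1.1" 200 - - 88000 30 5 "-" "s3cmd/1.6.1"
79a59df900b949e55d96a1e698fbacedfd6e09d98eaf0c0f58a8c52 example-backups [06/Feb/2019:00:03:40 +0000] 192.0.2.3 - 9D2E44BBFEXAMPLE REST.GET.OBJECT public/index.html "GET /example-backups/public/index.html HTTP/1.1" 403 AccessDenied - 0 12 3 "-" "curl/7.64.0"
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, reqs in root_requests_by_ip(lines).items():
        print("root key used from", ip, "by", [ua for _, _, _, ua in reqs])
    # Timestamp matching alone also lists the IAM user's host (198.51.100.7).
    print(ips_active_around(events_from_log(lines), "2019-02-06T00:01:00Z", 60))
```

Run against the sample, the log-based path names 192.0.2.3 and 203.0.113.9 as hosts holding the root key, while the timestamp match around 00:01:00 with a 60-second window returns 192.0.2.3 and 198.51.100.7: the IAM user's host lands in the shortlist and the second root host is missed, which is why the requester field from server access logging is the reliable signal and the timestamp correlation is only a way to narrow the hunt. Feed real data in by replacing `SAMPLE_LOG` with the lines from the logging target bucket and `last_used_iso` with the `LastUsedDate` from `aws iam get-access-key-last-used --access-key-id <root key id>`.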
In addition to CloudTrail, you should enable logging for your S3 buckets. After doing that, AWS will start logging the canonical user ID used to make authenticated requests to S3.
Quote from AWS S3 Docs on logging fields: