Does CloudTrail IAM also lock S3 down?

Hello Armstrong,

I do not understand the last part of your question asking if AWS will "disallow User B access to the S3 bucket as well".

By default, a user does not have access to the S3 bucket. The S3 documentation article "How Amazon S3 Authorizes a Request for an Object Operation" makes this very clear [1]. If you did not already read this documentation page, I highly recommend it.

AWS first checks the so called "User context":

"If the requester is an IAM user, the user must have permission from the parent AWS account to which it belongs. In this step, Amazon S3 evaluates a subset of policies owned by the parent account (also referred as the context authority). This subset of policies includes the user policy that the parent attaches to the user. If the parent also owns the resource in the request (bucket, object), Amazon S3 evaluates the corresponding resource policies (bucket policy, bucket ACL, and object ACL) at the same time."

So in your case I would conclude: Granting user A access to a S3 resource does not influence permissions given to other users (such as user B). As far as I know, CloudTrail does not automatically create any "deny" statement in the resource policies (e.g. bucket policy, bucket ACL, and object ACL) of the CloudTrail S3 bucket. However, this is also not necessary at all, since the users in your account will not be able to access the bucket by default – if you did not give them explicit permission to do so (by e.g. assigning them the S3 Admin policy).

If you want to make sure that no one in your account can access or modify the CloudTrail logs, just send them to another account within the same organization and restrict access to it. There was a recent discussion in this forum how this can be accomplished [2].

[1] https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html

[2] Forum Discussion about CloudTrail Security Best-Practice