Certified Security - Specialty


Use case of S3 read-only access and CloudTrail Read Only

If there is a bucket ‘A’, granting a user no access to S3, I give him CloudTrail read-only access, how does that work? Will the user be able to access the CloudTrail logs in S3?

What does it mean to have CloudTrailReadOnly access when the storage location is an S3 bucket?

2 Answers


I would need to do some testing, but I think the key to this issue is: what is accessing the logs in the S3 bucket?

CloudTrail is primarily a collection tool. CloudTrail / trail is an archiving service that uses S3, and it only needs S3 GetBucketAcl and PutObject permissions.

Once in S3, further analysis is by other tools starting with CloudWatch Logs and CloudWatch Events, Athena and extending to 3rd party tools. It is these services that would need to read the objects in S3.

– https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-working-with-log-files.html

– https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

– https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html

I am not sure if I have answered your questions, but I hope this sets you on the right path.



Gray Panther

I think the user won’t have access to the bucket, even if he has read-only permission on CloudTrail, as there’s an explicit deny which will overrule the read-only allow. Correct me if I am wrong.

Would that user have access to the short term logs in CloudTrail before they are transferred to the S3 bucket? (The hidden bucket as mentioned in the last lecture) Or does that disappear when you enable the full CloudTrail?
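
The evaluation order the answers above turn on, as an added example that is not part of the original thread: a simplified evaluator for identity-based IAM statements only (no bucket policies, SCPs, permission boundaries or conditions). The three statements, the account ID and the object key are constructed for illustration, bucket `A` comes from the question, and the CloudTrail statement is an assumption, not the contents of any AWS managed policy.

```python
from fnmatch import fnmatchcase

# Constructed identity policy: CloudTrail read actions only, nothing for S3.
CLOUDTRAIL_READ = {"Effect": "Allow",
                   "Action": ["cloudtrail:LookupEvents", "cloudtrail:Get*",
                              "cloudtrail:Describe*", "cloudtrail:List*"],
                   "Resource": ["*"]}
# Constructed S3 read grant on the log bucket "A" from the question.
S3_READ = {"Effect": "Allow", "Action": ["s3:GetObject"],
           "Resource": ["arn:aws:s3:::A/*"]}
# Constructed explicit deny covering the bucket and every object in it.
DENY_BUCKET_A = {"Effect": "Deny", "Action": ["s3:*"],
                 "Resource": ["arn:aws:s3:::A", "arn:aws:s3:::A/*"]}
# Constructed object key in the layout CloudTrail uses under AWSLogs/.
LOG_OBJECT = ("arn:aws:s3:::A/AWSLogs/111122223333/CloudTrail/"
              "us-east-1/2024/01/01/example.json.gz")


def _matches(stmt, action, resource):
    # Action names are case-insensitive; ARNs are matched case-sensitively.
    # fnmatch's * and ? behave like IAM wildcards for these inputs.
    return (any(fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"])
            and any(fnmatchcase(resource, r) for r in stmt["Resource"]))


def evaluate(statements, action, resource):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    effects = [s["Effect"] for s in statements if _matches(s, action, resource)]
    if "Deny" in effects:        # any matching Deny wins over every Allow
        return "explicit deny"
    if "Allow" in effects:
        return "allow"
    return "implicit deny"       # nothing matched: denied by default


if __name__ == "__main__":
    cases = [
        ("CloudTrail read only", [CLOUDTRAIL_READ], "s3:GetObject", LOG_OBJECT),
        ("CloudTrail read only", [CLOUDTRAIL_READ], "cloudtrail:LookupEvents", "*"),
        ("plus S3 read", [CLOUDTRAIL_READ, S3_READ], "s3:GetObject", LOG_OBJECT),
        ("plus S3 read and deny", [CLOUDTRAIL_READ, S3_READ, DENY_BUCKET_A],
         "s3:GetObject", LOG_OBJECT),
    ]
    for label, stmts, action, resource in cases:
        print(f"{label:24} {action:26} -> {evaluate(stmts, action, resource)}")
```

With only the CloudTrail statement attached, the S3 read is refused by the default (implicit) deny; an explicit deny matters only once some other statement would otherwise allow the request.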
