How can I find out which user enabled public access to an Amazon Simple Storage Service (Amazon S3) bucket?
Review the AWS CloudTrail event history to see which user updated either the bucket access control list (ACL) or the bucket policy to allow public access.
Follow these steps to find the user by using the CloudTrail console:
1. Open the CloudTrail console.
2. From the Region selector in the navigation bar, select the AWS Region that your bucket is in.
3. From the navigation pane, choose Event history.
4. For Filter, select the filter that you want to use to find the event that granted public access to your bucket:
   - To filter events by your bucket's name, select Resource name, and then enter your bucket's name.
   - To filter events by changes to a bucket ACL, select Event name, and then enter "PutBucketAcl".
   - To filter events by changes to a bucket policy, select Event name, and then enter "PutBucketPolicy".
5. After you find the event that granted public access to your bucket, review the event's User name column. Then, expand the event item and choose View event to see more details, such as the user's Amazon Resource Name (ARN).
AWS Command Line Interface (AWS CLI)
Run this command to list CloudTrail events associated with your bucket (using your bucket's name):
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=example-bucket-name --region example-region
Run this command to list events that are changes to a bucket ACL:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketAcl --region example-region
Run this command to list events that are changes to a bucket policy:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketPolicy --region example-region
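The commands above return every matching event, not only the ones that opened the bucket. The following Python script is an added example, not part of the original article: it reads the JSON that `aws cloudtrail lookup-events` prints and keeps only successful PutBucketAcl or PutBucketPolicy calls on the named bucket that grant access to everyone. The `requestParameters` layout it relies on (`x-amz-acl`, `bucketPolicy`, `bucketName`), the helper names, and the sample event are assumptions constructed for illustration.

```python
import json

GROUPS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = (GROUPS + "AllUsers", GROUPS + "AuthenticatedUsers")
PUBLIC_CANNED = {"public-read", "public-read-write", "authenticated-read"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def public_reason(record):
    """Return why this CloudTrail record made the bucket public, or None."""
    params = record.get("requestParameters") or {}
    if record.get("eventName") == "PutBucketAcl":
        canned = PUBLIC_CANNED.intersection(as_list(params.get("x-amz-acl", [])))
        if canned:
            return "canned ACL " + sorted(canned)[0]
        blob = json.dumps(params)  # explicit grants may nest as a dict or a list
        for uri in PUBLIC_GROUPS:
            if uri in blob:
                return "ACL grant to " + uri.rsplit("/", 1)[1]
    elif record.get("eventName") == "PutBucketPolicy":
        policy = params.get("bucketPolicy") or {}  # assumed: parsed policy object
        for stmt in as_list(policy.get("Statement", [])):
            principal = stmt.get("Principal")
            aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
            if stmt.get("Effect") == "Allow" and "*" in as_list(aws):
                return "policy allows Principal *"
    return None

def find_public_changes(lookup_output, bucket):
    """Filter parsed `aws cloudtrail lookup-events` JSON; failed calls are skipped."""
    hits = []
    for event in lookup_output.get("Events", []):
        record = json.loads(event["CloudTrailEvent"])  # full record is a JSON string
        params = record.get("requestParameters") or {}
        reason = public_reason(record)
        if params.get("bucketName") == bucket and reason and "errorCode" not in record:
            hits.append((record["eventTime"], record["userIdentity"].get("arn"), reason))
    return sorted(hits, key=lambda hit: hit[0])

def sample_event(name, user, time, params, bucket="example-bucket-name", **extra):
    record = dict(eventName=name, eventTime=time,
                  requestParameters=dict(params, bucketName=bucket),
                  userIdentity={"arn": "arn:aws:iam::111122223333:user/" + user}, **extra)
    return {"EventName": name, "CloudTrailEvent": json.dumps(record)}

# Constructed sample in the shape of lookup-events output, not real log data.
SAMPLE = {"Events": [sample_event(
    "PutBucketAcl", "alice", "2024-01-02T10:00:00Z", {"x-amz-acl": ["public-read"]})]}
print(find_public_changes(SAMPLE, "example-bucket-name"))
```

Event history covers only the last 90 days of management events, so an older change has to be searched for in a trail's log destination instead. A wildcard principal that is narrowed by a Condition element is still reported here, so read the full policy statement before concluding that the bucket was public.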