
I am currently working on analyzing the costs associated with different AWS services for each IAM role. Specifically, I am focusing on Amazon S3 buckets. I am using the AWS Cost and Usage Report to gather information about resource usage and costs.

My goal is to match the resource IDs in the cost and usage report with the actions performed by each IAM role on S3 buckets. This would allow me to accurately attribute costs to specific actions taken by IAM roles.

Is there a method or tool available that would enable me to retrieve the actions performed by each IAM role on S3 buckets? I am open to using APIs, AWS CLI commands, or any other suitable approach to accomplish this task.

I have looked into CloudTrail logs and the policies attached to IAM roles. However, these approaches have not provided me with the exact actions performed.

2 Answers


  1. When an API request is made, AWS will check that the credentials used have permission to make the API call. If so, then the operation takes place but the identity of who requested the action is not recorded in S3. For example, if somebody creates a bucket, then the bucket does not ‘remember’ who asked for it.

    The only location where the ‘requester’ is associated with an API call is in AWS CloudTrail. You would need to find the API call in the Trail that resulted in the resource being created.

    This will be made more difficult by the fact that many costs in S3 are not directly related to an API call. For example:

    • Storing an object in a bucket has an immediate cost of a PUT request ($0.005 per 1000 requests), but the longer-term cost of storage ($0.023 per GB per month) is not easily linked to the original PUT
    • Retrieving an object with a GET request costs $0.0004 per 1000 requests, but might also involve Data Transfer costs that can’t be tied back to the actual GET request (and Data Transfer is often a major cost)

    You would have more success grouping costs by the Bucket used, which could be associated with a particular use-case. However, Data Transfer probably can’t be associated with a particular bucket.

    Worst case, you could use separate AWS Accounts for groups within your organisation, which will allow costs to be associated to a particular group of users or a particular use-case.

  2. Is there a method or tool available that would enable me to retrieve the actions performed by each IAM role on S3 buckets?

    No and CUR does not give you this level of granularity.

    I have looked into CloudTrail logs and the policies attached to IAM roles. However, these approaches have not provided me with the exact actions performed.

    What specific actions are you looking for? Have you enabled S3 data events?

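As an added example (not code from either answer; the CloudTrail field names and CUR column layout are assumptions, and every event, role, bucket and cost value is constructed), this joins CloudTrail S3 data events, which Answer 1 identifies as the only place the requester is recorded and Answer 2 notes must be enabled, with CUR request line items grouped by bucket. Request charges are split across roles by their share of calls on each bucket and tier; storage and data transfer are left unattributed, since, as Answer 1 warns, they cannot be tied back to a request.

```python
from collections import defaultdict

def ct_event(role, event_name, bucket):
    """Constructed CloudTrail S3 data-event record (subset of the real schema)."""
    return {"eventName": event_name, "userIdentity": {"sessionContext": {
                "sessionIssuer": {"arn": f"arn:aws:iam::111122223333:role/{role}"}}},
            "resources": [{"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{bucket}"}]}

EVENTS = ([ct_event("ingest", "PutObject", "example-data")] * 3
          + [ct_event("ingest", "ListObjects", "example-data")]
          + [ct_event("analytics", "PutObject", "example-data")] * 2
          + [ct_event("analytics", "GetObject", "example-data")] * 6
          + [ct_event("analytics", "GetObject", "example-logs")] * 2)

# Constructed CUR line items (bucket, usage type, unblended cost). Assumption: for S3
# the CUR resource id is the bucket name and request charges use a "-Requests-TierN"
# usage type. Request costs follow the per-1000 prices quoted in Answer 1.
CUR = [("example-data", "USE1-Requests-Tier1", 0.00003),       # 6 PUT/LIST
       ("example-data", "USE1-Requests-Tier2", 0.0000024),     # 6 GET
       ("example-logs", "USE1-Requests-Tier2", 0.0000008),     # 2 GET
       ("example-data", "USE1-TimedStorage-ByteHrs", 0.46),    # storage: no request
       ("", "USE1-DataTransfer-Out-Bytes", 0.45)]              # transfer: no bucket

TIER1 = {"PutObject", "CopyObject", "PostObject", "ListObjects", "ListObjectsV2"}

def tier(event_name):
    return "Tier1" if event_name in TIER1 else "Tier2"  # PUT/COPY/POST/LIST vs the rest
def role_of(e):
    return e["userIdentity"]["sessionContext"]["sessionIssuer"]["arn"].rsplit("/", 1)[1]
def bucket_of(e):
    return next(r["ARN"].split(":::", 1)[1] for r in e["resources"]
                if r["type"] == "AWS::S3::Bucket")

def attribute(events, cur):
    """Split each request line item across roles by their share of CloudTrail calls
    on that bucket and tier. Returns ({(bucket, role): cost}, unattributed_cost)."""
    calls = defaultdict(lambda: defaultdict(int))   # (bucket, tier) -> role -> count
    for e in events:
        calls[(bucket_of(e), tier(e["eventName"]))][role_of(e)] += 1
    per_role, unattributed = defaultdict(float), 0.0
    for bucket, usage, cost in cur:
        roles = calls.get((bucket, usage.rsplit("-", 1)[1])) if "-Requests-" in usage else None
        if not roles:   # storage, data transfer, or no CloudTrail evidence for it
            unattributed += cost
            continue
        total = sum(roles.values())
        for role, n in roles.items():
            per_role[(bucket, role)] += cost * n / total
    return dict(per_role), unattributed
```

Run on real data by replacing EVENTS with parsed CloudTrail records and CUR with the S3 rows of a report; the unattributed total shows how much of the bill this method cannot explain.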