Should `aws157-logs-prod` and related buckets be added to the AWS-owned S3 buckets list

[rohitagarwal003]

I noticed that aws157-logs-prod S3 bucket is not present in

data-perimeter-policy-examples/vpc_endpoint_policies/s3_endpoint_policy.json

Lines 43 to 102 in f8f53c5

	"Sid": "AllowRequestsToAWSOwnedResources",
	"Effect": "Allow",
	"Principal": "*",
	"Action": [
	"s3:GetObject",
	"s3:ListBucket"
	],
	"Resource": [
	"arn:aws:s3:::packages.<region>.amazonaws.com/*",
	"arn:aws:s3:::repo.<region>.amazonaws.com/*",
	"arn:aws:s3:::amazonlinux.<region>.amazonaws.com/*",
	"arn:aws:s3:::amazonlinux-2-repos-<region>/*",
	"arn:aws:s3:::al2023-repos-<region>-de612dc2/*",
	"arn:aws:s3:::al2023-<region>/*",
	"arn:aws:s3:::repo.<region>.emr.amazonaws.com/*",
	"arn:aws:s3:::prod.<region>.appinfo.src/*",
	"arn:aws:s3:::aws-ssm-<region>/*",
	"arn:aws:s3:::aws-windows-downloads-<region>/*",
	"arn:aws:s3:::amazon-ssm-<region>/*",
	"arn:aws:s3:::amazon-ssm-packages-<region>/*",
	"arn:aws:s3:::<region>-birdwatcher-prod/*",
	"arn:aws:s3:::aws-ssm-distributor-file-<region>/*",
	"arn:aws:s3:::aws-ssm-document-attachments-<region>/*",
	"arn:aws:s3:::patch-baseline-snapshot-<region>/*",
	"arn:aws:s3:::aws-patchmanager-macos-<region>/*",
	"arn:aws:s3:::amazoncloudwatch-agent-<region>/*",
	"arn:aws:s3:::amazoncloudwatch-agent/*",
	"arn:aws:s3:::aws-codedeploy-<region>/*",
	"arn:aws:s3:::ec2imagebuilder-toe-<region>-prod/*",
	"arn:aws:s3:::ec2imagebuilder-managed-resources-<region>-prod/components/*",
	"arn:aws:s3:::prod-<region>-starport-layer-bucket/*",
	"arn:aws:s3:::aws-mgn-clients-<region>/*",
	"arn:aws:s3:::aws-mgn-clients-hashes-<region>/*",
	"arn:aws:s3:::aws-mgn-internal-<region>/*",
	"arn:aws:s3:::aws-mgn-internal-hashes-<region>/*",
	"arn:aws:s3:::aws-application-migration-service-<region>/*",
	"arn:aws:s3:::aws-application-migration-service-hashes-<region>/*",
	"arn:aws:s3:::aws-drs-clients-<region>/*",
	"arn:aws:s3:::aws-drs-clients-hashes-<region>/*",
	"arn:aws:s3:::aws-drs-internal-<region>/*",
	"arn:aws:s3:::aws-drs-internal-hashes-<region>/*",
	"arn:aws:s3:::aws-elastic-disaster-recovery-<region>/*",
	"arn:aws:s3:::aws-elastic-disaster-recovery-hashes-<region>/*",
	"arn:aws:s3:::cloudformation-waitcondition-<region>/*",
	"arn:aws:s3:::cloudformation-custom-resource-response-<RegionWithoutDashes>/*",
	"arn:aws:s3:::aws-ec2-enclave-certificate-<region>-prod/*",
	"arn:aws:s3:::assets-<CodeArtifact-Region-Account>-<region>/*",
	"arn:aws:s3:::elasticbeanstalk-samples-<region>/*",
	"arn:aws:s3:::elasticbeanstalk-platform-assets-<region>/*",
	"arn:aws:s3:::elasticbeanstalk-env-resources-<region>/*",
	"arn:aws:s3:::elasticbeanstalk-<region>/*",
	"arn:aws:s3:::jumpstart-cache-prod-<region>/*",
	"arn:aws:s3:::jumpstart-cache-prod-<region>",
	"arn:aws:s3:::static-<region>-prod-static-<string>/content/dependencies/*",
	"arn:aws:s3:::aws-neptune-notebook",
	"arn:aws:s3:::aws-neptune-notebook/*",
	"arn:aws:s3:::aws-neptune-notebook-<region>",
	"arn:aws:s3:::aws-neptune-notebook-<region>/*"
	]
	},

In our CloudTrail log analysis (with NetworkActivity events), I noticed that we had both read and write calls to this bucket (which seems to be owned by the 514483059857 AWS account) which doesn't belong to our org.

I found references to a similar pattern (aws157-logs-${AWS::Region}/*) in https://docs.aws.amazon.com/emr/latest/ManagementGuide/private-subnet-iampolicy.html

[rohitagarwal003]

Or maybe it's covered by

data-perimeter-policy-examples/vpc_endpoint_policies/s3_endpoint_policy.json

Lines 17 to 28 in f8f53c5

	{
	"Sid": "AllowRequestsByAWSServicePrincipals",
	"Effect": "Allow",
	"Principal": "*",
	"Action": "*",
	"Resource": "*",
	"Condition": {
	"Bool": {
	"aws:PrincipalIsAWSService": "true"
	}
	}
	},

The userIdentity element says AWS Internal for invokedBy and AWSService for type.

[nitinkul1]

Yes, Service Principal calls are covered by the allow for aws:PrincipalIsAWSService key in the policy.

[rohitagarwal003]

I have the policy with the AllowRequestsByAWSServicePrincipals sid applied but when I turned it on, I started getting VpceAccessDenied errors for arn:aws:s3:::aws157-logs-prod

Here's the CloudTrail log:

{
  "eventVersion": "1.11",
  "userIdentity": {
    "type": "AWSService",
    "invokedBy": "AWS Internal"
  },
  "eventTime": "2025-12-03T16:36:45Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "CreateMultipartUpload",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "errorCode": "VpceAccessDenied",
  "errorMessage": "The request was denied due to a VPC endpoint policy",
  "requestID": "36CGYCHVBKK87J2E",
  "eventID": "daa84bbf-8f3e-3130-b7de-ae522224aaaa",
  "resources": [
    {
      "accountId": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::aws157-logs-prod"
    },
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::aws157-logs-prod/...[elided].../stderr.gz"
    }
  ],
  "eventType": "AwsVpceEvent",
  "recipientAccountId": "172631448019",
  "sharedEventID": "577ae97a-2bcd-48ce-aa9d-f371b42df254",
  "vpcEndpointId": "vpce-23f84a4a",
  "vpcEndpointAccountId": "172631448019",
  "eventCategory": "NetworkActivity"
}

@nitinkul1 Do you know what may be wrong? The userIdentity element in the log seems to suggest that it's an AWS service, so not sure what else needs to be allowlisted.

I also filed a ticket with AWS support: https://support.console.aws.amazon.com/support/home#/case/?displayId=176478560300046&language=en