AWS Cloud

AWS S3 Bucket Creation Date Discrepancy in master and other regions

Nishant Thorat
February 11, 2024
5 min read
AWS S3 buckets are among the most commonly used AWS resources. At the same time, S3 buckets are the resources most prone to misconfiguration, and most of the well-known data leaks have involved S3 bucket misconfigurations. For this reason, cloud teams continuously keep track of S3 bucket configurations.

An AWS resource inventory is a common way of keeping track of AWS resources. OSS projects such as CloudQuery, Steampipe and Scout Suite are used by many cloud teams for this purpose.

AWS resources are either global or regional. Services such as IAM are completely global, while resources such as EC2 instances are regional. The S3 bucket is one weird creature: its namespace is global, even spanning beyond the usual AWS account bubble, yet every S3 bucket is created in, and associated with, a specific region. The region is typically chosen to reduce latency, minimize costs, or address regulatory requirements.

We collect AWS resource information with AWS service APIs such as Describe/Get/List. S3 buckets are listed with the list-buckets API. Since S3 buckets are region-specific, we call this API region by region. That is when we noticed an interesting discrepancy in the S3 bucket creation time information.

S3 Bucket CreationDate discrepancy

The same bucket, amplify-testfigma-staging-164952-deployment, shows a different creation time depending on the region the API is called against.

More digging into the issue took us to the AWS documentation for this API.

CreationDate -> (timestamp)
Date the bucket was created. This date can change when making changes to your bucket, such as editing its bucket policy.

After some more digging, we stumbled upon an AWS CLI issue reported on GitHub and Mark Sayson's blog post. An AWS support engineer wrote:

This is expected behavior due to the design of the service. The GET Service call in S3 (s3api list-buckets or s3 ls with no further arguments in the CLI) works differently when being run against different regions. All bucket creations are mastered in us-east-1, then replicated on a global scale - the resulting difference is that there are no "replication" events to the us-east-1 region. The Date Created field displayed in the web console is according to the actual creation date registered in us-east-1, while the AWS CLI and SDKs will display the creation date depending on the specified region (or the default region set in your configuration).
When using an endpoint other than us-east-1, the CreationDate you receive is actually the last modified time according to the bucket's last replication time in this region. This date can change when making changes to your bucket, such as editing its bucket policy.

The S3 global namespace is confined to a single AWS partition. This follows from the fact that each partition has its own designated master region. Mark Sayson's blog post confirms the master region for each partition:

  • “us-east-1” for the Classic “aws” partition
  • “cn-north-1” for the AWS China “aws-cn” partition
  • “us-gov-west-1” for the AWS GovCloud “aws-us-gov” partition
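To make the behaviour described above concrete for an inventory pipeline, here is an added example (not code from the original post or from any of the tools it mentions). It takes ListBuckets responses collected per region, treats the partition's master region as the only authoritative source of CreationDate, and reports every bucket whose value in another region differs, which by the explanation above is the bucket's last replication time rather than its creation time. The bucket names and timestamps in SAMPLE are constructed for illustration; the partition-to-master mapping is the one listed in the post, and the region-prefix heuristic in partition_for_region is an assumption of this example.

```python
"""Cross-region comparison of S3 ListBuckets CreationDate values.

Added example, not from the original post. Assumes, as the post explains,
that CreationDate is authoritative only in the partition's master region
and that other regions report the last replication time instead.
"""
from datetime import datetime, timezone

# Master region per partition, as listed in the post.
MASTER_REGION = {
    "aws": "us-east-1",
    "aws-cn": "cn-north-1",
    "aws-us-gov": "us-gov-west-1",
}


def partition_for_region(region):
    """Map a region name to its partition (prefix heuristic, an assumption)."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def creation_dates(list_buckets_response):
    """Bucket name -> CreationDate from one ListBuckets response dict."""
    return {b["Name"]: b["CreationDate"] for b in list_buckets_response.get("Buckets", [])}


def find_discrepancies(responses_by_region):
    """responses_by_region: {region: ListBuckets response}.

    Returns one record per bucket whose CreationDate in a non-master region
    differs from the master region's value for the same partition.
    """
    by_region = {r: creation_dates(resp) for r, resp in responses_by_region.items()}
    findings = []
    for region, dates in by_region.items():
        master = MASTER_REGION[partition_for_region(region)]
        if region == master or master not in by_region:
            continue  # nothing to compare against in this partition
        for name, seen in dates.items():
            authoritative = by_region[master].get(name)
            if authoritative is not None and seen != authoritative:
                findings.append({
                    "bucket": name,
                    "region": region,
                    "master": master,
                    "master_date": authoritative,
                    "region_date": seen,
                    "drift_seconds": (seen - authoritative).total_seconds(),
                })
    return findings


def authoritative_creation_dates(responses_by_region):
    """Bucket -> CreationDate taken only from master regions, for inventory use."""
    masters = set(MASTER_REGION.values())
    result = {}
    for region, resp in responses_by_region.items():
        if region in masters:
            result.update(creation_dates(resp))
    return result


def fetch_list_buckets(regions):
    """Call ListBuckets once per region with boto3 (needs credentials; not run here)."""
    import boto3  # imported lazily so the offline example has no hard dependency
    return {r: boto3.client("s3", region_name=r).list_buckets() for r in regions}


# Constructed sample: the same bucket seen from the master region and from
# eu-west-1, where the regional value reflects a later replication event.
SAMPLE = {
    "us-east-1": {"Buckets": [
        {"Name": "amplify-testfigma-staging-164952-deployment",
         "CreationDate": datetime(2023, 6, 1, 10, 0, tzinfo=timezone.utc)},
        {"Name": "logs-archive",
         "CreationDate": datetime(2022, 1, 5, 8, 30, tzinfo=timezone.utc)},
    ]},
    "eu-west-1": {"Buckets": [
        {"Name": "amplify-testfigma-staging-164952-deployment",
         "CreationDate": datetime(2024, 2, 9, 14, 15, tzinfo=timezone.utc)},
        {"Name": "logs-archive",
         "CreationDate": datetime(2022, 1, 5, 8, 30, tzinfo=timezone.utc)},
    ]},
}

if __name__ == "__main__":
    for f in find_discrepancies(SAMPLE):
        print(f"{f['bucket']}: {f['master']}={f['master_date']:%Y-%m-%d} "
              f"{f['region']}={f['region_date']:%Y-%m-%d} (+{f['drift_seconds']:.0f}s)")
```

The practical consequence for an inventory or detection pipeline is in authoritative_creation_dates: record the master region's value as the bucket's creation time, and treat a changed CreationDate from any other region as a "something about this bucket was modified" signal (a policy edit, per the AWS documentation) rather than as a newly created bucket.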

This is the kind of fun that comes with working on an AWS resource inventory service and discovering interesting tidbits.
