
AWS S3 Bucket Creation Date Discrepancy in master and other regions

Nishant Thorat
February 11, 2024
AWS S3 buckets are among the most commonly used AWS resources. At the same time, S3 buckets are the most prone to misconfiguration. The major, well-known leaks have generally involved S3 bucket misconfigurations. For this reason, cloud teams continuously keep track of S3 bucket configurations.

An AWS resource inventory is a common way of keeping track of AWS resources. OSS projects such as CloudQuery, Steampipe and Scout Suite are used by many cloud teams for this purpose.

AWS resources are either global or regional. Services such as IAM are completely global, while resources such as EC2 are regional. The S3 bucket is one weird creature with a global namespace, even spanning beyond the usual AWS account bubble. At the same time, S3 buckets are associated with regions: each bucket is created in a region. This is typically done to reduce latency, minimize costs, or address regulatory requirements.

We collect AWS resource information with AWS service APIs such as Describe/Get/List. S3 buckets are listed with the list-buckets API. Since S3 buckets are region-specific, we would call this API region-wise. And this is when we noticed one interesting discrepancy in the S3 bucket creation time information.

S3 Bucket CreationDate discrepancy

The same bucket amplify-testfigma-staging-164952-deployment shows a different creation time.

More digging into the issue took us to the AWS documentation for this API.

CreationDate -> (timestamp)
Date the bucket was created. This date can change when making changes to your bucket, such as editing its bucket policy.

After some more digging, we stumbled upon the AWS CLI issue reported on GitHub and Mark Sayson’s blog post. An AWS support engineer wrote:

This is expected behavior due to the design of the service. The GET Service call in S3 (s3api list-buckets or s3 ls with no further arguments in the CLI) works differently when being run against different regions. All bucket creations are mastered in us-east-1, then replicated on a global scale - the resulting difference is that there are no "replication" events to the us-east-1 region. The Date Created field displayed in the web console is according to the actual creation date registered in us-east-1, while the AWS CLI and SDKs will display the creation date depending on the specified region (or the default region set in your configuration).
When using an endpoint other than us-east-1, the CreationDate you receive is actually the last modified time according to the bucket's last replication time in this region. This date can change when making changes to your bucket, such as editing its bucket policy.

The S3 global namespace is confined to the AWS partitions. This is also because each partition has its own designated master region. Mark Sayson confirmed his findings in his blog post:

  • “us-east-1” for the Classic “aws” partition
  • “cn-north-1” for the AWS China “aws-cn” partition
  • “us-gov-west-1” for the AWS GovCloud “aws-us-gov” partition
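For an inventory built from per-region list-buckets calls, one way to handle this is to accept CreationDate only from the partition's master region and record the other regions' values as drift. This is an added example, not code from the original post; the row format, function names, bucket names and timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Master region per partition, as listed in the post.
MASTER_REGION = {
    "aws": "us-east-1",
    "aws-cn": "cn-north-1",
    "aws-us-gov": "us-gov-west-1",
}

def partition_of(region):
    """Map a region name to its partition by prefix."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"

def reconcile(rows):
    """rows: (queried_region, bucket, CreationDate) from per-region list-buckets calls.

    Only the master region's value is accepted as the creation date. Other
    regions that report a different value go under "drift". If the master
    region was never queried, "created" is None and every value is drift.
    """
    seen = defaultdict(dict)
    for region, bucket, created in rows:
        # The bucket namespace is per partition, so key on (partition, bucket).
        seen[(partition_of(region), bucket)][region] = created
    result = {}
    for (partition, bucket), by_region in seen.items():
        master = MASTER_REGION[partition]
        authoritative = by_region.get(master)
        drift = {r: d for r, d in by_region.items()
                 if r != master and d != authoritative}
        result[(partition, bucket)] = {"created": authoritative, "drift": drift}
    return result

# Constructed sample rows (bucket names and timestamps are made up).
SAMPLE_ROWS = [
    ("us-east-1", "example-inventory-bucket", datetime(2023, 3, 1, 10, 0, tzinfo=timezone.utc)),
    ("eu-west-1", "example-inventory-bucket", datetime(2023, 9, 14, 8, 30, tzinfo=timezone.utc)),
    ("us-gov-east-1", "example-gov-bucket", datetime(2022, 1, 5, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for key, info in reconcile(SAMPLE_ROWS).items():
        print(key, info["created"], sorted(info["drift"]))
```

A bucket whose "created" is None has only been seen through non-master endpoints, so its age should not feed rules such as "bucket older than N days" until the master region has been queried.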

Now this is what we call the fun of working on an AWS resource inventory service and discovering interesting tidbits.
