AWS Cloudwatch queries Full event - amazon-web-services

So I am trying to write AWS CloudWatch queries to show information only when sensitive actions occur in an S3 bucket. Therefore I want to filter on the event name. Do you know where I can get the FULL list of all the event names on S3, such as PUTOBJECT, etc.? This is so I can select what to filter on.
Thank you

You can check the S3 API reference for that.
But for some events, such as PutObject, you will need to create a CloudTrail trail and log data-level operations.

Related

How to get list of users who are accessing the objects in S3 Buckets?

Scenario:
My client has 80+ S3 buckets and 1000+ applications running in their AWS account. I want to get the list of IAM users/roles who are accessing the objects in all the S3 buckets.
Method 1: Initially I tried to fetch it from the CloudTrail Event History, but no luck.
From the above image, you can see CloudTrail is failing to log at the object level.
Method 2: I created a CloudTrail trail to log the activities. But it captures all management-level activities happening throughout the account, which makes it hard for me to find the S3 logs alone (I already mentioned that there are 80+ buckets & 1000+ applications in the account).
Method 3: S3 server access logs: if I enable this option, it creates a log entry for every action happening to the objects (that is, when I attempt to read a log file, it creates another log; it keeps on doubling the count of logs).
If anyone has a solution to find the list of IAM users/roles who are accessing the S3 bucket objects in an effective way, please help me.
Thanks in advance.
For each bucket, configure object-level logging.
Once that is complete, you can use the CloudTrail API to filter events and extract the IAM identities making the requests.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::S3::Object --query Events[*].Username
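The two answers above (filter a trail's S3 records on event name, and pull the IAM identities out of lookup-events output) share one parsing step, so here is a single worked example for both. It is added here and is not code from either answer. It assumes the lookup-events JSON shape (each Events[].CloudTrailEvent value is the full record as a JSON string), and the set of event names it treats as sensitive is an assumption to adapt to your own policy; the sample records and account IDs are constructed.

```python
import json
from collections import defaultdict

# Constructed example, not code from the original posts. Event names are real S3 API
# operations; which ones count as "sensitive" is an assumption to adapt to your policy.
# Object-level names are only recorded when a trail has S3 data events enabled (the
# point made in the first answer); bucket-level names are ordinary management events.
SENSITIVE_DATA_EVENTS = {"PutObject", "GetObject", "DeleteObject", "DeleteObjects", "PutObjectAcl"}
SENSITIVE_MGMT_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                         "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock", "DeleteBucket"}


def insights_query():
    """CloudWatch Logs Insights query for a trail that is delivered to CloudWatch Logs."""
    names = ", ".join(f'"{n}"' for n in sorted(SENSITIVE_DATA_EVENTS | SENSITIVE_MGMT_EVENTS))
    return (
        "fields @timestamp, eventName, userIdentity.arn, requestParameters.bucketName, errorCode\n"
        f'| filter eventSource = "s3.amazonaws.com" and eventName in [{names}]\n'
        "| sort @timestamp desc"
    )


def parse_lookup_events(lookup_output):
    """Parse the JSON printed by `aws cloudtrail lookup-events`: every Events[].CloudTrailEvent
    value is itself a JSON string holding the full CloudTrail record."""
    doc = json.loads(lookup_output)
    return [json.loads(e["CloudTrailEvent"]) for e in doc.get("Events", [])]


def classify(rec):
    """Return 'data', 'management' or None for one CloudTrail record."""
    if rec.get("eventSource") != "s3.amazonaws.com":
        return None
    name = rec.get("eventName")
    if name in SENSITIVE_DATA_EVENTS:
        return "data"
    if name in SENSITIVE_MGMT_EVENTS:
        return "management"
    return None


def principal_of(rec):
    """Identity to attribute the call to. For assumed-role sessions the session ARN changes with
    every session, so report the role that issued it instead."""
    ui = rec.get("userIdentity", {})
    if ui.get("type") == "AssumedRole":
        issuer = ui.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn", ui.get("arn"))
    return ui.get("arn", ui.get("type", "unknown"))


def summarize(records):
    """Map bucket name -> sorted list of principals that performed a sensitive action on it."""
    per_bucket = defaultdict(set)
    for rec in records:
        if classify(rec) is None:
            continue
        bucket = rec.get("requestParameters", {}).get("bucketName")
        if bucket:
            per_bucket[bucket].add(principal_of(rec))
    return {bucket: sorted(principals) for bucket, principals in per_bucket.items()}


def _record(source, name, params, identity):
    return {"eventVersion": "1.08", "eventSource": source, "eventName": name,
            "requestParameters": params, "userIdentity": identity}


# Constructed sample of lookup-events output (account IDs are documentation placeholders).
SAMPLE_LOOKUP_OUTPUT = json.dumps({"Events": [
    {"EventName": "PutObject", "CloudTrailEvent": json.dumps(_record(
        "s3.amazonaws.com", "PutObject", {"bucketName": "finance-data", "key": "q3/report.csv"},
        {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}))},
    {"EventName": "GetObject", "CloudTrailEvent": json.dumps(_record(
        "s3.amazonaws.com", "GetObject", {"bucketName": "finance-data", "key": "q3/report.csv"},
        {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc",
         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/app-role"}}}))},
    {"EventName": "PutBucketPolicy", "CloudTrailEvent": json.dumps(_record(
        "s3.amazonaws.com", "PutBucketPolicy", {"bucketName": "public-site"},
        {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}))},
    {"EventName": "ListObjects", "CloudTrailEvent": json.dumps(_record(
        "s3.amazonaws.com", "ListObjects", {"bucketName": "finance-data"},
        {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"}))},
    {"EventName": "DeleteTable", "CloudTrailEvent": json.dumps(_record(
        "dynamodb.amazonaws.com", "DeleteTable", {"tableName": "orders"},
        {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dave"}))},
]})

if __name__ == "__main__":
    print(insights_query())
    for bucket, who in summarize(parse_lookup_events(SAMPLE_LOOKUP_OUTPUT)).items():
        print(bucket, who)
```

Feed it the real output with `aws cloudtrail lookup-events ... --output json`. Attributing assumed-role calls to the issuing role rather than the session ARN is what makes the per-bucket list stay short when the 1000+ applications in the question use roles.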

AWS S3 is there a notification on GetObject?

I have a use case where I want to put data into an S3 bucket for it to be read later by another account. I only want the other account to be able to read the file in S3, and once they have read it, I will then delete the file myself.
I have been reading the S3 documentation, and cannot see that it covers this use case: sending a notification when a file in an S3 bucket is read?
Can anyone help, or suggest an alternative workflow? I have been looking at AWS SNS and was wondering if that would be a better solution?
You could use CloudTrail and CloudWatch Events to enable this workflow.
By default S3 API calls are not logged, so you'd want to enable that following the instructions here.
Then enable a CloudWatch Events rule for the Simple Storage Service where the "GetObject" operation occurs.
Have this event invoke a Lambda function that will remove the object.
More information available here.
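A Lambda function for the last step of that workflow, added here as an example rather than code from the answer. It assumes the rule described above delivers the CloudTrail "AWS API Call via CloudTrail" event for GetObject to the function, that the consumer account ID is known (EXPECTED_READER_ACCOUNT is a constructed value), and it only deletes when the read actually succeeded and came from that account; a denied read from anyone else must not make the file disappear.

```python
# Constructed example, not code from the original answer. Assumes the EventBridge rule
# described in the answer forwards "AWS API Call via CloudTrail" events for S3 GetObject
# (which requires a trail logging S3 data events) to this Lambda function.
EXPECTED_READER_ACCOUNT = "444455556666"   # constructed: the consumer account allowed to read


def should_delete(event):
    """Return (bucket, key) when the event is a *successful* GetObject by the expected reader,
    otherwise None. Failed or denied reads carry errorCode and must not trigger deletion."""
    if event.get("detail-type") != "AWS API Call via CloudTrail" or event.get("source") != "aws.s3":
        return None
    detail = event.get("detail", {})
    if detail.get("eventSource") != "s3.amazonaws.com" or detail.get("eventName") != "GetObject":
        return None
    if detail.get("errorCode"):
        return None
    if detail.get("userIdentity", {}).get("accountId") != EXPECTED_READER_ACCOUNT:
        return None
    params = detail.get("requestParameters", {})
    bucket, key = params.get("bucketName"), params.get("key")
    return (bucket, key) if bucket and key else None


def handler(event, context=None, s3_client=None):
    """Lambda entry point. s3_client is injectable so the logic can be exercised offline."""
    target = should_delete(event)
    if target is None:
        return {"deleted": False}
    if s3_client is None:
        import boto3  # only needed when running inside Lambda
        s3_client = boto3.client("s3")
    bucket, key = target
    s3_client.delete_object(Bucket=bucket, Key=key)
    return {"deleted": True, "bucket": bucket, "key": key}


class RecordingS3:
    """Offline stand-in for the boto3 S3 client: records delete calls instead of making them."""
    def __init__(self):
        self.calls = []

    def delete_object(self, **kwargs):
        self.calls.append(kwargs)
        return {}


def make_event(error_code=None, reader_account=EXPECTED_READER_ACCOUNT):
    """Constructed sample EventBridge event in the CloudTrail API-call shape."""
    detail = {
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"type": "AssumedRole", "accountId": reader_account,
                         "arn": f"arn:aws:sts::{reader_account}:assumed-role/consumer/session"},
        "requestParameters": {"bucketName": "handoff-bucket", "key": "exports/batch-42.csv"},
    }
    if error_code:
        detail["errorCode"] = error_code
    return {"version": "0", "detail-type": "AWS API Call via CloudTrail", "source": "aws.s3",
            "account": "111122223333", "region": "us-east-1", "detail": detail}


if __name__ == "__main__":
    fake = RecordingS3()
    print(handler(make_event(), None, fake), fake.calls)
    print(handler(make_event(error_code="AccessDenied"), None, fake))
```

The Lambda role needs only s3:DeleteObject on the hand-off prefix. Because CloudTrail delivery is not instantaneous, the object may remain readable for some minutes after the first read; if a single read must be enforced strictly, that gap has to be covered by the bucket policy rather than by this function.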

Track AWS S3 bucket creation?

I'm working in an environment where anyone with the necessary access is allowed to create an S3 bucket; however, it's getting to a point where we have a lot of buckets and it is hard to keep track of who created the bucket. I know it is possible to tag the buckets with the owner name, but I am looking for a more automated solution.
Is it possible to invoke a Lambda function every time a bucket is created? Or is it possible to track bucket creation with CloudTrail, where system administrators would get an SNS notification when an S3 bucket is created?
I know it is possible to configure S3 event notifications inside a bucket to trigger Lambda functions/CloudWatch metrics, but I need a trigger for the entire S3 application.
CloudTrail tracks all API actions occurring within an account. What you want to do is create a CloudWatch Events rule that triggers off the CreateBucket action, then have it invoke Lambda or trigger an SNS notification.
See: Creating a CloudWatch Events Rule That Triggers on an AWS API Call Using AWS CloudTrail
You can use EventBridge to get at these events via CloudTrail. The example here is of a CreateBucket request.
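The two answers above describe a rule on CreateBucket that invokes Lambda or SNS; the example below, added here and not code from either answer, carries both out and also solves the question's tagging wish: the function records the creator as an Owner tag on the new bucket and publishes an SNS message. EVENT_PATTERN is the EventBridge rule pattern in its real syntax; SNS_TOPIC_ARN and the tag key are placeholders, and the sample event is constructed.

```python
import json

# Constructed example, not code from the original answers. Assumes a trail logging
# management events and an EventBridge rule with EVENT_PATTERN that targets this Lambda.
EVENT_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["s3.amazonaws.com"], "eventName": ["CreateBucket"]},
}
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:bucket-creations"  # placeholder
OWNER_TAG_KEY = "Owner"                                                 # assumption


def creator_of(detail):
    """Stable identity to record as owner: for role sessions use the issuing role, not the session ARN."""
    ui = detail.get("userIdentity", {})
    if ui.get("type") == "AssumedRole":
        return ui.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", ui.get("arn"))
    return ui.get("arn", "unknown")


def bucket_created(event):
    """Return (bucket, creator) for a successful CreateBucket event, otherwise None."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.s3" or detail.get("eventName") != "CreateBucket":
        return None
    if detail.get("errorCode"):          # BucketAlreadyExists, AccessDenied etc.: nothing was created
        return None
    bucket = detail.get("requestParameters", {}).get("bucketName")
    return (bucket, creator_of(detail)) if bucket else None


def handler(event, context=None, s3_client=None, sns_client=None):
    """Lambda entry point; clients are injectable so the logic can be exercised offline."""
    found = bucket_created(event)
    if found is None:
        return {"handled": False}
    bucket, creator = found
    if s3_client is None or sns_client is None:
        import boto3
        s3_client = s3_client or boto3.client("s3")
        sns_client = sns_client or boto3.client("sns")
    # put_bucket_tagging replaces the whole tag set; acceptable here because the bucket is brand new.
    s3_client.put_bucket_tagging(Bucket=bucket,
                                 Tagging={"TagSet": [{"Key": OWNER_TAG_KEY, "Value": creator}]})
    message = json.dumps({"bucket": bucket, "creator": creator,
                          "time": event.get("time"), "region": event.get("region")})
    sns_client.publish(TopicArn=SNS_TOPIC_ARN, Subject=f"S3 bucket created: {bucket}", Message=message)
    return {"handled": True, "bucket": bucket, "creator": creator}


class RecordingClient:
    """Offline stand-in for boto3 clients: records every call instead of talking to AWS."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


def make_event(error_code=None):
    """Constructed sample CreateBucket event as EventBridge delivers it from CloudTrail."""
    detail = {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
              "userIdentity": {"type": "AssumedRole",
                               "arn": "arn:aws:sts::111122223333:assumed-role/developers/jane",
                               "sessionContext": {"sessionIssuer": {
                                   "arn": "arn:aws:iam::111122223333:role/developers"}}},
              "requestParameters": {"bucketName": "team-scratch-0042"}}
    if error_code:
        detail["errorCode"] = error_code
    return {"version": "0", "source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
            "time": "2024-01-01T00:00:00Z", "region": "us-east-1", "detail": detail}


if __name__ == "__main__":
    s3, sns = RecordingClient(), RecordingClient()
    print(handler(make_event(), None, s3, sns))
    print(s3.calls, sns.calls, sep="\n")
```

The Lambda role needs s3:PutBucketTagging and sns:Publish. Checking errorCode matters here: CloudTrail records failed CreateBucket calls too, and tagging a bucket that was not actually created (or belongs to someone else) would fail or mislabel.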

Alert by AWS Athena

What is the best solution to create an alert with Athena data?
The load balancer logs are saved in S3 and accessed with Athena.
I want to alert based on an Athena query. I am thinking about populating CloudWatch metrics with the Athena result and creating an alert in CloudWatch. Can I create a metric directly with the Athena result?
I can resolve this with Lambda, but I'm searching for a better solution.
Your question is a little bit ambiguous.
Do you want to create an alert when Athena writes to an S3 bucket?
You can achieve this through SNS and the S3 bucket config. Check this tutorial:
Example Walkthrough 1: Configure a Bucket for Notifications (Message Destination: SNS Topic and SQS Queue)
Then you can launch a different AWS service (like a Lambda function) through SNS to react to this event.
Keep in mind that you will have to wait for Athena to finish the query, as it runs asynchronously. Here is an example in Java to achieve this:
Athena Query execution Handling
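The asker's own idea (populate a CloudWatch metric from an Athena result, then alarm on the metric) combined with the answer's caveat that Athena runs asynchronously, written out as an added example in Python rather than the Java the answer links to; it is not code from the post. The table and column names follow the ALB access-log table from the Athena documentation and are an assumption to adapt; the output location, namespace and metric name are placeholders, and the offline stand-in clients are constructed.

```python
import time

# Constructed example, not code from the original answer. Table and column names follow
# the ALB access-log table from the Athena documentation (assumption: adapt to your schema);
# the S3 output location, namespace and metric name are placeholders.
ATHENA_DATABASE = "default"
ATHENA_OUTPUT = "s3://EXAMPLE-athena-results/"          # placeholder
METRIC_NAMESPACE, METRIC_NAME = "Custom/ALB", "Backend5xxLast5Min"
QUERY = """
SELECT count(*) AS errors
FROM alb_logs
WHERE elb_status_code >= 500
  AND from_iso8601_timestamp(time) > current_timestamp - interval '5' minute
"""


def run_query(athena, sql, poll_seconds=2.0, timeout_seconds=300, sleep=time.sleep):
    """Start the query and wait for it: Athena is asynchronous, so results are not available
    until get_query_execution reports SUCCEEDED. FAILED and CANCELLED are raised as errors."""
    query_id = athena.start_query_execution(
        QueryString=sql,
        QueryExecutionContext={"Database": ATHENA_DATABASE},
        ResultConfiguration={"OutputLocation": ATHENA_OUTPUT},
    )["QueryExecutionId"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        status = athena.get_query_execution(QueryExecutionId=query_id)["QueryExecution"]["Status"]
        state = status["State"]
        if state == "SUCCEEDED":
            return query_id
        if state in ("FAILED", "CANCELLED"):
            raise RuntimeError(f"Athena query {query_id} {state}: {status.get('StateChangeReason', '')}")
        if time.monotonic() > deadline:
            athena.stop_query_execution(QueryExecutionId=query_id)
            raise TimeoutError(f"Athena query {query_id} still {state} after {timeout_seconds}s")
        sleep(poll_seconds)


def single_value(athena, query_id):
    """Read the first cell of the first data row; row 0 of an Athena result set is the header."""
    rows = athena.get_query_results(QueryExecutionId=query_id, MaxResults=2)["ResultSet"]["Rows"]
    if len(rows) < 2:
        raise ValueError("query returned no data rows")
    return float(rows[1]["Data"][0]["VarCharValue"])


def publish(cloudwatch, value):
    """Write the number as a custom metric; a CloudWatch alarm on it does the actual alerting."""
    cloudwatch.put_metric_data(
        Namespace=METRIC_NAMESPACE,
        MetricData=[{"MetricName": METRIC_NAME, "Value": value, "Unit": "Count"}],
    )


def handler(event=None, context=None, athena=None, cloudwatch=None, sleep=time.sleep):
    """Lambda entry point, meant to run on a schedule; clients are injectable for offline runs."""
    if athena is None or cloudwatch is None:
        import boto3
        athena = athena or boto3.client("athena")
        cloudwatch = cloudwatch or boto3.client("cloudwatch")
    value = single_value(athena, run_query(athena, QUERY, sleep=sleep))
    publish(cloudwatch, value)
    return {"metric": METRIC_NAME, "value": value}


class FakeAthena:
    """Offline stand-in: reports RUNNING once, then the final state with a single-cell result."""
    def __init__(self, result="17", final_state="SUCCEEDED"):
        self.result, self.final_state, self.polls = result, final_state, 0

    def start_query_execution(self, **kwargs):
        return {"QueryExecutionId": "qid-0001"}

    def get_query_execution(self, **kwargs):
        self.polls += 1
        state = "RUNNING" if self.polls == 1 else self.final_state
        return {"QueryExecution": {"Status": {"State": state, "StateChangeReason": "constructed"}}}

    def stop_query_execution(self, **kwargs):
        return {}

    def get_query_results(self, **kwargs):
        return {"ResultSet": {"Rows": [{"Data": [{"VarCharValue": "errors"}]},
                                       {"Data": [{"VarCharValue": self.result}]}]}}


class FakeCloudWatch:
    def __init__(self):
        self.metrics = []

    def put_metric_data(self, **kwargs):
        self.metrics.append(kwargs)
        return {}


if __name__ == "__main__":
    print(handler(None, None, FakeAthena(), FakeCloudWatch(), sleep=lambda s: None))
```

Schedule the function from an EventBridge rule every few minutes and put a CloudWatch alarm on Custom/ALB Backend5xxLast5Min. The timeout branch stops the query rather than leaving it running, which otherwise keeps scanning (and billing for) the log data in S3.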

How To Create a CloudTrail for DynamoDb in AWS?

In AWS it is indicated that there is support for using CloudTrail to track events in DynamoDB, in the link here.
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html
However, in the instructions there is no option to pick DynamoDB anywhere (only S3 and Lambda options are available), so I am looking for any instructions anywhere on how to track DynamoDB events. Specifically, I want to know when a table has been deleted.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html
Has anyone had any luck? Thanks!
The AWS Console displays only S3 and Lambda, since at the moment only those two services are supported for logging data events, e.g. PutObject etc.
DeleteTable is a management event, and is listed in the documentation you posted. If you configure your trail to log all management events, all AWS services you use, including DynamoDB, will log these management events.
Just create a new trail and include all management events. Then in your trail's event history you will find events like the ones below.