On the AWS console, is there any history of user actions? I would like to see which of our users last modified a property of an S3 bucket, for example.
For this you can do a few things.
Set up AWS CloudTrail to audit user actions on AWS S3.
Enable logging for the S3 bucket and store the logs either in a bucket in the same account or in a different account (better if you need more security).
Enable versioning on S3 buckets, so past versions remain and you can revert the changes.
The best way to collect all user actions in AWS is using CloudTrail. Using CloudTrail you can also create trails that include S3 object-level operation events.
In my company we have an AWS account and I have a bucket that holds personal information about workers of the company. As the names of the files sometimes disclose information about the workers, I don't want the files to be listable to anyone. The bucket policy I used blocks all access to the bucket to anyone but me but CloudTrail still logs the names of the files, in PutObject or GetObject events for example, and so anyone with CloudTrail access (which I don't control) may see the file names and who accesses them. Is there a way to deny CloudTrail from logging this bucket? I want to make sure it is not logging what happens to the files there and who accesses the bucket.
The events you mentioned, like GetObject and PutObject, are data events.
From the docs:
CloudTrail supports logging Amazon S3 object-level API operations such as GetObject, DeleteObject, and PutObject. These events are called data events.
which means your organization has enabled data events, and since you don't control the CloudTrail trail, you cannot disable them.
According to the docs:
To disable CloudTrail data events logging for objects in an S3 bucket
To disable object-level logging for the bucket, you must open the CloudTrail console and remove the bucket name from the trail's Data events.
Is it possible to write cloudtrail logs to an s3 bucket in another, third-party AWS account?
I want to configure CloudTrail to write the logs to an S3 bucket owned by another AWS account. Is this possible?
You can have CloudTrail deliver log files from multiple AWS accounts into a single Amazon S3 bucket. For example, you have four AWS accounts with account IDs 111111111111, 222222222222, and 333333333333, and you want to configure CloudTrail to deliver log files from all four of these accounts to a bucket belonging to account 111111111111. To accomplish this, complete the following steps in order:
Turn on CloudTrail in the account where the destination bucket will belong (111111111111 in this example). Do not turn on CloudTrail in any other accounts yet. For instructions, see Creating a trail.
Update the bucket policy on your destination bucket to grant cross-account permissions to CloudTrail. For instructions, see Setting bucket policy for multiple accounts.
Turn on CloudTrail in the other accounts you want (222222222222, 333333333333 in this example). Configure CloudTrail in these accounts to use the same bucket belonging to the account that you specified in step 1 (111111111111 in this example). For instructions, see Turning on CloudTrail in additional accounts.
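Step 2 above is the one people get wrong, so here is the destination-bucket policy it refers to, as an added example that is not part of the answer. It is written from the shape AWS documents for a shared CloudTrail bucket (an ACL check plus a PutObject grant per source account, conditioned on the bucket-owner-full-control ACL); the bucket name, the account IDs and the Sid values are placeholders, and the small can-put check only understands the policy shape this function produces, it is not a general IAM evaluator.

```python
import json
from fnmatch import fnmatchcase

# Added example, not from the answer above. Bucket name and account IDs are placeholders.


def cloudtrail_bucket_policy(bucket, account_ids):
    """Bucket policy for a destination bucket that receives CloudTrail logs from
    several accounts. CloudTrail first reads the bucket ACL, then delivers each
    account's files under AWSLogs/<account-id>/, so the PutObject grant is limited
    to exactly those prefixes: an account you did not list cannot deliver into the
    bucket at all, and the ACL condition keeps the bucket owner in control of the
    objects another account's CloudTrail writes."""
    for acct in account_ids:
        if not (acct.isdigit() and len(acct) == 12):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                # one prefix per source account, nothing wider
                "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in account_ids],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def cloudtrail_can_put(policy, bucket, key, acl):
    """Minimal check: would this policy let the CloudTrail service principal
    PutObject `key` in `bucket` with canned ACL `acl`? Understands only the
    Allow + StringEquals shape built above (assumption: no Deny statements)."""
    obj_arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Principal"] != {"Service": "cloudtrail.amazonaws.com"}:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "s3:PutObject" not in actions:
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # IAM's '*' in a resource ARN matches across '/', as fnmatch's does
        if not any(fnmatchcase(obj_arn, r) for r in resources):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {})
        if required.get("s3:x-amz-acl", acl) == acl:
            return True
    return False


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy("my-org-trail-logs",
                                      ["111111111111", "222222222222", "333333333333"])
    print(json.dumps(policy, indent=2))
    ok = cloudtrail_can_put(policy, "my-org-trail-logs",
                            "AWSLogs/222222222222/CloudTrail/us-east-1/2023/05/01/a.json.gz",
                            "bucket-owner-full-control")
    bad = cloudtrail_can_put(policy, "my-org-trail-logs",
                             "AWSLogs/444444444444/CloudTrail/us-east-1/2023/05/01/a.json.gz",
                             "bucket-owner-full-control")
    print("listed account can deliver:", ok, "| unlisted account can deliver:", bad)
```

Two things to check after applying it: the trail in each source account must be created with no custom prefix (or with one that matches the Resource entries), and AWS's current documented policy also adds an aws:SourceArn condition naming the trail, which narrows the grant to a specific trail rather than any CloudTrail in the listed accounts; add that once the trail ARNs are known.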
Scenario:
My client has 80+ S3 buckets and 1000+ applications running in their AWS account. I want to get the list of IAM users/roles who are accessing the objects in all the S3 buckets.
Method 1: Initially I tried to fetch it from CloudTrail Event History, but no luck.
From the above image, you can see CloudTrail is failing to log the object-level activity.
Method 2: I created a CloudTrail trail to log the activities. But it captures all management-level activities happening throughout the account, which makes it hard for me to find the S3 logs alone (I already mentioned that there are 80+ buckets & 1000+ applications in the account).
Method 3: S3 server access logs: If I enable this option, it creates a log entry for every action happening to the objects (that is, when I attempt to read a log file, it creates another log. It keeps on doubling the count of logs).
If anyone has a solution to find the list of IAM users/roles who are accessing the S3 bucket objects in an effective way, please help me.
Thanks in advance.
For each bucket, configure object-level logging.
Once that is complete, you can use the CloudTrail API to filter events and extract IAM identities making the requests.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::S3::Object --query Events[*].Username
Which is the best way to find out who deleted files in AWS S3 bucket?
I am working on an AWS S3 bucket. Going through the AWS docs I haven't found the best way to monitor S3 buckets, so I thought of checking if anyone can help me here.
For monitoring S3 object operations, such as DeleteObject, you have to enable CloudTrail with S3 data events:
How do I enable object-level logging for an S3 bucket with AWS CloudTrail data events?
Examples: Logging Data Events for Amazon S3 Objects
However, the trails don't work retrospectively. Thus, you have to check if you have such a trail enabled in the CloudTrail console. If not, then you can create one to monitor any future S3 object-level activities for all, or selected, buckets.
To reduce the impact of accidental deletions you can enable object versioning. And to fully protect against that for important objects, you can use MFA delete.
You can check S3 access logs or CloudTrail to check who deleted files from your S3 bucket. More information here - https://aws.amazon.com/premiumsupport/knowledge-center/s3-audit-deleted-missing-objects/
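Both the "which identities touch objects in my buckets" answer and the "who deleted this object" answers above end at the same place: a trail with S3 data events enabled. What such a trail writes to its S3 bucket is a stream of gzipped JSON files, each a {"Records": [...]} document, and object-level events carry the bucket name and key in requestParameters. The following is an added example, not code from any of the answers, that reads those files offline and answers both questions: which IAM users and roles accessed objects per bucket, and who deleted a given key. The records in SAMPLE_LOG are constructed for the example (placeholder account ID, buckets, keys and IPs), in the field layout CloudTrail uses; a loader for real delivered files is included but not exercised here.

```python
import gzip
import json
from collections import defaultdict

# Added example; not the answers' own command. SAMPLE_LOG is a constructed CloudTrail
# log document in the shape a trail delivers (gzipped) to its S3 bucket. The account
# ID, bucket names, keys and IP addresses are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"bucketName": "hr-records", "key": "payroll/2023-04.csv"}},
    {"eventTime": "2023-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ci-deploy/build-42",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111111111111:role/ci-deploy"}}},
     "requestParameters": {"bucketName": "hr-records", "key": "payroll/2023-03.csv"}},
    {"eventTime": "2023-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"bucketName": "public-assets", "key": "logo.png"}},
    # management event: bucket level, no object key, must not be counted
    {"eventTime": "2023-05-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": None},
    # a different service entirely; the same trail captures it
    {"eventTime": "2023-05-01T10:08:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "requestParameters": {"userName": "carol"}},
]})
SAMPLE_RECORDS = json.loads(SAMPLE_LOG)["Records"]


def principal(identity):
    """Reduce a userIdentity block to the IAM user or role behind the call. An
    AssumedRole session ARN changes per session, so report the role ARN from
    sessionContext.sessionIssuer instead; that is what you grant permissions to."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity["arn"]
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn", identity.get("arn", "unknown"))
    if kind == "Root":
        return identity.get("arn", "root")
    if kind == "AWSService":
        return "service:" + identity.get("invokedBy", "unknown")
    return identity.get("arn") or f"{kind}:unknown"


def s3_object_events(records, buckets=None):
    """Yield only S3 object-level events (those carrying a bucketName and key),
    optionally restricted to a set of bucket names. Management events and other
    services, which a trail also records, are skipped."""
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        bucket, key = params.get("bucketName"), params.get("key")
        if not bucket or key is None or (buckets and bucket not in buckets):
            continue
        yield {"time": rec["eventTime"], "event": rec["eventName"], "bucket": bucket,
               "key": key, "principal": principal(rec["userIdentity"]),
               "ip": rec.get("sourceIPAddress")}


def identities_per_bucket(records, buckets=None):
    """Sorted list of distinct principals that touched objects, per bucket."""
    seen = defaultdict(set)
    for ev in s3_object_events(records, buckets):
        seen[ev["bucket"]].add(ev["principal"])
    return {b: sorted(p) for b, p in seen.items()}


def who_deleted(records, bucket, key):
    """Delete* events for one object, with the principal and source IP."""
    return [ev for ev in s3_object_events(records, {bucket})
            if ev["key"] == key and ev["event"].startswith("Delete")]


def load_trail_files(paths):
    """Records from CloudTrail files (.json.gz) synced from the trail bucket to disk."""
    for path in paths:
        with gzip.open(path, "rt") as fh:
            yield from json.load(fh)["Records"]


if __name__ == "__main__":
    for bucket, who in identities_per_bucket(SAMPLE_RECORDS).items():
        print(bucket, who)
    for ev in who_deleted(SAMPLE_RECORDS, "hr-records", "payroll/2023-03.csv"):
        print(ev)
```

On a real account, sync the trail's AWSLogs/ prefix (or just the days of interest) to disk and feed the file paths to load_trail_files; filtering on eventSource and requestParameters is what cuts the 1000-application noise down to S3 object activity. Object-level events only appear for buckets the trail was configured to log, and only from the moment that configuration was made, so a delete that predates the data-event setting will not be in these files.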
What is the easiest way to get the user/role used to update/upload an object to S3?
The object is still in the bucket. I just want to know who did it.
I tried the CLI but didn't find anything. CloudTrail could be an option as well, I guess.
The easiest way would be to enable S3 server access logging:
AWS Console -> S3 -> Choose your bucket -> Properties -> Choose target bucket (where you want your logs to be stored) -> Save
Each request is saved as one row in the logs. It's not just for GET requests; it's for all types of requests.
In the logs, you would look for Requester:
The canonical user ID of the requester, or a - for unauthenticated requests. If the requester was an IAM user, this field returns the requester's IAM user name along with the AWS root account that the IAM user belongs to. This identifier is the same one used for access control purposes.
You can see more details in official documentation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
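The rows the answer above describes are space-delimited, with the timestamp in square brackets and the request URI, referer and user agent in double quotes, so splitting on whitespace breaks them. Below is an added example, not code from the answer or from AWS, that parses the server access log format into named fields and then answers the question asked here: which requester created, overwrote or deleted a given key, keeping denied attempts apart from requests that succeeded. The log lines are constructed for the example (placeholder bucket, keys, request IDs, host ID and principals); the requester values are written in the IAM ARN form, which is an assumption about how the field renders for your account, so match against whatever form your own logs show.

```python
import re
from datetime import datetime

# Added example, not from the answer above. Constructed S3 server access log lines;
# bucket, keys, request IDs, host ID and principals are placeholders.
SAMPLE_LOG_LINES = [
    '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be hr-records [01/May/2023:10:00:00 +0000] 203.0.113.10 arn:aws:iam::111111111111:user/alice 3E57427F3EXAMPLE REST.PUT.OBJECT payroll/2023-04.csv "PUT /hr-records/payroll/2023-04.csv HTTP/1.1" 200 - - 58231 31 12 "-" "aws-cli/2.11.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader hr-records.s3.us-east-1.amazonaws.com TLSv1.2 - -',
    '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be hr-records [01/May/2023:10:05:00 +0000] 198.51.100.7 arn:aws:sts::111111111111:assumed-role/ci-deploy/build-42 7B2C2C4AEXAMPLE REST.DELETE.OBJECT payroll/2023-03.csv "DELETE /hr-records/payroll/2023-03.csv HTTP/1.1" 204 - - - 9 5 "-" "aws-sdk-go/1.44.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader hr-records.s3.us-east-1.amazonaws.com TLSv1.2 - -',
    '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be hr-records [01/May/2023:10:06:00 +0000] 192.0.2.44 - 9F1A2B3CEXAMPLE REST.GET.OBJECT payroll/2023-04.csv "GET /hr-records/payroll/2023-04.csv HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.0.1" - HOSTIDEXAMPLE= - - - hr-records.s3.us-east-1.amazonaws.com TLSv1.2 - -',
    '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be hr-records [01/May/2023:10:07:00 +0000] 192.0.2.44 arn:aws:iam::111111111111:user/bob C4D5E6F7EXAMPLE REST.DELETE.OBJECT payroll/2023-03.csv "DELETE /hr-records/payroll/2023-03.csv HTTP/1.1" 403 AccessDenied 243 - 6 - "-" "aws-cli/2.11.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader hr-records.s3.us-east-1.amazonaws.com TLSv1.2 - -',
]

# Field order of the server access log format; fields AWS appended later in the
# line (access point ARN, aclRequired, ...) are simply ignored.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version",
]

# A token is a [bracketed time], a "quoted string" or a run of non-spaces.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Operations that change an object: REST.PUT.OBJECT, REST.DELETE.OBJECT,
# REST.POST.UPLOAD (multipart complete), REST.COPY.OBJECT, REST.POST.MULTI_OBJECT_DELETE
WRITE_VERBS = {"PUT", "POST", "DELETE", "COPY"}


def parse_line(line):
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"short access log line ({len(tokens)} fields): {line[:60]!r}")
    entry = dict(zip(FIELDS, tokens))
    entry["time"] = entry["time"][1:-1]
    entry["timestamp"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    for field in ("request_uri", "referer", "user_agent"):
        entry[field] = entry[field][1:-1]
    return entry


def parse_log(lines):
    return [parse_line(line) for line in lines if line.strip()]


def is_write(entry):
    parts = entry["operation"].split(".")
    return len(parts) >= 2 and parts[0] == "REST" and parts[1] in WRITE_VERBS


def who_changed(entries, key, succeeded_only=True):
    """Requests that created, overwrote or deleted `key`, oldest first. With
    succeeded_only, denied attempts are dropped: a 403 DELETE in the log means
    someone tried, not that the object is gone."""
    hits = [e for e in entries if e["key"] == key and is_write(e)
            and (not succeeded_only or e["http_status"].startswith("2"))]
    return sorted(hits, key=lambda e: e["timestamp"])


def requesters(entries):
    """Distinct requesters per bucket; '-' is an unauthenticated request."""
    seen = {}
    for e in entries:
        seen.setdefault(e["bucket"], set()).add(e["requester"])
    return {b: sorted(r) for b, r in seen.items()}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG_LINES)
    for e in who_changed(entries, "payroll/2023-03.csv", succeeded_only=False):
        print(e["time"], e["operation"], e["http_status"], e["requester"], e["remote_ip"])
    print(requesters(entries))
```

Two caveats when relying on this: point the logging target at a different bucket than the one being logged, otherwise every delivered log object generates its own log entry and the volume keeps growing, which is the doubling the earlier question describes; and server access logs are delivered on a best-effort basis with a delay of hours, so for an investigation that needs a complete record, a CloudTrail trail with S3 data events is the stronger source.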
From Logging Amazon S3 API Calls by Using AWS CloudTrail - Amazon Simple Storage Service:
Amazon S3 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon S3. CloudTrail captures a subset of API calls for Amazon S3 as events, including calls from the Amazon S3 console and from code calls to the Amazon S3 APIs.