Description:
Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events.
Rationale:
Enabling object-level logging helps you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account, and take immediate action on any object-level API activity within your S3 buckets using Amazon CloudWatch Events.
Impact:
Object-level write activity in your S3 buckets will be logged as CloudTrail data events, which can then be acted on through Amazon CloudWatch Events.
Default value:
CloudTrail trails don't log data events by default.
Pre-Requisite:
An S3 bucket and a CloudTrail trail.
Test Plan:
- Log in to the AWS Console and navigate to the CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/
- In the left panel, click Trails and then click the name of the trail you want to examine.
- Review General details and confirm that Multi-region trail is set to Yes.
- Scroll down to Data events.
- Confirm that it reads: Data events: S3, Bucket name: All current and future S3 buckets, Read: Enabled, Write: Enabled.
or
- Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
- Click the name of the bucket you want to open.
- Click 'Properties'.
- Check the CloudTrail data events section, if present.
Using AWS CLI
Use the following CloudTrail CLI commands to check whether an S3 bucket has CloudTrail data events configured (the second command lists the data resources covered by the trail's event selectors; confirm it includes an AWS::S3::Object entry covering the bucket):
aws cloudtrail list-trails
aws cloudtrail get-event-selectors --region <Home region> --trail-name <trail name> --query 'EventSelectors[*].DataResources[]'
Implementation Plan:
AWS Console Process
- Log in to the AWS Management Console and navigate to the S3 dashboard at https://console.aws.amazon.com/s3/
- In the left navigation panel, click Buckets and then click the name of the S3 bucket you want to configure.
- Click the Properties tab, scroll down to the CloudTrail data events section and click Configure in CloudTrail.
- You will be taken to the CloudTrail console, where you can choose an existing trail.
- Once the trail is selected, check the Write event checkbox so that object-level logging for Write events is enabled.
Using AWS CLI
aws cloudtrail put-event-selectors --region <region name> --trail-name <trail name> --event-selectors '[{ "ReadWriteType": "WriteOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3 bucket name>/"] }] }]'
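As an added example (not from this page or from AWS), the following Python check evaluates the JSON that `aws cloudtrail get-event-selectors` returns for a trail configured like the put-event-selectors command above and reports whether object-level write data events are logged for a given bucket. The trail ARN, account ID and bucket names in the sample are constructed placeholders, and only basic event selectors are handled, not advanced event selectors.

```python
import json

# Constructed sample: the shape `aws cloudtrail get-event-selectors` returns for a
# trail configured with the put-event-selectors command above. Trail, account and
# bucket names are placeholders, not real resources.
SAMPLE_EVENT_SELECTORS = json.dumps({
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
    "EventSelectors": [
        {
            "ReadWriteType": "WriteOnly",
            "IncludeManagementEvents": True,
            "DataResources": [
                {"Type": "AWS::S3::Object",
                 "Values": ["arn:aws:s3:::example-logs-bucket/"]}
            ],
        }
    ],
})


def _covers_bucket(value: str, bucket: str) -> bool:
    """A data resource value covers a bucket if it is the all-buckets ARN
    ('arn:aws:s3' or 'arn:aws:s3:::') or the bucket's own ARN, with or
    without a trailing '/' key prefix."""
    if value in ("arn:aws:s3", "arn:aws:s3:::"):
        return True
    return value == f"arn:aws:s3:::{bucket}" or value.startswith(f"arn:aws:s3:::{bucket}/")


def s3_write_events_logged(selectors_json: str, bucket: str) -> bool:
    """Return True if the trail's basic event selectors log object-level write
    data events for `bucket`: ReadWriteType must be All or WriteOnly and an
    AWS::S3::Object data resource must cover the bucket."""
    doc = json.loads(selectors_json)
    for selector in doc.get("EventSelectors", []):
        if selector.get("ReadWriteType") not in ("All", "WriteOnly"):
            continue  # ReadOnly selectors do not record PutObject/DeleteObject
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue  # e.g. AWS::Lambda::Function resources are irrelevant here
            if any(_covers_bucket(v, bucket) for v in resource.get("Values", [])):
                return True
    return False


if __name__ == "__main__":
    print(s3_write_events_logged(SAMPLE_EVENT_SELECTORS, "example-logs-bucket"))  # True
    print(s3_write_events_logged(SAMPLE_EVENT_SELECTORS, "other-bucket"))         # False
```

To run it against a real trail, pipe the output of `aws cloudtrail get-event-selectors --trail-name <trail name>` into `s3_write_events_logged` in place of the constructed sample.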
Backout Plan:
AWS Console Process
- Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.
- Open the Trails page of the CloudTrail console.
- Choose the trail name.
- At the top of the trail details page, choose Delete.
Using AWS CLI
aws cloudtrail delete-trail --name <Trail name>