Description:

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. 

Rationale:

Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.

Impact:

Write actions on object-level API activity within your S3 buckets will be logged, and the resulting events can be acted on using Amazon CloudWatch Events.

Default value:

CloudTrail trails don't log data events by default.

Pre-Requisite:

An S3 bucket and a CloudTrail trail.

Test Plan:

  1. Log in to the AWS Console and navigate to the CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/
  2. In the left panel, click Trails and then click the name of the trail that you want to examine.
  3. Review General details.

  4. Confirm that Multi-region trail is set to Yes.

  5. Scroll down to Data events.
  6. Confirm that it reads: Data events: S3, Bucket Name: All current and future S3 buckets, Read: Enabled, Write: Enabled.

or

  1. Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/

  2. Click on the bucket name you want to open.

  3. Click on 'Properties'. 

  4. Check whether CloudTrail data events are configured for the bucket.



Using AWS CLI

Use the following CloudTrail CLI commands to check whether the S3 bucket has CloudTrail data events enabled.

aws cloudtrail list-trails

aws cloudtrail get-event-selectors --region <Home region> --trail-name <trail name> --query 'EventSelectors[*].DataResources[]'
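The `--query` filter above shows only the DataResources, so the operator still has to judge whether the listed ARNs cover the bucket and whether ReadWriteType includes Write. The following added example (not part of the original page) evaluates the full, unfiltered JSON output of `aws cloudtrail get-event-selectors` for a given bucket; the trail ARN, bucket name and selector content are constructed sample values, and trails that use AdvancedEventSelectors are not handled.

```python
"""Decide whether a trail's basic event selectors log S3 data events for a bucket."""
import json

# Constructed sample, shaped like the output of
# `aws cloudtrail get-event-selectors --trail-name <trail name>` (no --query):
# one selector logging Write-only data events for a single bucket.
SAMPLE_SELECTORS = json.loads("""
{
  "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
  "EventSelectors": [
    {
      "ReadWriteType": "WriteOnly",
      "IncludeManagementEvents": true,
      "DataResources": [
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::example-bucket/"]}
      ]
    }
  ]
}
""")


def _selector_covers_bucket(selector, bucket):
    """True if an AWS::S3::Object resource covers every object in `bucket`.
    "arn:aws:s3:::" alone means all current and future buckets; "<bucket>/"
    means all objects in that bucket. A value with an object prefix such as
    "arn:aws:s3:::bucket/images" covers only that prefix, so it does not count."""
    bucket_arn = f"arn:aws:s3:::{bucket}/"
    for res in selector.get("DataResources", []):
        if res.get("Type") != "AWS::S3::Object":
            continue
        if any(v in ("arn:aws:s3:::", bucket_arn) for v in res.get("Values", [])):
            return True
    return False


def bucket_data_event_coverage(selectors_json, bucket):
    """Return {"read": bool, "write": bool} for object-level API calls on `bucket`."""
    coverage = {"read": False, "write": False}
    for sel in selectors_json.get("EventSelectors", []):
        if not _selector_covers_bucket(sel, bucket):
            continue
        rw = sel.get("ReadWriteType", "All")  # CloudTrail's default is All
        coverage["read"] |= rw in ("All", "ReadOnly")
        coverage["write"] |= rw in ("All", "WriteOnly")
    return coverage


def bucket_is_compliant(selectors_json, bucket):
    """The control passes for a bucket when Write data events are logged."""
    return bucket_data_event_coverage(selectors_json, bucket)["write"]


if __name__ == "__main__":
    for name in ("example-bucket", "other-bucket"):
        print(name, bucket_data_event_coverage(SAMPLE_SELECTORS, name))
```

Pipe the real command output into `json.load` in place of the constructed sample; a bucket that shows `write: False` across every trail in the account fails this control.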


Implementation Plan:

  • AWS Console Process

  1. Log in to the AWS Management Console and navigate to the S3 dashboard at https://console.aws.amazon.com/s3/

  2. In the left navigation panel, click Buckets and then click the name of the S3 bucket that you want to examine.

  3. Click the Properties tab, scroll down to the CloudTrail data events section, and click Configure in CloudTrail.
  4. This opens the CloudTrail console, where you can choose an existing trail.

  5. Once the trail is selected, select the Write events checkbox so that object-level logging for Write events is enabled.


Using AWS CLI

aws cloudtrail put-event-selectors --region <region name> --trail-name <trail name> --event-selectors '[{ "ReadWriteType": "WriteOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3 bucket name>/"] }] }]'

Backout Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Open the Trails page of the CloudTrail console.

  3. Choose the trail name.

  4. At the top of the trail details page, choose Delete. 


Using AWS CLI

aws cloudtrail delete-trail --name <Trail name>

Reference:

Amazon S3 CloudTrail events - Amazon Simple Storage Service