Get object detail on cloudtrail log for S3

0

I have created a cloudtrail with cloudwatch log for S3 and can get all logs for the PutObject and DeleteObject events. When it generates the PutObject event, it shows with object (file name) detail, but not for the DeleteObject event. Is there anything I missed about the configuration? Thank you

2 Risposte
0
Risposta accettata

Am I correct that you followed the procedure in this document?
I believe you can also check the DeleteObjects record if you set this up.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-examples
I have masked some account IDs, etc., but the following DeleteObjects event is recorded in CloudWatch Logs in my environment.
However, object details are not displayed.
If you want to check the details of an object, it is better to set up an access log with an S3 bucket.

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxxxxxxxxxxxxx",
        "arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/xxxxxxxxxx",
        "accountId": "xxxxxxxxxxx",
        "accessKeyId": "xxxxxxxxxxxxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "xxxxxxxxxxxxx",
                "arn": "arn:aws:iam::xxxxxxxxxxxxx:role/xxxxxxxxxxxxxx",
                "accountId": "xxxxxxxxxxxxxx",
                "userName": "xxxxxxxxxxxxxx"
            },
            "attributes": {
                "creationDate": "2023-07-10T00:41:25Z",
                "mfaAuthenticated": "true"
            }
        }
    },
    "eventTime": "2023-07-10T00:56:26Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "DeleteObjects",
    "awsRegion": "ap-northeast-1",
    "sourceIPAddress": "xxxxxxxxxxxxxx",
    "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.4.247-169.350.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "requestParameters": {
        "bucketName": "xxxxxxxxxxxxxxxx",
        "Host": "s3.ap-northeast-1.amazonaws.com",
        "delete": ""
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "xxxxxxxxxxxxxxxxxxxxxxx",
        "bytesTransferredOut": 0
    },
    "requestID": "xxxxxxxxxxxxxxx",
    "eventID": "xxxxxxxxxxxxxx",
    "readOnly": false,
    "resources": [
        {
            "type": "AWS::S3::Object",
            "ARNPrefix": "arn:aws:s3:::xxxxxxxxxxxxxxx/"
        },
        {
            "accountId": "xxxxxxxxxxxxx",
            "type": "AWS::S3::Bucket",
            "ARN": "arn:aws:s3:::xxxxxxxxxxxxxxxx"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": false,
    "recipientAccountId": "xxxxxxxxxxx",
    "vpcEndpointId": "xxxxxxxxxxxxx",
    "eventCategory": "Data",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "s3.ap-northeast-1.amazonaws.com"
    }
}
profile picture
ESPERTO
con risposta un anno fa
0

Thank you, i can get it by using access log

deni
con risposta un anno fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande