Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Get object detail on cloudtrail log for S3

0

I have created a cloudtrail with cloudwatch log for S3 and can get all logs for the PutObject and DeleteObject events. When it generates the PutObject event, it shows with object (file name) detail, but not for the DeleteObject event. Is there anything I missed about the configuration? Thank you

Argomenti
ArchiviazioneGestione e amministrazione
Tag
Servizio di archiviazione semplice di AmazonAmazon CloudWatchAWS CloudTrail
Lingua
English
deni
posta 10 mesi fa563 visualizzazioni
2 Risposte
0
Risposta accettata

Am I correct that you followed the procedure in this document?
I believe you can also check the DeleteObjects record if you set this up.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-examples
I have masked some account IDs, etc., but the following DeleteObjects event is recorded in CloudWatch Logs in my environment.
However, object details are not displayed.
If you want to check the details of an object, it is better to set up an access log with an S3 bucket.

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxxxxxxxxxxxxx",
        "arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/xxxxxxxxxx",
        "accountId": "xxxxxxxxxxx",
        "accessKeyId": "xxxxxxxxxxxxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "xxxxxxxxxxxxx",
                "arn": "arn:aws:iam::xxxxxxxxxxxxx:role/xxxxxxxxxxxxxx",
                "accountId": "xxxxxxxxxxxxxx",
                "userName": "xxxxxxxxxxxxxx"
            },
            "attributes": {
                "creationDate": "2023-07-10T00:41:25Z",
                "mfaAuthenticated": "true"
            }
        }
    },
    "eventTime": "2023-07-10T00:56:26Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "DeleteObjects",
    "awsRegion": "ap-northeast-1",
    "sourceIPAddress": "xxxxxxxxxxxxxx",
    "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.4.247-169.350.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "requestParameters": {
        "bucketName": "xxxxxxxxxxxxxxxx",
        "Host": "s3.ap-northeast-1.amazonaws.com",
        "delete": ""
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "xxxxxxxxxxxxxxxxxxxxxxx",
        "bytesTransferredOut": 0
    },
    "requestID": "xxxxxxxxxxxxxxx",
    "eventID": "xxxxxxxxxxxxxx",
    "readOnly": false,
    "resources": [
        {
            "type": "AWS::S3::Object",
            "ARNPrefix": "arn:aws:s3:::xxxxxxxxxxxxxxx/"
        },
        {
            "accountId": "xxxxxxxxxxxxx",
            "type": "AWS::S3::Bucket",
            "ARN": "arn:aws:s3:::xxxxxxxxxxxxxxxx"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": false,
    "recipientAccountId": "xxxxxxxxxxx",
    "vpcEndpointId": "xxxxxxxxxxxxx",
    "eventCategory": "Data",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "s3.ap-northeast-1.amazonaws.com"
    }
}
profile picture
ESPERTO
Riku_Kobayashi
con risposta 10 mesi fa
0

Thank you, i can get it by using access log

deni
con risposta 10 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente