Get object detail on cloudtrail log for S3

0

I have created a cloudtrail with cloudwatch log for S3 and can get all logs for the PutObject and DeleteObject events. When it generates the PutObject event, it shows with object (file name) detail, but not for the DeleteObject event. Is there anything I missed about the configuration? Thank you

2回答
0
承認された回答

Am I correct that you followed the procedure in this document?
I believe you can also check the DeleteObjects record if you set this up.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-examples
I have masked some account IDs, etc., but the following DeleteObjects event is recorded in CloudWatch Logs in my environment.
However, object details are not displayed.
If you want to check the details of an object, it is better to set up an access log with an S3 bucket.

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxxxxxxxxxxxxx",
        "arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/xxxxxxxxxx",
        "accountId": "xxxxxxxxxxx",
        "accessKeyId": "xxxxxxxxxxxxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "xxxxxxxxxxxxx",
                "arn": "arn:aws:iam::xxxxxxxxxxxxx:role/xxxxxxxxxxxxxx",
                "accountId": "xxxxxxxxxxxxxx",
                "userName": "xxxxxxxxxxxxxx"
            },
            "attributes": {
                "creationDate": "2023-07-10T00:41:25Z",
                "mfaAuthenticated": "true"
            }
        }
    },
    "eventTime": "2023-07-10T00:56:26Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "DeleteObjects",
    "awsRegion": "ap-northeast-1",
    "sourceIPAddress": "xxxxxxxxxxxxxx",
    "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.4.247-169.350.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]",
    "requestParameters": {
        "bucketName": "xxxxxxxxxxxxxxxx",
        "Host": "s3.ap-northeast-1.amazonaws.com",
        "delete": ""
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "xxxxxxxxxxxxxxxxxxxxxxx",
        "bytesTransferredOut": 0
    },
    "requestID": "xxxxxxxxxxxxxxx",
    "eventID": "xxxxxxxxxxxxxx",
    "readOnly": false,
    "resources": [
        {
            "type": "AWS::S3::Object",
            "ARNPrefix": "arn:aws:s3:::xxxxxxxxxxxxxxx/"
        },
        {
            "accountId": "xxxxxxxxxxxxx",
            "type": "AWS::S3::Bucket",
            "ARN": "arn:aws:s3:::xxxxxxxxxxxxxxxx"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": false,
    "recipientAccountId": "xxxxxxxxxxx",
    "vpcEndpointId": "xxxxxxxxxxxxx",
    "eventCategory": "Data",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "s3.ap-northeast-1.amazonaws.com"
    }
}
profile picture
エキスパート
回答済み 1年前
0

Thank you, i can get it by using access log

deni
回答済み 1年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ