Afternoon all, I received an email saying I had connections with a few S3 buckets, so I know the 3; however, I can't understand how to get more data. The 3 buckets all have logging on, so I have an S3 bucket with the logs, but the 2 ways they say are:
- Log Insights. For this it appears I need to have the actual logs go to CloudWatch Logs, as I don't see a way of selecting the S3 admin that has the logs.
- CloudTrail / Lake. This looks even easier; the doc here - https://aws.amazon.com/blogs/mt/using-aws-cloudtrail-lake-to-identify-older-tls-connections-to-aws-service-endpoints/ I thought was the answer, but I am stuck and it may be just the data store part. There is just that 1 line, create a data store, but I did create one. I believe the 'events' should be CloudTrail and not configuration items. Then for data events I have tried S3 and S3 access points (as I am sure it's one of those), and when I copy the sample query for TLS calls I get an invalid query. I even tried other sample ones and all do the same thing, immediate red x.
The sample query is here:
SELECT eventSource, COUNT(*) AS numOutdatedTlsCalls FROM $EDS_ID WHERE tlsDetails.tlsVersion IN ('TLSv1', 'TLSv1.1') AND eventTime > '2023-01-17 00:00:00' GROUP BY eventSource ORDER BY numOutdatedTlsCalls DESC
So any help on the best way to get that info is appreciated.
:facepalm: - I was clearly overlooking that one! I thought that was more an environment variable as the left side has the event data store drop down, but now realize what/why!
I appreciate the read and such a quick reply, saved me a lot of time on this one!
You're welcome!
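Added example (not part of the thread or of the AWS blog post): because the buckets already have server access logging on, the callers using outdated TLS can also be read straight from those log files. The field positions assume the S3 server access log record layout, where the TLS version is the 24th space-delimited field; the helper names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# One token per field: [bracketed time], "quoted string", or a bare word.
FIELD_RE = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# 0-based field positions (assumed S3 server access log layout).
BUCKET, REMOTE_IP, REQUESTER, OPERATION = 1, 3, 4, 6
USER_AGENT, TLS_VERSION = 16, 23
OUTDATED = {"TLSv1", "TLSv1.1"}  # same versions the sample query filters on


def parse_line(line):
    """Return the fields needed to identify a caller, or None if unusable."""
    fields = FIELD_RE.findall(line)
    if len(fields) <= TLS_VERSION:
        return None  # truncated record, or one written without a TLS field
    return {
        "bucket": fields[BUCKET],
        "remote_ip": fields[REMOTE_IP],
        "requester": fields[REQUESTER],
        "operation": fields[OPERATION],
        "user_agent": fields[USER_AGENT].strip('"'),
        "tls_version": fields[TLS_VERSION],
    }


def outdated_tls_callers(lines):
    """Count outdated-TLS requests per (bucket, requester, user agent)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["tls_version"] in OUTDATED:
            counts[(rec["bucket"], rec["requester"], rec["user_agent"])] += 1
    return counts


def sample_line(requester, user_agent, tls):
    """Build a constructed log line (not real log data)."""
    return (f'OWNERID example-bucket [17/Jan/2023:10:00:00 +0000] 192.0.2.10 '
            f'{requester} REQ1 REST.GET.OBJECT report.csv '
            f'"GET /report.csv HTTP/1.1" 200 - 512 512 20 19 "-" "{user_agent}" '
            f'- HOSTID1 SigV4 ECDHE-RSA-AES128-SHA AuthHeader '
            f'example-bucket.s3.amazonaws.com {tls} - -')


if __name__ == "__main__":
    legacy = "arn:aws:iam::111122223333:user/legacy-app"
    lines = [sample_line(legacy, "aws-sdk-java/1.11.0", "TLSv1"),
             sample_line(legacy, "aws-sdk-java/1.11.0", "TLSv1.1"),
             sample_line("arn:aws:iam::111122223333:user/new-app", "Boto3/1.26", "TLSv1.2")]
    for caller, n in outdated_tls_callers(lines).most_common():
        print(n, *caller)
```

Grouping by requester and user agent points at the IAM principal and client library that need upgrading, which the per-service count in the sample query does not show.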