S3 DeleteObjects Activity: Why Is Only the Bucket ARN Logged in CloudTrail, Without Details on Deleted Objects?

0

I deleted multiple objects from the bucket, but the JSON response logged in CloudTrail only contains the bucket ARN and does not include any information about the deleted objects.

{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAZQ3DPUOXBBIFOXUYC:nikhila@oleria.com",
    "arn": "arn:aws:sts::654654284718:assumed-role/AWSReservedSSO_OktausersAdministratoraccess_13105579c2cbec12/nikhila@oleria.com",
    "accountId": "654654284718",
    "accessKeyId": "ASIAZQ3DPUOXNAH3OO56",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAZQ3DPUOXBBIFOXUYC",
        "arn": "arn:aws:iam::654654284718:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_OktausersAdministratoraccess_13105579c2cbec12",
        "accountId": "654654284718",
        "userName": "AWSReservedSSO_OktausersAdministratoraccess_13105579c2cbec12"
      },
      "attributes": {
        "creationDate": "2024-08-07T08:58:39Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2024-08-07T10:15:22Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteObjects",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "125.23.34.124",
  "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.220-188.869.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]",
  "requestParameters": {
    "bucketName": "aws-oleria-test-bucket",
    "Host": "s3.us-east-2.amazonaws.com",
    "delete": ""
  },
  "responseElements": null,
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "TLS_AES_128_GCM_SHA256",
    "bytesTransferredIn": 0,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "IqvyYEKPoAH4xbNVXV48YM4mVMCUnGd/nT5VIuN8ARd+RwYTJo6JzoudlLB89VmG+1WhQn6Nsmk=",
    "bytesTransferredOut": 0
  },
  "requestID": "CT0Y6RNKM52WXW0A",
  "eventID": "8d6313d9-9e61-4c77-acd3-fe61d0a7776b",
  "readOnly": false,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARNPrefix": "arn:aws:s3:::aws-oleria-test-bucket/"
    },
    {
      "accountId": "654654284718",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::aws-oleria-test-bucket"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "654654284718",
  "vpcEndpointId": "vpce-eca44785",
  "eventCategory": "Data",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "s3.us-east-2.amazonaws.com"
  }
}

Nikhila
asked 2 months ago, 87 views
3 Answers
1

Hi,

Did you properly activate so-called data events in your CloudTrail setup? By default, they are not activated.

See https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html#enable-cloudtrail-events for all details.

Best,

Didier

AWS EXPERT
answered 2 months ago
reviewed 2 months ago
  • I’ve already activated data events for CloudTrail, but I’m not seeing the deleted objects data in the logs.
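The check Didier's answer points at, written out as an added example (not part of the answer and not an AWS tool): given the JSON that `aws cloudtrail get-event-selectors --trail-name NAME` returns, decide whether the trail would record S3 object-level write events, DeleteObjects included, for one bucket. It handles both the classic EventSelectors/DataResources shape and AdvancedEventSelectors/FieldSelectors, and flags the cases that silently miss a delete: a ReadOnly selector, a readOnly=true field selector, a selector scoped to another bucket, or a NotStartsWith carve-out. The trail configurations at the bottom are constructed for the example.

```python
"""Check whether a CloudTrail trail's event selectors would record S3
object-level write events (DeleteObjects included) for one bucket.

Input is the dict returned by `aws cloudtrail get-event-selectors
--trail-name NAME` (boto3: client("cloudtrail").get_event_selectors(
TrailName=NAME)). Both selector styles are handled: classic
EventSelectors/DataResources and AdvancedEventSelectors/FieldSelectors.
The trail configurations at the bottom are constructed for this example.
"""
from __future__ import annotations

from typing import Any, Optional

S3_OBJECT = "AWS::S3::Object"


def _covers(value: str, bucket_arn: str) -> Optional[str]:
    """How one selector ARN value relates to the bucket.

    Returns "full", "prefix-only (...)" or None. "arn:aws:s3" (or
    "arn:aws:s3:::") selects every bucket in the account, "arn:aws:s3:::bucket/"
    the whole bucket, and "arn:aws:s3:::bucket/some/prefix" only keys under
    that prefix.
    """
    objects = bucket_arn + "/"
    if value == bucket_arn or objects.startswith(value):
        return "full"
    if value.startswith(objects):
        return "prefix-only (" + value[len(objects):] + ")"
    return None


def s3_write_events_covered(trail: dict[str, Any], bucket: str) -> list[str]:
    """Return the selector matches that cover object writes in `bucket`.

    An empty list means a DeleteObjects on that bucket is not recorded as a
    data event by this trail. Each entry names the selector that matched and how.
    """
    bucket_arn = "arn:aws:s3:::" + bucket
    hits: list[str] = []

    # Classic selectors: ReadWriteType must allow writes, Type must be S3 objects.
    for i, sel in enumerate(trail.get("EventSelectors", [])):
        if sel.get("ReadWriteType", "All") == "ReadOnly":
            continue  # a read-only selector never records DeleteObjects
        for res in sel.get("DataResources", []):
            if res.get("Type") != S3_OBJECT:
                continue
            for value in res.get("Values", []):
                how = _covers(value, bucket_arn)
                if how:
                    hits.append(f"EventSelectors[{i}] {value}: {how}")

    # Advanced selectors: every field condition must hold for an event to be logged.
    for i, sel in enumerate(trail.get("AdvancedEventSelectors", [])):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if fields.get("resources.type", {}).get("Equals") != [S3_OBJECT]:
            continue
        if fields.get("readOnly", {}).get("Equals") == ["true"]:
            continue  # readOnly=true keeps only reads; deletes are writes
        arn = fields.get("resources.ARN", {})
        excluded = arn.get("NotEquals", []) + arn.get("NotStartsWith", [])
        if any(_covers(v, bucket_arn) == "full" for v in excluded):
            continue  # this bucket is explicitly carved out
        included = arn.get("Equals", []) + arn.get("StartsWith", [])
        if not included:
            hits.append(f"AdvancedEventSelectors[{i}]: all S3 objects")
            continue
        for value in included:
            how = _covers(value, bucket_arn)
            if how:
                hits.append(f"AdvancedEventSelectors[{i}] {value}: {how}")
    return hits


# Constructed get-event-selectors responses for the cases that matter here.
_ARN = "arn:aws:cloudtrail:us-east-2:111122223333:trail/example"
TRAIL_MANAGEMENT_ONLY = {"TrailARN": _ARN, "EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]}
TRAIL_CLASSIC = {"TrailARN": _ARN, "EventSelectors": [
    {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
     "DataResources": [{"Type": S3_OBJECT,
                        "Values": ["arn:aws:s3:::aws-oleria-test-bucket/"]}]}]}
TRAIL_READ_ONLY = {"TrailARN": _ARN, "EventSelectors": [
    {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,
     "DataResources": [{"Type": S3_OBJECT,
                        "Values": ["arn:aws:s3:::aws-oleria-test-bucket/"]}]}]}
TRAIL_ADVANCED = {"TrailARN": _ARN, "AdvancedEventSelectors": [
    {"Name": "S3 object writes, all buckets but one", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": [S3_OBJECT]},
        {"Field": "readOnly", "Equals": ["false"]},
        {"Field": "resources.ARN", "NotStartsWith": ["arn:aws:s3:::excluded-bucket/"]}]}]}

if __name__ == "__main__":
    for name, trail in [("management-only", TRAIL_MANAGEMENT_ONLY), ("classic", TRAIL_CLASSIC),
                        ("read-only", TRAIL_READ_ONLY), ("advanced", TRAIL_ADVANCED)]:
        print(name, s3_write_events_covered(trail, "aws-oleria-test-bucket") or "NOT COVERED")
```

Run it against the real response (`aws cloudtrail get-event-selectors --trail-name NAME > trail.json`, then `json.load`) for every trail in the account, since a bucket is covered if any trail covers it. An empty result for the bucket and a write-capable selector explains a missing DeleteObjects event; a non-empty one means the event was logged and the missing piece is the object list, which is the subject of the next answer.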

1

It's explained in documentation that the coverage of CloudTrail data event logging is somewhat different from S3 server access logging. The comparison table in this documentation article explicitly states that "Logging of keys in a batch delete operation" is covered by S3 server access logging but not by CloudTrail data event logs: https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html

If you have S3 server access logs enabled for your bucket, you'll find one REST.POST.MULTI_OBJECT_DELETE operation there for the DeleteObjects API call, and for each individual object deleted as a consequence, there'll be a separate BATCH.DELETE.OBJECT log entry including the key of the specific object that was deleted.

Leo K
EXPERT
answered 2 months ago
reviewed 2 months ago
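Turning Leo K's answer into something an investigator can run, as an added example that is not part of the answer or of any AWS tool: parse S3 server access log lines, pick out the REST.POST.MULTI_OBJECT_DELETE entry for each DeleteObjects call and the BATCH.DELETE.OBJECT entries that name the individual keys, and group them by request ID. Two assumptions are built in and labelled in the code: that the per-key entries carry the same request ID as their parent entry, and that the field positions follow the documented server access log format (bucket, timestamp, remote IP, requester, request ID, operation, key, request URI, HTTP status, ...). The log lines are constructed for the example; one per-key entry is placed before its parent on purpose, because access logs are delivered on a best-effort basis and can arrive out of order.

```python
"""Recover the keys removed by a DeleteObjects call from S3 server access logs.

CloudTrail's DeleteObjects data event names only the bucket; the server access
log has one REST.POST.MULTI_OBJECT_DELETE entry for the request and one
BATCH.DELETE.OBJECT entry per key. Entries are grouped by request ID, which is
assumed here to be shared between the parent entry and its per-key entries.
If that assumption fails for a given log, the per-key entries still surface,
just under their own request ID. The sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Iterable
from urllib.parse import unquote

# One token per field: bracketed timestamp, quoted string, or bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Positions (0-based) of the fields used here, per the server access log format.
FIELDS = {"bucket": 1, "time": 2, "remote_ip": 3, "requester": 4,
          "request_id": 5, "operation": 6, "key": 7, "status": 9}

DELETE_OPS = ("REST.POST.MULTI_OBJECT_DELETE", "BATCH.DELETE.OBJECT")


def parse_access_log_line(line: str) -> dict:
    """Split one server access log line into the fields this tool needs."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < 10:
        raise ValueError("not a server access log line: " + line[:60])
    rec = {name: tokens[pos] for name, pos in FIELDS.items()}
    rec["time"] = rec["time"].strip("[]")
    # Keys are URL-encoded in the log; "-" means the operation has no key.
    rec["key"] = None if rec["key"] == "-" else unquote(rec["key"])
    return rec


def batch_delete_keys(lines: Iterable[str]) -> dict:
    """Group batch-delete entries by request ID.

    Returns {request_id: {"time", "requester", "remote_ip", "bucket", "keys"}}
    with one entry per DeleteObjects request seen; keys are listed in the order
    their BATCH.DELETE.OBJECT entries appear. Lines may arrive in any order.
    """
    requests = defaultdict(lambda: {"time": None, "requester": None,
                                    "remote_ip": None, "bucket": None, "keys": []})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_access_log_line(line)
        if rec["operation"] not in DELETE_OPS:
            continue
        entry = requests[rec["request_id"]]
        # Parent and per-key entries describe the same request; take metadata
        # from whichever entry shows up first.
        for name in ("time", "requester", "remote_ip", "bucket"):
            entry[name] = entry[name] or rec[name]
        if rec["operation"] == "BATCH.DELETE.OBJECT" and rec["key"]:
            entry["keys"].append(rec["key"])
    return dict(requests)


# Constructed sample log lines (owner ID, requester and host ID are placeholders).
OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
REQUESTER = "arn:aws:sts::111122223333:assumed-role/Admin/alice"
TAIL = ('"-" "S3Console/0.4" - hostid= SigV4 TLS_AES_128_GCM_SHA256 AuthHeader '
        's3.us-east-2.amazonaws.com TLSv1.3 - -')
SAMPLE_LOG_LINES = [
    # an unrelated read that must be ignored
    f'{OWNER} example-bucket [07/Aug/2024:10:14:58 +0000] 192.0.2.3 {REQUESTER} '
    f'3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.pdf '
    f'"GET /example-bucket/reports/q1.pdf HTTP/1.1" 200 - 4096 4096 12 9 {TAIL}',
    # a per-key entry delivered before its parent (out-of-order delivery)
    f'{OWNER} example-bucket [07/Aug/2024:10:15:22 +0000] 192.0.2.3 {REQUESTER} '
    f'7B4A0FABBEXAMPLE BATCH.DELETE.OBJECT reports/q2.pdf "-" 204 - - 2048 - - {TAIL}',
    # the DeleteObjects request itself: no key, only the bucket
    f'{OWNER} example-bucket [07/Aug/2024:10:15:22 +0000] 192.0.2.3 {REQUESTER} '
    f'7B4A0FABBEXAMPLE REST.POST.MULTI_OBJECT_DELETE - '
    f'"POST /example-bucket?delete HTTP/1.1" 200 - 310 - 15 11 {TAIL}',
    # a second key, URL-encoded in the log
    f'{OWNER} example-bucket [07/Aug/2024:10:15:22 +0000] 192.0.2.3 {REQUESTER} '
    f'7B4A0FABBEXAMPLE BATCH.DELETE.OBJECT photos/team%20photo.jpg "-" 204 - - 1048576 - - {TAIL}',
]

if __name__ == "__main__":
    for request_id, info in batch_delete_keys(SAMPLE_LOG_LINES).items():
        print(f"{info['time']} {info['requester']} from {info['remote_ip']} "
              f"DeleteObjects on {info['bucket']} (request {request_id}):")
        for key in info["keys"]:
            print("   ", key)
```

To use it on real logs, feed the concatenated lines from the target bucket's log prefix (for example `for f in *.log; do cat "$f"; done | python3 this_script.py`, adapting the entry point to read stdin). The CloudTrail event's requestID and eventTime give you the request ID and timestamp to look for, which is the join between the two sources.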
0

The DeleteObjects API call can delete multiple objects in a single request. The CloudTrail log captures the fact that the operation occurred but does not include a detailed list of all objects deleted. The actual list of objects deleted might be in the request payload, which CloudTrail does not log by default.

CloudTrail events are limited in size, and including the entire list of objects (especially in a bulk delete operation) could exceed those limits. Therefore, AWS often omits this detailed information from the CloudTrail logs. The logs are more focused on recording the API call, the user who made the call, and the bucket affected rather than the specific contents of the request.

Looking at the docs for object-level logging in CloudTrail, object-level logging does support what you're asking for. However, it's good to note that if you have not enabled that object-level logging prior to the event, it will not populate it afterwards, only when the request is done.

So review your logging configuration, and go through the bucket where you log data events.

xanthic
answered 2 months ago
