Unable to find the path of a deleted file in Cloudtrail S3 data event logs

0

For audit purposes, I need to log all events (put and delete) for all files in a specific S3 bucket. I programmed a CloudTrail to store all data events for S3 buckets. Afterwards, I filter these log files for the entries of interest. For upload (put) actions, I have an ARN in the 'resources' field of the logs that describes the path of the uploaded file. For deletion actions, I only find an ARN of the bucket itself, not of the deleted files. Is there a way to retrieve this information from the logs?

  • please accept the answer if it was useful

2 Answers
1

You can use the Amazon S3 console to configure an AWS CloudTrail trail to log data events for objects in an S3 bucket. CloudTrail supports logging Amazon S3 object-level API operations such as GetObject, DeleteObject, and PutObject. These events are called data events.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html#enable-cloudtrail-events

Here’s an example of a DeleteObject event from CloudTrail logs:

{
    "eventVersion": "1.08",
    "userIdentity": {
        ...
    },
    "eventTime": "2024-06-12T14:58:59Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "DeleteObject",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-sdk-java",
    "requestParameters": {
        "bucketName": "example-bucket",
        "key": "example-file.txt"
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 0,
        "bytesTransferredOut": 0
    },
    "requestID": "C3D13FE58DE4C810",
    "eventID": "8f3b23bb-d466-4776-8880-cd34fa6c5e86",
    "readOnly": false,
    "resources": [
        {
            "type": "AWS::S3::Object",
            "ARN": "arn:aws:s3:::example-bucket/example-file.txt"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": false,
    "recipientAccountId": "123456789012"
}

profile picture
EXPERT
answered 4 months ago
profile pictureAWS
EXPERT
iBehr
reviewed 4 months ago
  • Perhaps just to clarify a bit more, the path of the file in S3 is the key in the listing above.

       "requestParameters": {
            "bucketName": "example-bucket",
            "key": "example-file.txt"
        },
    

    In this case the path of the file is just example-file.txt in the root of the bucket but this could be folder/folder/example-file.txt

    Hope this helps!

0

You can find the entire event details by further expanding that data event. There are two ways of doing:

1: Go to Cloudtrail console - > Event History -> choose Lookup attribute as Event Name -> Event name as DeleteObject -> Now you need to find out, which event you exactly want information from

  1. There is another better way of doing this is setup athena table on top of S3 data where cloudtrail data events are being stored. For more details look at Querying cloudtrail logs. This provides more flexibility to search the specific data that you are looking for based on what you specify in filter condition in your query(where clause). Usually volume of data events use to be so high and it's not effective to find the data events over console. Querying the data events through athena is advisable.

Comment here if you have additional questions. Happy to help.

profile pictureAWS
EXPERT
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions