RQL query for S3 Bucket activity

L1 Bithead

RQL query for S3 Bucket activity

Does anyone know how to write a query to look for S3 bucket activity, i.e. someone logging in to S3 buckets and performing some task such as creating objects, etc.?
sjk
L0 Member

Re: RQL query for S3 Bucket activity

You will need to have CloudTrail data events (S3) enabled for the logs to appear.

L1 Bithead

Re: RQL query for S3 Bucket activity

Thanks, I do have CloudTrail enabled. Just can't seem to find the right attribute to build the query. Here is my attempt.

event where cloud.account IN ( 'SRA-B2B San Jose' ) AND operation IN ( 'GetBucketLogging' ) ADDCOLUMN $.requestParameters.bucketName

sjk
L2 Linker

Re: RQL query for S3 Bucket activity

By default, CloudTrail records S3 bucket operations only. You would need to enable object logging per bucket to capture detailed events.

Refer here for the various API calls that are enabled by default for CloudTrail: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html

L2 Linker

Re: RQL query for S3 Bucket activity


@ebeuerlein wrote:

> By default, CloudTrail records S3 bucket operations only. You would need to enable object logging per bucket to capture detailed events.
>
> Refer here for the various API calls that are enabled by default for CloudTrail: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html


Junaid,
Once you have enabled object logging for the bucket in the specific account, try the following RQL to see if you get the results.

event where cloud.account = 'SRA-B2B San Jose' AND operation = 'GetBucketLogging'

L1 Bithead

Re: RQL query for S3 Bucket activity

Thank you,

I do have object-level logging enabled on the S3 buckets but still don't see the query executing anything. I get a blank page.

event where cloud.account = 'SRA-B2B San Jose' AND cloud.service = 's3.amazonaws.com' AND operation = 'GetBucketLogging'

sjk
L2 Linker

Re: RQL query for S3 Bucket activity

It depends on when you made the change. You may need to widen the time range to capture the exact event of when it was changed.

L2 Linker

Re: RQL query for S3 Bucket activity

Junaid,

Please try this RQL to get information on specific actions on S3 buckets:

event where cloud.account = 'SRA-B2B San Jose' AND operation IN ('DeleteBucket', 'PutBucketAcl', 'PutBucketLogging', 'PutBucketPolicy')

You can add more options from the drop-down options.
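The thread's point is that CloudTrail only shows bucket-level management events by default, while object-level calls (GetObject, PutObject, ...) need S3 data events turned on. The following offline filter, added here as an example and not code from the thread or from Prisma Cloud, mirrors the last RQL query over constructed CloudTrail JSON records (account id, principals and bucket names are placeholders) and adds the bucketName column the first query pulled in with ADDCOLUMN; it also reports whether any object-level event is present at all, which is the first thing to check when a query returns a blank page.

```python
import json

# Bucket-level management events that CloudTrail records by default
# (the operations from the last RQL query in the thread).
BUCKET_MGMT_OPS = {"DeleteBucket", "PutBucketAcl", "PutBucketLogging", "PutBucketPolicy"}
# Object-level operations; these only appear once S3 data events are enabled.
OBJECT_DATA_OPS = {"GetObject", "PutObject", "DeleteObject"}

# Constructed sample records in CloudTrail's JSON shape (all values are placeholders).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "recipientAccountId": "111111111111", "eventTime": "2020-01-01T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"bucketName": "example-bucket"}, "managementEvent": True},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "recipientAccountId": "111111111111", "eventTime": "2020-01-01T10:05:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
     "managementEvent": False},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "recipientAccountId": "111111111111", "eventTime": "2020-01-01T10:06:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {}, "managementEvent": True},
]})


def s3_bucket_activity(log_text, account_id, operations=BUCKET_MGMT_OPS):
    """Rows of (principal arn, operation, bucket, time) for S3 events in one account,
    equivalent to: cloud.account = X AND cloud.service = 's3.amazonaws.com'
    AND operation IN (...) ADDCOLUMN $.requestParameters.bucketName."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("recipientAccountId") != account_id:
            continue
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in operations:
            continue
        params = rec.get("requestParameters") or {}  # null when the call was denied
        rows.append((rec["userIdentity"].get("arn"), rec["eventName"],
                     params.get("bucketName"), rec["eventTime"]))
    return rows


def object_logging_looks_off(log_text):
    """True when no object-level S3 event appears: data events are probably not enabled."""
    names = {r.get("eventName") for r in json.loads(log_text)["Records"]
             if r.get("eventSource") == "s3.amazonaws.com"}
    return not (names & OBJECT_DATA_OPS)


if __name__ == "__main__":
    for row in s3_bucket_activity(SAMPLE_LOG, "111111111111"):
        print(row)
    print("object-level logging appears off:", object_logging_looks_off(SAMPLE_LOG))
```

Widen the time window and re-check the account id before concluding that logging is off, as the reply above notes; a filter that returns nothing for the right reason looks the same as one with the wrong account.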
