09-26-2019 07:26 AM - last edited on 09-02-2020 10:21 AM by kwadsack
Does anyone know how to write a query to look for S3 bucket activity, i.e. someone logging in to S3 buckets and performing some task such as creating objects etc.?
09-26-2019 09:32 AM
You will need to have CloudTrail data events (S3) enabled for the logs to appear.
09-26-2019 10:06 AM
Thanks, I do have CloudTrail enabled. I just can't seem to find the right attribute to build the query. Here is my attempt.
event where cloud.account IN ( 'SRA-B2B San Jose' ) AND operation IN ( 'GetBucketLogging' ) ADDCOLUMN $.requestParameters.bucketName
09-26-2019 10:58 AM
By default, CloudTrail records S3 bucket operations only. You would need to enable object logging per bucket to capture detailed events.
Refer here for the various API calls that are enabled by default for CloudTrail: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html
09-26-2019 11:23 AM
@ebeuerlein wrote:
By default, CloudTrail records S3 bucket operations only. You would need to enable object logging per bucket to capture detailed events.
Refer here for the various API calls that are enabled by default for CloudTrail: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html
Junaid,
Once you have enabled object logging for the bucket in the specific account, try the following RQL to see if you get the results.
event where cloud.account = 'SRA-B2B San Jose' AND operation = 'GetBucketLogging'
09-26-2019 02:43 PM
Thank You,
I do have object-level logging enabled on the S3 buckets but still don't see the query returning anything. I get a blank page.
event where cloud.account = 'SRA-B2B San Jose' AND cloud.service = 's3.amazonaws.com' AND operation = 'GetBucketLogging'
09-27-2019 07:22 AM
It depends on when you made the change; you may need to widen the time range to capture the exact event of when it was changed.
10-09-2019 10:51 AM
Junaid,
Please try this RQL to get information on specific actions on S3 buckets:
event where cloud.account = 'SRA-B2B San Jose' AND operation IN ('DeleteBucket', 'PutBucketAcl', 'PutBucketLogging', 'PutBucketPolicy')
You can add more options from the drop-down options.
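An added example, not from the thread: the same filter the RQL above expresses (account, S3 service, operation list, bucketName column), run in Python over constructed CloudTrail records. The account-alias mapping and the sample records are assumptions; the second function shows the check behind the earlier replies, namely that an object-operation query comes back empty when only bucket-level (management) events are being logged.

```python
import json

# Constructed mapping from CloudTrail recipientAccountId to the console account
# name used in the RQL (hypothetical; Prisma resolves this from its own inventory).
ACCOUNT_ALIASES = {"123456789012": "SRA-B2B San Jose"}

# Constructed CloudTrail records; field names follow the CloudTrail record format.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2019-09-26T14:10:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetBucketLogging", "recipientAccountId": "123456789012",
  "managementEvent": true, "requestParameters": {"bucketName": "example-logs"}},
 {"eventTime": "2019-09-26T14:12:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject", "recipientAccountId": "123456789012",
  "managementEvent": false,
  "requestParameters": {"bucketName": "example-data", "key": "report.csv"}},
 {"eventTime": "2019-09-26T14:13:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy", "recipientAccountId": "999999999999",
  "managementEvent": true, "requestParameters": {"bucketName": "other-acct"}},
 {"eventTime": "2019-09-26T14:14:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser", "recipientAccountId": "123456789012",
  "managementEvent": true, "requestParameters": {"userName": "svc"}}
]""")

def s3_events(records, account, operations):
    """event where cloud.account = <account> AND cloud.service = 's3.amazonaws.com'
    AND operation IN (<operations>) ADDCOLUMN $.requestParameters.bucketName"""
    wanted = set(operations)
    rows = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        if ACCOUNT_ALIASES.get(r.get("recipientAccountId")) != account:
            continue
        if r.get("eventName") not in wanted:
            continue
        params = r.get("requestParameters") or {}
        rows.append({"time": r["eventTime"], "operation": r["eventName"],
                     "bucketName": params.get("bucketName"),
                     "key": params.get("key"),
                     "dataEvent": not r.get("managementEvent", True)})
    return rows

def object_logging_present(records, account):
    """True if any S3 data (object-level) event exists for the account. False means
    object-level logging is probably not enabled, so object queries return nothing."""
    return any(not r.get("managementEvent", True) for r in records
               if r.get("eventSource") == "s3.amazonaws.com"
               and ACCOUNT_ALIASES.get(r.get("recipientAccountId")) == account)
```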