RQL query for S3 Bucket activity

L1 Bithead

Does anyone know how to write a query to look for S3 bucket activity, i.e., someone logging in to S3 buckets and performing some task such as creating objects, etc.?

sjk

7 Replies

L0 Member

You will need to have CloudTrail data events (S3) enabled for the logs to appear.

Thanks, I do have CloudTrail enabled. Just can't seem to find the right attribute to build the query. Here is my attempt.


event where cloud.account IN ( 'SRA-B2B San Jose' ) AND operation IN ( 'GetBucketLogging' ) ADDCOLUMN $.requestParameters.bucketName

sjk

By default, CloudTrail records S3 bucket operations only. You would need to enable object logging per bucket to capture detailed events.


Refer here for the various API calls that are enabled by default for CloudTrail: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html
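The point made in this reply and in the accepted answer (bucket-level S3 calls are logged by default, object-level calls only where S3 data events are enabled for that bucket) as an added example that is not from this thread, from AWS or from Prisma Cloud: given a trail's event selectors in the shape `aws cloudtrail get-event-selectors` returns and a few constructed CloudTrail records, it reports which S3 events the trail would never emit, so a blank RQL result can be traced back to the trail configuration. Bucket names and records are constructed, and the sets of object-level and write event names are an assumption sufficient for the demo.

```python
# Which S3 CloudTrail records will a trail actually emit, given its event
# selectors? Bucket-level (management) calls are logged by default; object-level
# (data) calls only where S3 data events cover that bucket. All inputs are
# constructed samples; the event-name sets are an assumption for the demo.
DATA_EVENTS = {"GetObject", "PutObject", "DeleteObject", "HeadObject", "CopyObject"}
WRITE_EVENTS = {"PutObject", "DeleteObject", "CopyObject"}

def is_data_event(record):
    return record["eventSource"] == "s3.amazonaws.com" and record["eventName"] in DATA_EVENTS

def _rw_matches(selector, record):
    # ReadWriteType ("ReadOnly" / "WriteOnly" / "All") filters both event kinds
    mode = selector.get("ReadWriteType", "All")
    return mode == "All" or (mode == "WriteOnly") == (record["eventName"] in WRITE_EVENTS)

def is_logged(record, selectors):
    """True if at least one event selector of the trail captures this record."""
    params = record["requestParameters"]
    object_arn = "arn:aws:s3:::" + params["bucketName"] + "/" + params.get("key", "")
    for sel in selectors:
        if not _rw_matches(sel, record):
            continue
        if not is_data_event(record):  # management event: on unless switched off
            if sel.get("IncludeManagementEvents", True):
                return True
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            # Values are ARN prefixes: "arn:aws:s3" alone covers every bucket,
            # "arn:aws:s3:::name/" one bucket, "arn:aws:s3:::name/logs/" one prefix
            if any(object_arn.startswith(v) for v in res.get("Values", [])):
                return True
    return False

def audit(records, selectors):
    """(eventName, bucket) pairs the trail would silently drop."""
    return [(r["eventName"], r["requestParameters"]["bucketName"])
            for r in records if not is_logged(r, selectors)]
# Constructed: the shape `aws cloudtrail get-event-selectors` returns for a trail
# that logs management events plus object-level events for one bucket only.
SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
              "DataResources": [{"Type": "AWS::S3::Object",
                                 "Values": ["arn:aws:s3:::example-bucket-a/"]}]}]
RECORDS = [  # constructed CloudTrail records, trimmed to the fields used here
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketLogging",
     "requestParameters": {"bucketName": "example-bucket-b"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "example-bucket-a", "key": "reports/q1.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "example-bucket-b", "key": "x.bin"}},
]
# audit(RECORDS, SELECTORS) -> [("PutObject", "example-bucket-b")]
```

The GetBucketLogging call in the thread is a management event and is logged regardless of data-event settings; an object-level PutObject on a bucket outside the selector's Values is the one that never reaches the trail, and therefore never reaches an RQL event query.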


@ebeuerlein wrote:

By default, CloudTrail records S3 bucket operations only. You would need to enable object logging per bucket to capture detailed events.

Refer here for the various API calls that are enabled by default for CloudTrail: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html


Junaid,
Once you have enabled object logging for the bucket in the specific account, try the following RQL to see if you get the results. 


event where cloud.account = 'SRA-B2B San Jose' AND operation = 'GetBucketLogging' 


Thank You, 


I do have object-level logging enabled on the S3 buckets but still don't see the query executing anything. I get a blank page.

event where cloud.account = 'SRA-B2B San Jose' AND cloud.service = 's3.amazonaws.com' AND operation = 'GetBucketLogging'

sjk

It depends on when you made the change - you may need to widen the time range to capture the exact event of when it was changed.

Junaid,

Please try this RQL to get information on specific actions on S3 buckets:


event where cloud.account = 'SRA-B2B San Jose' AND operation IN ('DeleteBucket', 'PutBucketAcl', 'PutBucketLogging', 'PutBucketPolicy')

You can add more options from the drop-down options.
