Object-level logging should be enabled for S3 bucket read events

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don’t log data events and so it is recommended to enable Object-level logging for S3 buckets.

Rationale

Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account, and take immediate actions on any object-level API activity within your S3 buckets using Amazon CloudWatch Events.

Remediation

From the console

  1. Login to the AWS Management Console and navigate to the S3 dashboard.
  2. In the left navigation panel, select buckets, and then select the S3 Bucket Name that you want to examine.
  3. Click the Properties tab to see the bucket configuration details.
  4. Click the Object-level logging setting, and enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console.
  5. Once the Cloudtrail is selected, select the Read event checkbox to enable object-level logging for Read events.
  6. Repeat steps 2 to 5 to enable object-level logging of read events for other S3 buckets.

From the commandline

  1. To enable object-level data events logging for S3 buckets within your AWS account, run the put-event-selectors command using the name of the trail that you want to reconfigure as the identifier:

    aws cloudtrail put-event-selectors \
       --region <insert-region-name> \
       --trail-name <insert-trail-name> \
       --event-selectors '[{ "ReadWriteType": "ReadOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]'
    
  2. The command output will be the object-level event trail configuration.

  3. To enable it for all buckets at once, change the Values parameter to ["arn:aws:s3"].

  4. Repeat step 1 for each s3 bucket to update object-level logging of read events.

  5. Change the AWS region by updating the –region command parameter and perform the process for other regions.

References