Object-level logging should be enabled for S3 bucket write events
Description
S3 object-level API operations such as GetObject, DeleteObject, and PutObject are classified as data events and are not logged by default in CloudTrail. Enabling object-level logging for S3 buckets is recommended so that these events are captured for compliance, security analysis, and monitoring of user activity patterns within your AWS account.
To satisfy this check, a multi-region trail must exist whose data event logging for S3 objects is configured with either advanced or basic event selectors.
Advanced Field Selectors:
```json
[
  {
    "field": "eventCategory",
    "equals": ["Data"]
  },
  {
    "field": "resources.type",
    "equals": ["AWS::S3::Object"]
  },
  {
    "field": "readOnly",
    "equals": ["false"]
  }
]
```
Basic Field Selectors:
```json
{ "type": "AWS::S3::Object", "values": ["arn:aws:s3"] }
{ "read_write_type": "writeOnly" }
```
The `read_write_type` may be `writeOnly` or `all`; `arn:aws:s3` as the value selects every bucket in the account.
Additional fields such as eventType should not be used, as they narrow the scope of what is logged. For instructions on enabling object-level logging for S3 buckets in CloudTrail, refer to the AWS CloudTrail User Guide on Logging Data Events.
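As an added example (not code from this page or from the tool it documents), the following Python evaluates a trail's configuration against the selector requirements above. The dictionaries are constructed samples shaped like the real CloudTrail `describe_trails` and `get_event_selectors` responses; the set of advanced fields treated as non-narrowing is this script's own assumption.

```python
"""Decide whether a CloudTrail trail logs S3 object write data events."""

# Assumption: only these advanced-selector fields keep the S3 write scope intact;
# anything else (eventType, eventName, ...) narrows logging and fails the check.
NON_NARROWING_FIELDS = {"eventCategory", "resources.type", "readOnly", "resources.ARN"}


def advanced_selector_covers_s3_writes(selector: dict) -> bool:
    """One advanced event selector logs S3 object data events including writes."""
    fields = {f["Field"]: f for f in selector.get("FieldSelectors", [])}
    if set(fields) - NON_NARROWING_FIELDS:
        return False
    if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
        return False
    if fields.get("resources.type", {}).get("Equals") != ["AWS::S3::Object"]:
        return False
    # readOnly omitted means reads and writes; "false" means writes only.
    read_only = fields.get("readOnly")
    return read_only is None or read_only.get("Equals") == ["false"]


def basic_selector_covers_s3_writes(selector: dict) -> bool:
    """One basic event selector logs S3 object writes for all buckets."""
    if selector.get("ReadWriteType") not in ("All", "WriteOnly"):
        return False
    return any(r.get("Type") == "AWS::S3::Object" and "arn:aws:s3" in r.get("Values", [])
               for r in selector.get("DataResources", []))


def trail_satisfies_check(trail: dict, selectors: dict) -> bool:
    """Combine trail attributes (describe_trails) with its selectors (get_event_selectors)."""
    if not trail.get("IsMultiRegionTrail"):
        return False
    if any(advanced_selector_covers_s3_writes(s) for s in selectors.get("AdvancedEventSelectors", [])):
        return True
    return any(basic_selector_covers_s3_writes(s) for s in selectors.get("EventSelectors", []))


# Constructed sample responses (placeholder names) in the real API shape.
TRAIL_MULTI_REGION = {"Name": "org-trail", "IsMultiRegionTrail": True}
SELECTORS_ADVANCED_OK = {"AdvancedEventSelectors": [{"Name": "s3-writes", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Data"]},
    {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
    {"Field": "readOnly", "Equals": ["false"]}]}]}
SELECTORS_NARROWED = {"AdvancedEventSelectors": [{"Name": "too-narrow", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Data"]},
    {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
    {"Field": "eventType", "Equals": ["AwsApiCall"]}]}]}
SELECTORS_BASIC_READ_ONLY = {"EventSelectors": [{"ReadWriteType": "ReadOnly",
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]}
```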