Data Events for S3 Buckets – Logging and Monitoring – SCS-C02 Study Guide

Data Events for S3 Buckets

When you created your new trail, you enabled data events for S3 objects. These logs closely resemble S3 access logs, but they are stored in the CloudTrail logging system rather than in a specified S3 bucket (as S3 access logs are). One of the most obvious reasons to do this is a multi-account setup with a dedicated logging account, where all CloudTrail logs flow to a separate account that nobody but the audit or security team can access. This keeps a record of S3 object activity for each account where data events have been enabled, separate from the account in which the activity is actually happening.

It is often possible to view the properties of an S3 bucket and see that S3 access logging has been enabled. If someone has access to that bucket, they might also have permission to turn off that logging and delete the logs. With data events for S3, the fact that the events are being recorded appears only in the settings of the CloudTrail service itself, not in the bucket settings. If you have placed the right access controls on the CloudTrail service, via an organizational/account service control policy, finely scoped permissions for roles, or both, then you have a better protective barrier around your log generation service.

With your new trail created, you need to perform some activity in your account and/or your S3 buckets so that the trail can record your actions. Go ahead and browse through your AWS Management Console so that some management events are recorded. The following section will show you how to search through these events.

Querying the Event History in CloudTrail

In the AWS Console, you can search through events that have occurred in the past 90 days. If you need to search a period before that, you have to either import your logs into a third-party tool, query the compressed logs delivered to an S3 bucket with Amazon Athena, or download the logs to a local system and build your own search index.

The following steps will show you how you can use the CloudTrail service to perform a few simple queries and see what you can discover:

  1. First, log directly into the CloudTrail service using the following URL: https://packt.link/eq3Yi.
  2. Once on the CloudTrail service, from the left-hand menu, click on Event history.

Figure 7.14: CloudTrail service menu

You will be brought to the main event history page. This should be all the API calls performed for the Region that you are currently in.

  3. Next, turn your attention to where the page says Lookup attributes. Filter by Event source.

Figure 7.15: Event source selection for a CloudTrail query

  4. In the search box next to the lookup attribute, where you can enter the event source, enter s3.amazonaws.com.

Figure 7.16: Event source selection for a CloudTrail query

You should now have a filtered list of only S3 events on the page in front of you.

If you click on the X by s3.amazonaws.com, you can test different event sources.
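The console filter above works on the same records that CloudTrail delivers to the logging account's bucket. The following script is an added example (not code from the book or from AWS) that applies the same Event source filter to a constructed CloudTrail log file, separates S3 data events from S3 management events, and flags the write calls that would turn logging off (the risk described earlier in this section). The account ID, bucket name, user names and timestamps are made up.

```python
import json
from collections import Counter

# Constructed sample in the shape of a CloudTrail log file ("Records" array);
# the account id, bucket, users and times are invented for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "managementEvent": False, "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q1.csv"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLogging", "managementEvent": True, "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "finance-reports", "BucketLoggingStatus": {}}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "managementEvent": True, "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "org-trail"}},
]})

# Write calls that stop or weaken log generation: an empty BucketLoggingStatus
# on PutBucketLogging switches S3 access logging off; PutEventSelectors can
# strip the S3 data events from a trail.
TAMPERING_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "s3.amazonaws.com": {"PutBucketLogging", "DeleteBucket"},
}

def load_records(log_text):
    return json.loads(log_text)["Records"]

def lookup_by_event_source(records, event_source):
    """Same filter as the console's Lookup attributes -> Event source."""
    return [r for r in records if r.get("eventSource") == event_source]

def flag_log_tampering(records):
    """(eventName, actor ARN) for write events that could disable logging."""
    return [(r["eventName"], r["userIdentity"]["arn"]) for r in records
            if r["eventName"] in TAMPERING_EVENTS.get(r.get("eventSource"), ())
            and not r.get("readOnly", False)]

def summarize(log_text):
    records = load_records(log_text)
    s3 = lookup_by_event_source(records, "s3.amazonaws.com")
    data = [r for r in s3 if not r.get("managementEvent", True)]
    return {"s3_data_events": len(data),
            "s3_management_events": len(s3) - len(data),
            "per_bucket": dict(Counter(r["requestParameters"]["bucketName"] for r in data)),
            "log_tampering": flag_log_tampering(records)}
```

Calling `summarize(SAMPLE_LOG)` reports one S3 data event and one S3 management event, and flags both the PutBucketLogging and the StopLogging calls made by the same principal.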

Having learned how to look up and query events in CloudTrail, the next step is to explore how CloudTrail can be expanded with CloudTrail Lake.