 

Enable object logging on s3 bucket via cloudformation

In AWS S3, you have the ability to visit the console and add 'Object-level logging' to a bucket. You create or select a pre-existing trail and select read and write log types.

Now I am creating buckets via Yaml CloudFormation and want to add a pre-existing trail (or create a new one) to these too. How do I do that? I can't find any examples.

asked by Paul, Oct 06 '19 12:10




1 Answer

Object logging for S3 buckets with CloudTrail is done by defining so-called event selectors for data events in CloudTrail. That is available through CloudFormation as well. The following CloudFormation template shows how that's done. The important part is in the lower half (the upper half is just for setting up an S3 bucket CloudTrail can log to):

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  s3BucketForTrailData:
    Type: "AWS::S3::Bucket"
  trailBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket: !Ref s3BucketForTrailData
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Principal:
            Service: "cloudtrail.amazonaws.com"
          Action: "s3:GetBucketAcl"
          Resource: !Sub "arn:aws:s3:::${s3BucketForTrailData}"
        - Effect: Allow
          Principal:
            Service: "cloudtrail.amazonaws.com"
          Action: "s3:PutObject"
          Resource: !Sub "arn:aws:s3:::${s3BucketForTrailData}/AWSLogs/${AWS::AccountId}/*"
          Condition:
            StringEquals:
              "s3:x-amz-acl": "bucket-owner-full-control"

  s3BucketToBeLogged:
    Type: "AWS::S3::Bucket"
  cloudTrailTrail:
    Type: "AWS::CloudTrail::Trail"
    DependsOn:
      - trailBucketPolicy
    Properties:
      IsLogging: true
      S3BucketName: !Ref s3BucketForTrailData
      EventSelectors:
        - DataResources:
            - Type: "AWS::S3::Object"
              Values:
                - "arn:aws:s3:::"  # log data events for all S3 buckets
                - !Sub "${s3BucketToBeLogged.Arn}/"  # log data events for the S3 bucket defined above
          IncludeManagementEvents: true
          ReadWriteType: All

For more details check out the CloudFormation documentation for CloudTrail event selectors.

answered by Dunedan, Nov 15 '22 04:11
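A check worth running in CI before deploying a template like the one in the answer: does it actually give the target bucket data-event (object-level) logging, and does the trail's log bucket carry the bucket policy CloudTrail needs? The script below is an added example, not code from the answer or from AWS. It embeds the answer's template in its JSON form (constructed here, with the all-buckets `arn:aws:s3:::` wildcard left out so the per-bucket match is exercised), resolves `Ref`, `Fn::GetAtt` and `Fn::Sub` symbolically using each bucket's logical ID as a stand-in bucket name, and uses a placeholder account ID. It runs offline with no AWS credentials or extra packages.

```python
"""Offline check that a CloudFormation template enables CloudTrail S3 data-event
(object-level) logging for a bucket and that the trail's log bucket policy is right.
Added example, not code from the original answer; the template below is the JSON
form of the answer's YAML, embedded here so the check runs without AWS access."""
import copy
import re

ACCOUNT_ID = "123456789012"  # placeholder value used to render ${AWS::AccountId}


def resolve(value, resources):
    """Resolve Ref / Fn::GetAtt / Fn::Sub to a string. Buckets are given their logical
    ID as a pseudo bucket name, so a bucket ARN renders as arn:aws:s3:::<LogicalId>."""
    if isinstance(value, str):
        return value
    if "Ref" in value:
        return ACCOUNT_ID if value["Ref"] == "AWS::AccountId" else value["Ref"]
    if "Fn::GetAtt" in value:
        lid, attr = value["Fn::GetAtt"]
        if attr == "Arn" and resources[lid]["Type"] == "AWS::S3::Bucket":
            return f"arn:aws:s3:::{lid}"
        raise ValueError(f"unsupported GetAtt {lid}.{attr}")
    if "Fn::Sub" in value:
        def repl(m):
            expr = m.group(1)
            if "." in expr:  # ${Logical.Attr} form
                return resolve({"Fn::GetAtt": expr.split(".", 1)}, resources)
            return resolve({"Ref": expr}, resources)
        return re.sub(r"\$\{([^}]+)\}", repl, value["Fn::Sub"])
    raise ValueError(f"unsupported intrinsic {value}")


def s3_data_event_prefixes(template, read_write="All"):
    """ARN prefixes for which an active trail records S3 data events of the requested
    kind ("ReadOnly", "WriteOnly" or "All"); "All" is only satisfied by an All selector."""
    res = template["Resources"]
    prefixes = set()
    for r in res.values():
        props = r.get("Properties", {})
        if r["Type"] != "AWS::CloudTrail::Trail" or props.get("IsLogging") is not True:
            continue
        for sel in props.get("EventSelectors", []):
            rwt = sel.get("ReadWriteType", "All")  # CloudFormation default is All
            if rwt != "All" and rwt != read_write:
                continue
            for dr in sel.get("DataResources", []):
                if dr.get("Type") == "AWS::S3::Object":
                    prefixes.update(resolve(v, res) for v in dr.get("Values", []))
    return prefixes


def bucket_is_logged(template, bucket_logical_id, read_write="All"):
    """True if the bucket's objects are covered, either by the documented all-buckets
    wildcard or by the bucket ARN with a trailing slash (all objects in that bucket)."""
    wanted = f"arn:aws:s3:::{bucket_logical_id}/"
    return any(p in ("arn:aws:s3:::", "arn:aws:s3", wanted)
               for p in s3_data_event_prefixes(template, read_write))


def trail_bucket_policy_ok(template, trail_logical_id):
    """The log bucket must let cloudtrail.amazonaws.com call GetBucketAcl on the bucket
    and PutObject under AWSLogs/<account>/* with the bucket-owner-full-control ACL."""
    res = template["Resources"]
    bucket = resolve(res[trail_logical_id]["Properties"]["S3BucketName"], res)
    need = {("s3:GetBucketAcl", f"arn:aws:s3:::{bucket}", None),
            ("s3:PutObject", f"arn:aws:s3:::{bucket}/AWSLogs/{ACCOUNT_ID}/*",
             "bucket-owner-full-control")}
    found = set()
    for r in res.values():
        if r["Type"] != "AWS::S3::BucketPolicy" or resolve(r["Properties"]["Bucket"], res) != bucket:
            continue
        for st in r["Properties"]["PolicyDocument"]["Statement"]:
            if st.get("Effect") == "Allow" and st.get("Principal", {}).get("Service") == "cloudtrail.amazonaws.com":
                acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
                found.add((st["Action"], resolve(st["Resource"], res), acl))
    return need <= found


def with_read_write_type(template, rwt):
    """Copy of the template with every trail selector set to rwt (to model a weak config)."""
    t = copy.deepcopy(template)
    for r in t["Resources"].values():
        if r["Type"] == "AWS::CloudTrail::Trail":
            for sel in r["Properties"]["EventSelectors"]:
                sel["ReadWriteType"] = rwt
    return t


# Constructed input: JSON form of the answer's template, all-buckets wildcard omitted.
TEMPLATE = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
    "s3BucketForTrailData": {"Type": "AWS::S3::Bucket"},
    "trailBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "s3BucketForTrailData"},
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl",
             "Resource": {"Fn::Sub": "arn:aws:s3:::${s3BucketForTrailData}"}},
            {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             "Resource": {"Fn::Sub": "arn:aws:s3:::${s3BucketForTrailData}/AWSLogs/${AWS::AccountId}/*"},
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}}},
    "s3BucketToBeLogged": {"Type": "AWS::S3::Bucket"},
    "cloudTrailTrail": {"Type": "AWS::CloudTrail::Trail", "DependsOn": ["trailBucketPolicy"],
        "Properties": {"IsLogging": True, "S3BucketName": {"Ref": "s3BucketForTrailData"},
            "EventSelectors": [{"IncludeManagementEvents": True, "ReadWriteType": "All",
                "DataResources": [{"Type": "AWS::S3::Object",
                    "Values": [{"Fn::Sub": "${s3BucketToBeLogged.Arn}/"}]}]}]}}}}

if __name__ == "__main__":
    print("bucket logged:", bucket_is_logged(TEMPLATE, "s3BucketToBeLogged"))
    print("log bucket policy ok:", trail_bucket_policy_ok(TEMPLATE, "cloudTrailTrail"))
    print("after ReadOnly:", bucket_is_logged(with_read_write_type(TEMPLATE, "ReadOnly"), "s3BucketToBeLogged"))
```

Two things the check deliberately catches: a selector whose `ReadWriteType` is `ReadOnly` satisfies a request for read coverage but not for write or full coverage, which is the usual gap when someone wants to know who deleted or overwrote an object; and the trail bucket itself is not covered once the all-buckets wildcard is dropped, which is normally what you want, since logging the log bucket produces a feedback loop of data events.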