Logs for actions on amazon s3 / other AWS services

I am trying to see which user was responsible for changes in S3 (at the bucket level). I could not find an audit trail for actions done at the S3 bucket level, or in EC2 for who created instances. Beanstalk has a log of the actions the machine performed, but not of which user performed them.

Is there a way around AWS that we can see this information in IAM or any other location?

P.S.: I am not interested in S3 log buckets, which provide access logs.

Sairam asked Feb 07 '13 17:02



2 Answers

Update

AWS has just announced AWS CloudTrail, finally making auditing API calls available as of today (and for free), see the introductory post AWS CloudTrail - Capture AWS API Activity for details:

Do you have the need to track the API calls for one or more AWS accounts? If so, the new AWS CloudTrail service is for you.

Once enabled, AWS CloudTrail records the calls made to the AWS APIs using the AWS Management Console, the AWS Command Line Interface (CLI), your own applications, and third-party software and publishes the resulting log files to the Amazon S3 bucket of your choice. CloudTrail can also issue a notification to an Amazon SNS topic of your choice each time a file is published. Each call is logged in JSON format for easy parsing and processing.

Please note the following (temporary) constraints:

  • Not all services are covered yet, though the most important ones are included in the initial release already and AWS plans to add support for additional services over time.
    • Update: AWS has recently added Seven New Services, and another one today, see below.
  • More importantly, not all regions are supported yet (right now the US East (Northern Virginia), and US West (Oregon) Regions only), though AWS will be adding support for additional Regions as quickly as possible.
    • Update: AWS has just added More Locations and Services, quickly approaching coverage of their entire Global Infrastructure indeed.

Initial Answer

This is a long-standing feature request, but unfortunately AWS does not provide (public) audit trails as of today. The most reasonable way to add this feature would probably be a respective extension to AWS Identity and Access Management (IAM), which is the increasingly ubiquitous authentication and authorization layer for access to AWS resources across all existing (and almost certainly future) Products & Services.

Accordingly, there are a few respective answers provided within the IAM FAQs along these lines:

  • Will AWS Identity and Access Management administrative actions be logged to an audit trail?:
    No. This is planned for a future release.
  • Will user actions in AWS services be logged to an audit trail?
    No. This is planned for a future release.
Steffen Opel answered Sep 19 '22 16:09


Current pricing for a single CloudTrail is free.

1. Enable CloudTrail

Use the CloudTrail dashboard and send all events to an S3 bucket, e.g. my-cloudtrail

2. Go Through the Results

The CloudTrail dashboard lets you do some cursory searches, but if you have many thousands of events, it's a pain to use.

Let's say I want the actions for user foo_user; I just use the CLI tool:

# Pull the delivered log files locally (same bucket as in step 1)
mkdir -p /tmp/cloudtrail
cd /tmp/cloudtrail
aws s3 sync s3://my-cloudtrail .
cd AWSLogs
# Each file is gzipped JSON with a top-level "Records" array; print
# "<eventName> <userName>" per record and keep foo_user's distinct actions
zcat $(find . -type f) | jq '.Records[] | "\(.eventName) \(.userIdentity.userName)"' | grep foo_user | sort | uniq

Example Output:

"CreateGrant foo_user"
"DescribeInstances foo_user"
"GetConsoleOutput foo_user"
"ModifyInstanceAttribute foo_user"
"StartInstances foo_user"
"StopInstances foo_user"

Note: S3 data events are billed differently in CloudTrail, but this is somewhat redundant, because you can just enable logging on your S3 bucket and grep those logs, or point them at Logstash/Kibana.

Joseph Lust answered Sep 22 '22 16:09
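The first answer describes CloudTrail delivering JSON log files to an S3 bucket, and the second answer greps those files with jq for one user's actions. The following Python script is an added example, not code from either answer or from AWS: it walks a directory of synced CloudTrail files (plain or gzipped), names the principal behind each record, and filters down to the state-changing S3 bucket-level events the original question asked about. It goes one step beyond the jq one-liner: an assumed-role session has no `userIdentity.userName`, so the jq filter would print `null` for it, and the script falls back to the issuing role name instead. The log records, account id, ARNs, IP addresses and names are all constructed for the example; the `Create`/`Put`/`Delete` prefix test is a heuristic for "mutating" rather than an AWS-defined classification.

```python
import gzip
import json
import os
import tempfile
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample in the shape of one CloudTrail log file: a JSON object
# with a top-level "Records" list. Every value below is made up.
SAMPLE_LOG = {
    "Records": [
        {"eventTime": "2013-11-13T10:15:02Z", "eventSource": "s3.amazonaws.com",
         "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "foo_user",
                          "arn": "arn:aws:iam::111122223333:user/foo_user"},
         "requestParameters": {"bucketName": "my-cloudtrail"}},
        {"eventTime": "2013-11-13T10:16:40Z", "eventSource": "s3.amazonaws.com",
         "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.7",
         # Role sessions carry no userName; the issuing role sits deeper.
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-job-42",
                          "sessionContext": {"sessionIssuer": {"userName": "DeployRole"}}},
         "requestParameters": {"bucketName": "old-assets"}},
        {"eventTime": "2013-11-13T10:20:11Z", "eventSource": "s3.amazonaws.com",
         "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
         "userIdentity": {"type": "IAMUser", "userName": "foo_user"},
         "requestParameters": None},  # read-only, no bucketName: not a change
        {"eventTime": "2013-11-13T11:02:55Z", "eventSource": "ec2.amazonaws.com",
         "eventName": "RunInstances", "sourceIPAddress": "203.0.113.25",
         "userIdentity": {"type": "IAMUser", "userName": "bar_user"},
         "requestParameters": {"instanceType": "m1.small"}},
    ]
}

# Heuristic (assumption, not an AWS classification) for state-changing calls.
MUTATING_PREFIXES = ("Create", "Put", "Delete")


def actor(record: Dict) -> str:
    """Name the principal behind a record: IAM user name if present, else the
    role that issued the session, else the raw ARN. A plain jq
    `.userIdentity.userName` prints null for the role-session case."""
    ident = record.get("userIdentity") or {}
    if ident.get("userName"):
        return ident["userName"]
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("userName") or ident.get("arn") or "unknown"


def iter_records(log_dir: str) -> Iterator[Dict]:
    """Yield every record from the .json / .json.gz files under log_dir,
    the layout `aws s3 sync` leaves behind when pulling a CloudTrail bucket."""
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            opener = gzip.open if name.endswith(".gz") else open
            with opener(path, "rt") as fh:
                yield from json.load(fh).get("Records", [])


def bucket_changes(records: Iterable[Dict], user: Optional[str] = None) -> List[Dict]:
    """Keep S3 events that change a bucket (Create*/Put*/Delete* carrying a
    bucketName), optionally restricted to one principal."""
    out = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if not rec.get("eventName", "").startswith(MUTATING_PREFIXES):
            continue
        bucket = (rec.get("requestParameters") or {}).get("bucketName")
        if not bucket:
            continue
        who = actor(rec)
        if user is not None and who != user:
            continue
        out.append({"eventTime": rec.get("eventTime"), "eventName": rec["eventName"],
                    "bucket": bucket, "actor": who, "sourceIP": rec.get("sourceIPAddress")})
    return out


def summarize(records: Iterable[Dict]) -> Counter:
    """Count (eventName, actor) pairs across all services, the same view the
    answer's `sort | uniq` pipeline gives, but with role sessions named."""
    return Counter((rec.get("eventName"), actor(rec)) for rec in records)


def write_sample_log(directory: Optional[str] = None) -> str:
    """Write SAMPLE_LOG as a gzipped file, mimicking a synced CloudTrail
    delivery, and return the directory it was written to."""
    directory = directory or tempfile.mkdtemp(prefix="cloudtrail-")
    os.makedirs(directory, exist_ok=True)
    with gzip.open(os.path.join(directory, "sample_CloudTrail.json.gz"), "wt") as fh:
        json.dump(SAMPLE_LOG, fh)
    return directory


if __name__ == "__main__":
    log_dir = write_sample_log()
    for change in bucket_changes(iter_records(log_dir)):
        print(change)
    for (event, who), count in sorted(summarize(SAMPLE_LOG["Records"]).items()):
        print(f"{count:3d} {event} {who}")
```

Point `iter_records` at the `AWSLogs` directory produced by the `aws s3 sync` step to run it over real deliveries; the `DeleteBucket` record in the sample is the case the jq one-liner misses, since it is attributed to `DeployRole` only through `sessionContext.sessionIssuer`.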