Description:
S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.
Rationale:
Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.
Remediation:
From Console:
1. Login to the AWS Management Console and navigate to the S3 dashboard at https://console.aws.amazon.com/s3/
2. In the left navigation panel, click Buckets and then click on the S3 bucket name that you want to examine.
3. Click the Properties tab to see the bucket configuration in detail.
4. Click on the Object-level logging setting and enter the CloudTrail name for the recording activity. You can choose an existing CloudTrail or create a new one by navigating to the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
5. Once the CloudTrail is selected, check the Write event checkbox, so that object-level logging for Write events is enabled.
6. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.

From Command Line:
1. To enable object-level data event logging for S3 buckets within your AWS account, run the put-event-selectors command using the name of the trail that you want to reconfigure as identifier:
aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "WriteOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]'
2. The command output will be the object-level event trail configuration.
3. If you want to enable it for all buckets at once, change the Values parameter to ["arn:aws:s3"] in the command given above.
4. Repeat step 1 for each S3 bucket to update object-level logging of write events.
5. Change the AWS region by updating the --region command parameter and perform the process for other regions.
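The CLI procedure above has two points worth checking before it is run: put-event-selectors replaces the trail's entire selector list (so any existing selectors must be resubmitted, not just the new one), and a value such as "arn:aws:s3:::<bucket>/prefix/" covers only part of a bucket. The following script, an added example that is not part of the CIS text or any AWS tooling, audits the JSON returned by aws cloudtrail get-event-selectors for a list of buckets and builds the corrected selector list and command. The trail document, account id and bucket names are constructed; only the basic "EventSelectors" form is handled, not "AdvancedEventSelectors".

```python
"""Audit and build CloudTrail event selectors for S3 object-level write logging.

Added example; not code from the CIS benchmark or from AWS. It works offline on
the JSON document that `aws cloudtrail get-event-selectors --trail-name <trail-name>`
returns. The sample trail document and bucket names below are constructed.
"""
import copy
import json
import shlex

ALL_S3_OBJECTS = "arn:aws:s3"  # the value that logs data events for every bucket


def covers_whole_bucket(value: str, bucket: str) -> bool:
    """True if a DataResources value logs events for all objects in `bucket`.

    "arn:aws:s3" covers every bucket; "arn:aws:s3:::<bucket>/" covers one bucket.
    A value with an object prefix ("arn:aws:s3:::<bucket>/images/") covers only
    part of the bucket and is therefore treated as not compliant.
    """
    return value == ALL_S3_OBJECTS or value == f"arn:aws:s3:::{bucket}/"


def write_events_logged(event_selectors: list, bucket: str) -> bool:
    """True if some selector logs write data events for all objects in `bucket`."""
    for sel in event_selectors:
        # ReadWriteType defaults to "All"; a ReadOnly selector never logs PutObject/DeleteObject
        if sel.get("ReadWriteType", "All") == "ReadOnly":
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            if any(covers_whole_bucket(v, bucket) for v in res.get("Values", [])):
                return True
    return False


def audit(trail_doc: dict, buckets: list) -> dict:
    """Map each bucket name to whether the trail logs its write data events."""
    selectors = trail_doc.get("EventSelectors", [])
    return {b: write_events_logged(selectors, b) for b in buckets}


def add_s3_write_selector(event_selectors: list, buckets: list) -> list:
    """Return a selector list that additionally logs write events for `buckets`.

    put-event-selectors replaces the trail's whole selector list, so the
    existing selectors are copied and kept rather than overwritten.
    """
    updated = copy.deepcopy(event_selectors)
    updated.append({
        "ReadWriteType": "WriteOnly",
        "IncludeManagementEvents": True,
        "DataResources": [{
            "Type": "AWS::S3::Object",
            "Values": [f"arn:aws:s3:::{b}/" for b in buckets],
        }],
    })
    return updated


def remediation_command(trail_name: str, region: str, event_selectors: list) -> str:
    """Render the put-event-selectors command for the updated selector list."""
    return (
        f"aws cloudtrail put-event-selectors --region {shlex.quote(region)} "
        f"--trail-name {shlex.quote(trail_name)} "
        f"--event-selectors {shlex.quote(json.dumps(event_selectors))}"
    )


# Constructed sample of a get-event-selectors response (account id and names are fake).
SAMPLE_TRAIL = json.loads("""
{
  "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
  "EventSelectors": [
    {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": true,
     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::audit-archive/"]}]},
    {"ReadWriteType": "All", "IncludeManagementEvents": true,
     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::app-data/"]}]}
  ]
}
""")
BUCKETS = ["app-data", "audit-archive", "uploads"]  # constructed bucket names

if __name__ == "__main__":
    status = audit(SAMPLE_TRAIL, BUCKETS)
    for bucket, ok in status.items():
        print(f"{bucket}: {'logged' if ok else 'NOT logged'}")
    missing = [b for b, ok in status.items() if not ok]
    if missing:
        fixed = add_s3_write_selector(SAMPLE_TRAIL["EventSelectors"], missing)
        print(remediation_command("example-trail", "us-east-1", fixed))
```

In the constructed sample, app-data is already covered by an "All" selector, audit-archive only has a "ReadOnly" selector (which never captures PutObject or DeleteObject), and uploads has none; the script reports the two gaps and prints a put-event-selectors command that appends a WriteOnly selector for them while resubmitting the two existing selectors. Run it per region, as step 5 above requires, since event selectors belong to the trail in each region.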