S3 Logs Details

Is there a way to see what actions the 'G2' IAM user is performing in S3, and which IP(s) they are running from? I have already enabled the logging of S3 actions.

One point I'm still not able to figure out is that when I'm trying to find logs in CloudTrail using an AWS access key or username, in both cases I'm getting the result "No matches". But throughout the day that user (G2) interacts with S3, and based on the times it seems like it is a cron job running on some server. How can I identify it?

I know the date/time the user executes and the resource (S3) but that is all (no bucket, no IP, etc). Is there anything we can do with that information?

Will the CloudTrail log from the CLI tool be helpful for my scenario?

I already tested these queries but was not able to get the output:

fields @timestamp, eventName, eventType, requestParameters.bucketName, requestParameters.key, resources.0.ARN
| filter sourceIPAddress == "xx.xx.xx.xx" and userIdentity.sessionContext.sessionIssuer.userName == "g2" and eventSource == "s3.amazonaws.com"
| sort @timestamp desc
| limit 100

fields @timestamp, @message
| filter userIdentity.userName == "g2"
| sort @timestamp desc
| limit 20

fields @timestamp, @message
| filter sourceIPAddress == "192.168.1.1"
| sort @timestamp desc
| limit 20

Can an Athena query of CloudTrail logs be helpful? Can anyone help me with this?

Solution 1:[1]

Yes, you can use CloudTrail logs:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html

Solution 2:[2]

To track API requests, you can use AWS CloudTrail to capture requests, including the user and IP address.

See: Logging Amazon S3 API calls using AWS CloudTrail - Amazon Simple Storage Service.

To track web requests, you can activate Server Access Logging, which is effectively a log file like a web server produces. It will track the IP address, but it can only identify authenticated users.

See Logging requests using server access logging - Amazon Simple Storage Service.
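As an added illustration of the two log sources the answer names (not code from the question or either answer), the snippet below pulls out who did what from which IP for one IAM user, reading both CloudTrail events and S3 server access log lines. All records are constructed samples; the field names follow the real CloudTrail and server access log layouts, and the caller name is taken from userIdentity.userName for IAM users and from sessionContext.sessionIssuer.userName for assumed-role sessions, which is why a query that checks only one of those paths can return no matches.

```python
"""Extract (time, action, source IP) for one IAM user from the two S3 log types named
above: CloudTrail events and S3 server access log lines. All records are constructed."""
import re

# Constructed CloudTrail events: one direct IAM-user call, one via an assumed role.
CLOUDTRAIL = [
    {"eventTime": "2023-05-01T02:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "G2"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/daily.csv"}},
    {"eventTime": "2023-05-01T02:00:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "g2"}}},
     "requestParameters": {"bucketName": "example-bucket"}},
]

# Constructed server access log lines; only the first ten space-separated fields are parsed.
ACCESS_LOG = """\
79a5 example-bucket [01/May/2023:02:00:01 +0000] 203.0.113.7 arn:aws:iam::123456789012:user/G2 3E57 REST.GET.OBJECT reports/daily.csv "GET /reports/daily.csv HTTP/1.1" 200 - 1024 1024 12 11 "-" "aws-cli/2.11" - x
79a5 example-bucket [01/May/2023:02:00:02 +0000] 203.0.113.7 - 3E58 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.0" - x
"""
ACCESS_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] (\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)" (\S+)')

def principal(event):
    """Caller name: userIdentity.userName for IAM users, sessionIssuer.userName for roles."""
    ident = event.get("userIdentity", {})
    if "userName" in ident:
        return ident["userName"]
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")

def cloudtrail_s3_activity(events, user):
    """(time, action, bucket, source IP) for each S3 API call by `user`, case-insensitive."""
    rows = []
    for e in events:
        if e.get("eventSource") != "s3.amazonaws.com" or (principal(e) or "").lower() != user.lower():
            continue
        rows.append((e["eventTime"], e["eventName"],
                     e.get("requestParameters", {}).get("bucketName"), e["sourceIPAddress"]))
    return rows

def access_log_activity(text, user):
    """(time, operation, key, remote IP) for lines whose requester ARN ends in user/<user>; '-' never matches."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(5).lower().endswith("user/" + user.lower()):
            rows.append((m.group(3), m.group(7), m.group(8), m.group(4)))
    return rows
```

Object-level calls such as GetObject appear in CloudTrail only when S3 data events are enabled for the trail; a trail that records management events alone will show nothing for a scheduled job that only reads and writes objects.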

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Devang Sanghani
Solution 2: John Rotenstein