Tags: amazon-web-services, amazon-s3, amazon-cloudwatch, amazon-cloudwatchlogs, amazon-cloudtrail

AWS S3 log for DeleteObject?


How to use AWS services like CloudTrail or CloudWatch to check which user performed event DeleteObject?

I can use S3 Event to send a Delete event to SNS to notify an email address that a specific file has been deleted from the S3 bucket but the message does not contain the username that did it.

I can use CloudTrail to log all events related to an S3 bucket to another bucket, but when I tested it, it logged many details and only the PutObject event, not DeleteObject.

Is there any easy way to monitor an S3 bucket to find out which user deleted which file?

Update 19 Aug

Following Walt's answer below, I was able to log the DeleteObject event. However, I can only get the file name (requestParameters.key) for PutObject, but not for DeleteObjects.

| # | @timestamp | userIdentity.arn | eventName | requestParameters.key |
| - | ---------- | ---------------- | --------- | --------------------- |
| 1 | 2019-08-19T09:21:09.041-04:00 | arn:aws:iam::ID:user/me | DeleteObjects | (empty) |
| 2 | 2019-08-19T09:18:35.704-04:00 | arn:aws:iam::ID:user/me | PutObject | test.txt |

It looks like other people have had the same issue and AWS is working on it: https://forums.aws.amazon.com/thread.jspa?messageID=799831


Solution

  • Here is my setup.

    Detailed instructions on setting up CloudTrail in the console. When setting up CloudTrail, double-check these two options.

    That you are logging S3 writes. You can do this for all S3 buckets or just the one you are interested in. You also don't need to enable read logging to answer this question.

    And that you are sending events to CloudWatch Logs.

    If you made changes to the S3 write logging you might have to wait a little while. If you haven't had breakfast, lunch, snack, or dinner now would be a good time.

    If you're using the same default CloudWatch log group as I have above, this link to the CloudWatch Logs Insights search should work for you.

    This is a query that will show you all S3 DeleteObject calls. If the link doesn't work:

    1. Go to the CloudWatch Console.
    2. Select Logs->Insights on the left hand side.
    3. Enter the value for "Select log group(s)" that you specified above.
    4. Enter this in the query field.
    fields @timestamp, userIdentity.arn, eventName, requestParameters.bucketName, requestParameters.key
    | filter eventSource == "s3.amazonaws.com"
    | filter eventName == "DeleteObject"
    | sort @timestamp desc
    | limit 20
    

    If you have any CloudTrail S3 DeleteObject calls in the last 30 min, the last 20 events will be shown.
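The same "who deleted what" question answered offline against the CloudTrail log files themselves, as an added example that is not part of the question or of Walt's answer. It scans the records CloudTrail delivers to S3 (the `{"Records": [...]}` JSON files, gzip-compressed), keeps only S3 delete calls, and reports the caller, bucket and key. It also covers the gap the asker's update shows: a multi-object delete from the console or `aws s3 rm --recursive` is logged as `DeleteObjects`, whose keys travel in the HTTP request body and do not appear in `requestParameters.key`, so the example flags those records instead of guessing a key. The records, account ID, bucket and user names below are constructed placeholders; the `INSIGHTS_QUERY` string is the answer's query widened to both event names and is included only for comparison with the Python filter.

```python
"""Report S3 deletions from CloudTrail data-event records.

Added example; not code from the original question or answer. Assumes the
standard CloudTrail log-file layout ({"Records": [...]}, gzip-compressed when
delivered to S3). All sample data below is constructed for this example.
"""
import gzip
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Logs Insights equivalent of the scan below: the answer's query, widened to
# both delete event names so DeleteObjects is not missed.
INSIGHTS_QUERY = """fields @timestamp, userIdentity.arn, eventName, requestParameters.bucketName, requestParameters.key
| filter eventSource == "s3.amazonaws.com"
| filter eventName in ["DeleteObject", "DeleteObjects"]
| sort @timestamp desc
| limit 20"""

DELETE_EVENTS = {"DeleteObject", "DeleteObjects"}


@dataclass
class Deletion:
    event_time: str
    actor: str
    bucket: Optional[str]
    key: Optional[str]          # None for DeleteObjects: keys are in the request body
    event_name: str
    source_ip: Optional[str]
    error: Optional[str]        # errorCode, if S3 rejected the call (e.g. AccessDenied)


def _actor(identity: dict) -> str:
    """Prefer the caller ARN; fall back to the role-session issuer or principalId."""
    if identity.get("arn"):
        return identity["arn"]
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("principalId", "unknown")


def extract_deletions(records: Iterable[dict]) -> List[Deletion]:
    """Keep only S3 delete calls and pull out who/what/when."""
    found = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in DELETE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        found.append(Deletion(
            event_time=rec["eventTime"],
            actor=_actor(rec.get("userIdentity", {})),
            bucket=params.get("bucketName"),
            key=params.get("key"),          # absent for DeleteObjects
            event_name=rec["eventName"],
            source_ip=rec.get("sourceIPAddress"),
            error=rec.get("errorCode"),
        ))
    return found


def deletions_from_log_file(data: bytes) -> List[Deletion]:
    """Accept a CloudTrail log file as delivered (gzip) or already decompressed."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return extract_deletions(json.loads(data)["Records"])


def report(deletions: List[Deletion]) -> List[str]:
    """One human-readable line per deletion, newest first."""
    lines = []
    for d in sorted(deletions, key=lambda d: d.event_time, reverse=True):
        what = d.key if d.key else "<keys not logged: DeleteObjects carries them in the request body>"
        status = f" FAILED({d.error})" if d.error else ""
        lines.append(f"{d.event_time} {d.actor} {d.event_name} s3://{d.bucket}/{what}{status}")
    return lines


# Constructed sample records (placeholder account, bucket, users and IPs).
SAMPLE_RECORDS = [
    {   # single-object delete: the key is logged
        "eventVersion": "1.05", "eventTime": "2019-08-19T13:25:01Z",
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                         "arn": "arn:aws:iam::123456789012:user/me"},
        "requestParameters": {"bucketName": "my-bucket", "key": "test.txt"},
    },
    {   # multi-object delete (console, CLI --recursive): no key in the record
        "eventVersion": "1.05", "eventTime": "2019-08-19T13:21:09Z",
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteObjects",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:alice",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"},
        "requestParameters": {"bucketName": "my-bucket"},
    },
    {   # a write that is not a delete: filtered out
        "eventTime": "2019-08-19T13:18:35Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/me"},
        "requestParameters": {"bucketName": "my-bucket", "key": "test.txt"},
    },
]


def sample_log_file() -> bytes:
    """The sample records packed the way CloudTrail delivers them (gzip JSON)."""
    return gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())


if __name__ == "__main__":
    for line in report(deletions_from_log_file(sample_log_file())):
        print(line)
```

Run it as-is to see the two delete records reported and the PutObject dropped; point `deletions_from_log_file` at a real file from the trail's S3 prefix to use it for an investigation. When the record is a `DeleteObjects`, the output still tells you who and when, which is usually enough to narrow it down: on a versioned bucket the delete markers created at that time identify the keys, and on an unversioned bucket the per-object keys are simply not in the trail.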