4
votes

How to use AWS services like CloudTrail or CloudWatch to check which user performed event DeleteObject?

I can use S3 Event to send a Delete event to SNS to notify an email address that a specific file has been deleted from the S3 bucket but the message does not contain the username that did it.

I can use CloudTrail to log all events related to an S3 bucket to another bucket, but I tested and it logs many details, and only event PutObject but not DeleteObject.

Is there any easy way to monitor an S3 bucket to find out which user deleted which file?

Update 19 Aug

Following Walt's answer below, I was able to log the DeleteObject event. However, I can only get the file name (requestParameters.key) for PutObject, but not for DeleteObjects.

| # | @timestamp | userIdentity.arn | eventName | requestParameters.key |
| - | ---------- | ---------------- | --------- | --------------------- |
| 1 | 2019-08-19T09:21:09.041-04:00 | arn:aws:iam::ID:user/me | DeleteObjects | |
| 2 | 2019-08-19T09:18:35.704-04:00 | arn:aws:iam::ID:user/me | PutObject | test.txt |

It looks like other people have had the same issue and AWS is working on it: https://forums.aws.amazon.com/thread.jspa?messageID=799831

2
Changes to S3 logging can take hours to propagate. How long did you wait after making the change? - WaltDe
If you need near real time notification, then you could use S3 event notifications for ObjectDelete (All), sent to Lambda or SNS. The event you receive will contain userIdentity/principalId. - jarmod
@WaltDe I waited for an hour. - Viet
The principalId in the case of an IAM user will be of the form AIDA.... and you can correlate that with the underlying IAM user. For example, this command will show you a given IAM user's UserId which is the principalId in the Lambda event: aws iam get-user --user-name mary. - jarmod
@viet I posted an answer on how I have my CloudTrail S3 event logging setup. I send my events to CloudWatch Logs because with Logs Insights it is now super easy to search your logs. Sending them to S3 is also a good security practice for long term storage. - WaltDe

2 Answers

3
votes

Here is my setup.

Detailed instructions on setting up CloudTrail in the console. When setting up the CloudTrail, double check these 2 options.

That you are logging S3 writes. You can do this for all S3 buckets or just the one you are interested in. You also don't need to enable read logging to answer this question.

And that you are sending events to CloudWatch Logs.

If you made changes to the S3 write logging you might have to wait a little while. If you haven't had breakfast, lunch, snack, or dinner now would be a good time.

If you're using the same default CloudWatch log group as I have above this link to CloudWatch Insight Logs search should work for you.

This is a query that will show you all S3 DeleteObject calls. If the link doesn't work:

  1. Go to the CloudWatch Console.
  2. Select Logs->Insights on the left hand side.
  3. Enter the value for "Select log group(s)" that you specified above.
  4. Enter this in the query field.

```
fields @timestamp, userIdentity.arn, eventName, requestParameters.bucketName, requestParameters.key
| filter eventSource == "s3.amazonaws.com"
| filter eventName == "DeleteObject"
| sort @timestamp desc
| limit 20
```

If you have any CloudTrail S3 Delete Object calls in the last 30 min the last 20 events will be shown.

1
votes

As of 2021/04/12, CloudTrail does not record object key(s) or path for DeleteObjects calls.

If you delete an object with S3 console, it always calls DeleteObjects.

If you want to access object keys for deletion you will need to delete individual files with DeleteObject (minus s). This can be done with AWS CLI (aws s3 rm s3://some-bucket/single-filename) or direct API calls.
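An added example, not code from the question or either answer, that puts the points from the comments and both answers together: CloudTrail records name the actor (userIdentity.arn) but carry no key for DeleteObjects, while the S3 ObjectRemoved notification carries the key and an AWS:AIDA... principalId that maps back to an IAM user via `aws iam get-user`. All records and the principal table below are constructed samples, and the time-window correlation in fill_keys is my own heuristic, not something AWS guarantees.

```python
from datetime import datetime

# Constructed sample records, not real log data. The DeleteObjects record has
# no requestParameters.key, mirroring what the question and answers observe.
CLOUDTRAIL = {"Records": [
    {"eventTime": "2019-08-19T13:21:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObjects", "requestParameters": {"bucketName": "example-bucket"},
     "userIdentity": {"principalId": "AIDAEXAMPLE000000001",
                      "arn": "arn:aws:iam::123456789012:user/me"}},
    {"eventTime": "2019-08-19T13:18:35Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "requestParameters": {"bucketName": "example-bucket", "key": "test.txt"},
     "userIdentity": {"principalId": "AIDAEXAMPLE000000001",
                      "arn": "arn:aws:iam::123456789012:user/me"}},
]}
# Constructed S3 ObjectRemoved notifications for that same multi-object delete.
NOTIFICATIONS = {"Records": [
    {"eventName": "ObjectRemoved:Delete", "eventTime": "2019-08-19T13:21:09.412Z",
     "userIdentity": {"principalId": "AWS:AIDAEXAMPLE000000001"},
     "s3": {"bucket": {"name": "example-bucket"}, "object": {"key": k}}}
    for k in ("test.txt", "old/report.csv")]}
# Hypothetical UserId -> UserName table built from `aws iam get-user` output.
PRINCIPALS = {"AIDAEXAMPLE000000001": "me"}

def _ts(s):  # accepts both timestamp shapes above (with or without fraction)
    return datetime.strptime(s.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S")

def s3_deletes(trail):
    """CloudTrail S3 delete calls with actor resolved; keys empty for DeleteObjects."""
    out = []
    for r in trail["Records"]:
        if r.get("eventSource") != "s3.amazonaws.com" or not r["eventName"].startswith("DeleteObject"):
            continue
        p, pid = r.get("requestParameters") or {}, r["userIdentity"]["principalId"]
        out.append({"time": r["eventTime"], "event": r["eventName"], "principal": pid,
                    "actor": r["userIdentity"]["arn"], "user": PRINCIPALS.get(pid, "unknown"),
                    "bucket": p.get("bucketName"), "keys": [p["key"]] if "key" in p else []})
    return out

def fill_keys(deletes, notes, window_s=5):
    """Heuristic (an assumption, not an AWS guarantee): attach ObjectRemoved keys
    from the same principal and bucket within window_s seconds of a key-less call."""
    for d in (x for x in deletes if not x["keys"]):
        for n in notes["Records"]:
            pid = n["userIdentity"]["principalId"].split(":", 1)[-1]
            close = abs((_ts(n["eventTime"]) - _ts(d["time"])).total_seconds()) <= window_s
            if (n["eventName"].startswith("ObjectRemoved:") and pid == d["principal"]
                    and n["s3"]["bucket"]["name"] == d["bucket"] and close):
                d["keys"].append(n["s3"]["object"]["key"])
    return deletes
```

Running `fill_keys(s3_deletes(CLOUDTRAIL), NOTIFICATIONS)` yields the single DeleteObjects call attributed to user "me" with both keys attached from the notifications.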