S3 Logs event Issue

Question

Is there a way to see what actions the 'g2' IAM user is performing in S3, and which IP(s) they are running from? I have already enabled the logging of S3 actions.

One point I’m still not able to figure out is that when I’m trying to find logs in Cloud trail using an AWS access key or username in both cases, I’m getting results as No matches. But throughout the day that user (g2) interacts with S3, based on the times it seems like it is a CRON running on some server. How to identify it?

I did analyze CloudTrail event history and used CloudWatch Logs Insights to find out access Logging IP address for 90 days by using both “username” and “AWS Access Key” but it seems that it isn’t of much help for finding “g2” user data. “g2” IAM user does have Administrator Access. The user does not have console management access. I suspect it is just doing an 'ls' to check for the existence of some files. I think the same actions will be occurring each day for it

I know the date/time the user executes and the resource (S3) but that is all (no bucket, no IP, etc). Is there anything we can do with that information?

I already tested these queries but was not able to get the output 

    fields @timestamp, eventName, eventType, requestParameters.bucketName, requestParameters.key, resources.0.ARN
    | filter sourceIPAddress == "xx.xx.xx.xx" and userIdentity.sessionContext.sessionIssuer.userName == "g2" and eventSource == "s3.amazonaws.com"
    | sort @timestamp desc
    | limit 100

    fields @timestamp, @message
    | filter userIdentity.userName == "g2"
    | sort @timestamp desc
    | limit 20

    fields @timestamp, @message
    | filter sourceIPAddress == "192.168.1.1"
    | sort @timestamp desc
    | limit 20

Does Athena query of CloudTrail Logs can be helpful? Is the CLI tool CloudTrail log will be helpful for my scenario? Can anyone help me with this?

One technique that can help is to push CloudTrail logs into Cloudwatch Logs and use Cloudwatch Log Insights to search them. Finding individual log entries in CloudTrail logs can be tricky. — Tim, Feb 03 '22 at 17:29
Hello Tim, I did analyze CloudTrail event history and used CloudWatch Logs Insights to find out access Logging IP address for 90 days by using both “username” and “AWS Access Key” but it seems that it isn’t of much help for finding “g2” user data. “g2” IAM user does have Administrator Access. The user does not have console management access. I suspect it is just doing an 'ls' to check for the existence of some files. I think the same actions will be occurring each day for it — samtech 2021, Feb 04 '22 at 08:34

shearn89 · Answer 1 · 2022-02-04T10:27:53.183

0

I set up a new Trail to test this. Process was this:

Create new CloudTrail, enabling delivery to CloudWatch as @Tim suggested, and also enabled Data Events on S3. You may just want to enable Data Events on S3 and filter for the bucket in question, else you might generate a lot of logs!
Copied some files into a test bucket (foo.txt)
CloudWatch -> Log Groups -> My group -> "View in Log Insights"

Once logs start arriving I can easily do the following:

Find usage from my IP (if you know the IP replace 192.168.1.1):

fields @timestamp, @message
| filter sourceIPAddress == "192.168.1.1"
| sort @timestamp desc
| limit 20

Find activity from the role that I assume:

fields @timestamp, @message
| filter userIdentity.sessionContext.sessionIssuer.userName == "Admin"
| sort @timestamp desc
| limit 20

I can then expand any of the rows with the arrow on the left to find more useful fields. Any field can be added to the fields list to make it display nicely, e.g. use IP & Role & Service to narrow down a search and show useful info:

fields @timestamp, eventName, eventType, requestParameters.bucketName, requestParameters.key, resources.0.ARN
| filter sourceIPAddress == "xx.xx.xx.xx" and userIdentity.sessionContext.sessionIssuer.userName == "Admin" and eventSource == "s3.amazonaws.com"
| sort @timestamp desc
| limit 100

Quick update: I logged into my backup storage account, to find an actual IAM user the key is:

filter userIdentity.userName == "iam-user-name"

edited Feb 04 '22 at 10:27

answered Feb 04 '22 at 09:56

shearn89

3,403
2
15
39

Hello shearn89, I did try this but ended with the result as "No results" found. https://ibb.co/2yhXyrJ – samtech 2021 Feb 04 '22 at 10:37
See my update - you might need to search on `userIdentity.userName`. – shearn89 Feb 04 '22 at 13:49
still no result output with this code : | filter userIdentity.userName == "g2" | sort @timestamp desc | limit 20 – samtech 2021 Feb 04 '22 at 15:13
Well, you'll have to try to narrow down the search to identify the fields to search for then. If you know roughly when the activity occurred then you can start there. Or test it with another IAM user to confirm it works. Also check the username is the same as in IAM - is it just 'g2'? – shearn89 Feb 04 '22 at 16:20
Thanks shearn89 ,I know the date/time the user executes and the resource (S3) but that is all (no bucket, no IP, etc). Is there anything we can do with that information? – samtech 2021 Feb 08 '22 at 14:28
You'll have to start with a search over that time (e.g. 5 minutes for that period). Then filter down by service and dig into the logs. I can't give you step by step for exploring your own data, you'll have to look at the events and start to filter through it. – shearn89 Feb 08 '22 at 14:46
HelIo shearn89, I did that and I am able to find the desired result with the other IAM users, but not with that specific user "g2", still not able to figure out why? – samtech 2021 Feb 10 '22 at 12:06
Is G2 definitely an IAM user, accessing via access keys? Or is it running on an EC2 instance using an instance role? Or assuming a role on the command line? – shearn89 Feb 10 '22 at 12:08
Hello shearn89 , Yes right,"g2” Is an IAM user and has Administrator Access. The user does not have console management access. – samtech 2021 Feb 10 '22 at 13:31
The search is case sensitive. Have you been searching for `G2` when the user is `g2`? Otherwise I'm out of ideas. If you can find other user's activity then CloudTrail is working as intended. – shearn89 Feb 10 '22 at 13:41
shearn89, I'm searching with exact same IAM username, but no result. Yes, the query is working fine for other users. Is there any possibility that is this a cron? – samtech 2021 Feb 10 '22 at 13:50
It doesn't matter, if it's a cron thing then it should still be logged in CloudTrail, unless it's not actually happening as the G2 user but some other user. – shearn89 Feb 10 '22 at 13:52
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/134016/discussion-between-shearn89-and-samtech-2021). – shearn89 Feb 10 '22 at 13:52
Hello shearn89, Based on the Athena Queries, I’m able to find “g2” IAM user activities including IP addresses. but from the results looks like it last was used in Oct 2021 but the IAM logs it as access today, can you advise why it is or How to diagnose it? – samtech 2021 Feb 23 '22 at 14:54

S3 Logs event Issue

1 Answers1