
I want to create on CloudWatch a metric filter and an alarm based on it to notify me about S3 events, especially when a file or a bucket is set to public. This is the metric filter I used to create the metric:

{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutObjectAcl)) && (($.requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.type = Group ))}

I tested this pattern by putting in the following custom log data:

{
    "Records": [
        {
            "eventVersion": "1.03",
            "userIdentity": {
                "type": "IAMUser",
                "principalId": "111122223333",
                "arn": "arn:aws:iam::111122223333:user/myUserName",
                "accountId": "111122223333",
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "userName": "myUserName"
            },
            "eventTime": "2015-08-26T20:46:31Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "DeleteBucketPolicy",
            "awsRegion": "us-west-2",
            "sourceIPAddress": "127.0.0.1",
            "userAgent": "[]",
            "requestParameters": {
                "bucketName": "myawsbucket"
            },
            "responseElements": null,
            "requestID": "47B8E8D397DCE7A6",
            "eventID": "cdc4b7ed-e171-4cef-975a-ad829d4123e8",
            "eventType": "AwsApiCall",
            "recipientAccountId": "111122223333"
        },
        {
            "eventVersion": "1.03",
            "userIdentity": {
                "type": "IAMUser",
                "principalId": "111122223333",
                "arn": "arn:aws:iam::111122223333:user/myUserName",
                "accountId": "111122223333",
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "userName": "myUserName"
            },
            "eventTime": "2015-08-26T20:46:31Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutBucketAcl",
            "awsRegion": "us-west-2",
            "sourceIPAddress": "",
            "userAgent": "[]",
            "requestParameters": {
                "bucketName": "",
                "AccessControlPolicy": {
                    "AccessControlList": {
                        "Grant": {
                            "Grantee": {
                                "xsi:type": "Group",
                                "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
                                "ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example"
                            },
                            "Permission": "FULL_CONTROL"
                        }
                    },
                    "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
                    "Owner": {
                        "ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example"
                    }
                }
            },
            "responseElements": null,
            "requestID": "BD8798EACDD16751",
            "eventID": "607b9532-1423-41c7-b048-ec2641693c47",
            "eventType": "AwsApiCall",
            "recipientAccountId": "111122223333"
        },
        {
            "eventVersion": "1.03",
            "userIdentity": {
                "type": "IAMUser",
                "principalId": "111122223333",
                "arn": "arn:aws:iam::111122223333:user/myUserName",
                "accountId": "111122223333",
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "userName": "myUserName"
            },
            "eventTime": "2015-08-26T20:46:31Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetBucketVersioning",
            "awsRegion": "us-west-2",
            "sourceIPAddress": "",
            "userAgent": "[]",
            "requestParameters": {
                "bucketName": "myawsbucket"
            },
            "responseElements": null,
            "requestID": "07D681279BD94AED",
            "eventID": "f2b287f3-0df1-4961-a2f4-c4bdfed47657",
            "eventType": "AwsApiCall",
            "recipientAccountId": "111122223333"
        }
    ]
}

I clicked Test Pattern and got this message:

Results Found 0 matches out of 50 event(s) in the sample log.

Is the metric filter proper and correct? I'm supposed to have one result, but it is not coming up.

Souad
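To see why the console reports zero matches, here is an added Python model of the pattern's selector logic run over the question's records (example code, not from the question or from AWS; it assumes each record is evaluated on its own and that a `$.a.b.c` selector walks nested JSON objects hop by hop). It goes beyond the page with a second check, `public_grants`, which tests the AWS-defined AllUsers/AuthenticatedUsers group URIs and also accepts the list-form `Grant` that real CloudTrail records carry.

```python
# Constructed sample, trimmed to the fields the pattern touches, modelled on the
# question's three records. Note the grantee key is "xsi:type", not "type".
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPolicy",
     "requestParameters": {"bucketName": "myawsbucket"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "requestParameters": {"AccessControlPolicy": {"AccessControlList": {"Grant": {
         "Grantee": {"xsi:type": "Group", "ID": "d25639fbe9c19cd3Example"},
         "Permission": "FULL_CONTROL"}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketVersioning",
     "requestParameters": {"bucketName": "myawsbucket"}},
]
# Constructed event in the shape real CloudTrail records use: Grant is a list and a
# public group grantee carries a URI rather than an ID.
PUBLIC_EVENT = {"eventSource": "s3.amazonaws.com", "eventName": "PutObjectAcl",
    "requestParameters": {"AccessControlPolicy": {"AccessControlList": {"Grant": [
        {"Grantee": {"xsi:type": "CanonicalUser", "ID": "ownerExample"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]}}}}
# AWS-defined S3 ACL group URIs that make a grant public (not taken from the question).
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
GRANT_PATH = "$.requestParameters.AccessControlPolicy.AccessControlList.Grant"

def select(event, path):
    # Resolve a "$.a.b.c" selector against one event; None when any hop is missing.
    node = event
    for key in path[2:].split("."):  # drop the leading "$."
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches_filter(event, grantee_key="type"):
    # Mirror the question's pattern; grantee_key is the last hop of the Grantee selector.
    return (select(event, "$.eventSource") == "s3.amazonaws.com"
            and select(event, "$.eventName") in ("PutBucketAcl", "PutObjectAcl")
            and select(event, GRANT_PATH + ".Grantee." + grantee_key) == "Group")

def public_grants(event):
    # Grants to a public group in a PutBucketAcl/PutObjectAcl event; Grant may be a
    # single object (the question's sample) or a list (real CloudTrail records).
    if (select(event, "$.eventSource") != "s3.amazonaws.com"
            or select(event, "$.eventName") not in ("PutBucketAcl", "PutObjectAcl")):
        return []
    grants = select(event, GRANT_PATH) or []
    grants = grants if isinstance(grants, list) else [grants]
    return [g for g in grants if g.get("Grantee", {}).get("xsi:type") == "Group"
            and g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS]
```

With the selector ending in `.type` no record matches, because the key in the sample is `xsi:type`; with `xsi:type` the PutBucketAcl record matches, and `public_grants` only fires when the group grantee is one of the public URIs.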

1 Answer


Calculating whether a policy is providing open access is quite complex, due to the many ways that rules can be specified in the Bucket Policy (for example, wildcards can provide access).

An easier approach would be to use the Amazon S3 Bucket Permissions check in Trusted Advisor:

Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions or allow access to any authenticated AWS user.

You can then Monitor Trusted Advisor Check Results with Amazon CloudWatch Events.

However, that particular check is not included in the Free Tier for Trusted Advisor. You would need to be on a Support Plan for that check to operate.

The Amazon S3 console was also recently updated -- it now clearly shows any buckets with public permissions.

John Rotenstein
  • Yes, I'm aware that Trusted Advisor provides that, but I need a notification by SNS to my mailbox as I manage many AWS accounts and it's hard to check Trusted Advisor account by account. CloudTrail events of all accounts are centralized in one bucket and I need to put the metric filter on it. – Souad Nov 14 '17 at 11:16
  • I need that alert even if it is complex. – Souad Nov 14 '17 at 11:20
  • As per the above link, Trusted Advisor can trigger a CloudWatch Event, which can send an SNS notification message. – John Rotenstein Nov 14 '17 at 11:39
  • We are working in the eu-west-1 region and Trusted Advisor rules are not available there. – Souad Nov 14 '17 at 11:44
  • Correct. As stated in the documentation, you must use Amazon CloudWatch Events in `us-east-1` to access Trusted Advisor. However, the Trusted Advisor checks for Amazon S3 are global, so they would still be available in `us-east-1`. – John Rotenstein Nov 14 '17 at 11:50
  • Another reason I cannot count on Trusted Advisor is that it only says when a bucket is public, and it does not say that on an object level. – Souad Nov 14 '17 at 11:53