0

Its possible to do object logging on a S3 bucket to Cloud trail using the following guide, but this is through the console.

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html

I've been trying to figure out a way to do this via the cli since want to do this for many buckets but haven't had much luck. I've setup a new cloud trail on my account and would like to map it to s3 buckets to do object logging. Is there a cli for this?

# This is to grant s3 log bucket access (no link to cloudtrail here)
aws s3api put-bucket-logging
John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
puji
  • 487
  • 4
  • 9

2 Answers2

3

It looks like you'll need to use the CloudTrail put_event_selectors() command:

DataResources

CloudTrail supports data event logging for Amazon S3 objects and AWS Lambda functions.

(dict): The Amazon S3 buckets or AWS Lambda functions that you specify in your event selectors for your trail to log data events.

Do a search for object-level in the documentation page.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • 1
    Thanks, got this to work using the following... can update your answer if you want : aws cloudtrail put-event-selectors --trail-name my_trail_name --event-selectors '[{"ReadWriteType": "All","DataResources": [{"Type": "AWS::S3::Object","Values": ["arn:aws:s3:::BUCKETNAME1/","arn:aws:s3:::BUCKETNAME2/"]}],"IncludeManagementEvents": true}]' – puji Mar 28 '19 at 19:27
1

Disclaimer: The comment by puji in the accepted answer works. This is an expansion of that answer with the resources.

Here is the AWS documentation on how to do this through the AWS CLI

https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html

The specific CLI command you are interested is the following from the above documentation. The original documentation lists two objects in the same bucket. I have modified it to cover all the objects in two buckets.

aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::mybucket1/","arn:aws:s3:::mybucket2/"]}]}]'

If you want all the S3 buckets in your AWS accounts covered you can use arn:aws:s3::: instead of list of bucket arns like the following.

aws cloudtrail put-event-selectors --trail-name TrailName2 --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}]'
SanD
  • 503
  • 2
  • 7
  • 25