
How to use AWS services like CloudTrail or CloudWatch to check which user performed event DeleteObject?

I can use S3 Event to send a Delete event to SNS to notify an email address that a specific file has been deleted from the S3 bucket but the message does not contain the username that did it.

I can use CloudTrail to log all events related to an S3 bucket to another bucket, but I tested and it logs many details, and only event PutObject but not DeleteObject.

Is there any easy way to monitor an S3 bucket to find out which user deleted which file?

Update 19 Aug

Following Walt's answer below, I was able to log the DeleteObject event. However, I can only get the file name (requestParameters.key) for PutObject, but not for DeleteObjects.

| # | @timestamp | userIdentity.arn | eventName | requestParameters.key |
| - | ---------- | ---------------- | --------- | --------------------- |
| 1 | 2019-08-19T09:21:09.041-04:00 | arn:aws:iam::ID:user/me | DeleteObjects | |
| 2 | 2019-08-19T09:18:35.704-04:00 | arn:aws:iam::ID:user/me | PutObject | test.txt |

It looks like other people have had the same issue and AWS is working on it: https://forums.aws.amazon.com/thread.jspa?messageID=799831

Viet
  • Changes to S3 logging can take hours to propagate. How long did you wait after making the change? – WaltDe Aug 15 '19 at 20:53
  • If you need near real time notification, then you could use S3 event notifications for ObjectDelete (All), sent to Lambda or SNS. The event you receive will contain userIdentity/principalId. – jarmod Aug 15 '19 at 21:33
  • @WaltDe I waited for an hour. – Viet Aug 16 '19 at 02:45
  • @jarmod SNS doesn't show the username, only the principalId, which is not what I need. – Viet Aug 16 '19 at 02:45
  • The principalId in the case of an IAM user will be of the form AIDA.... and you can correlate that with the underlying IAM user. For example, this command will show you a given IAM user's UserId, which is the principalId in the Lambda event: `aws iam get-user --user-name mary`. – jarmod Aug 16 '19 at 13:14
  • @viet I posted an answer on how I have my CloudTrail S3 event logging set up. I send my events to CloudWatch Logs because with Logs Insights it is now super easy to search your logs. Sending them to S3 is also a good security practice for long-term storage. – WaltDe Aug 16 '19 at 13:30
  • Thank you jarmod and Walt. @WaltDe, I'll try that and get back to you. – Viet Aug 16 '19 at 17:03
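jarmod's comments above describe the near-real-time route: an S3 event notification for ObjectRemoved carries `userIdentity.principalId` (an `AIDA...` UserId for IAM users), which can be correlated back to the IAM user name that `aws iam get-user` / `aws iam list-users` report. The following is an added example, not code from the thread, showing that correlation offline: the notification payload and the IAM user list are constructed samples, and in a real Lambda the directory would be built from the `Users` list returned by `iam.list_users()` instead of the inline constant.

```python
import json
from urllib.parse import unquote_plus

# Constructed S3 event notification of the shape S3 delivers to Lambda/SNS
# for ObjectRemoved events. Principal ids, bucket and keys are made up.
SAMPLE_S3_EVENT = json.dumps({
    "Records": [
        {
            "eventVersion": "2.1",
            "eventSource": "aws:s3",
            "awsRegion": "us-east-1",
            "eventTime": "2019-08-16T02:45:00.000Z",
            "eventName": "ObjectRemoved:Delete",
            # IAM user: principalId is "AWS:" + the user's UserId (AIDA...)
            "userIdentity": {"principalId": "AWS:AIDAEXAMPLEPRINCIPAL1"},
            "s3": {
                "bucket": {"name": "example-bucket"},
                # S3 URL-encodes the key in notifications; '+' stands for a space
                "object": {"key": "reports/q3+summary.txt"},
            },
        },
        {
            "eventVersion": "2.1",
            "eventSource": "aws:s3",
            "awsRegion": "us-east-1",
            "eventTime": "2019-08-16T02:46:00.000Z",
            # versioned bucket: a delete marker is also an ObjectRemoved event
            "eventName": "ObjectRemoved:DeleteMarkerCreated",
            # assumed role session: not an IAM user, so it will not resolve below
            "userIdentity": {"principalId": "AWS:AROAEXAMPLEROLEID:deploy-session"},
            "s3": {
                "bucket": {"name": "example-bucket"},
                "object": {"key": "archive/old.log"},
            },
        },
    ]
})

# Constructed stand-in for the "Users" list that `aws iam list-users` returns.
SAMPLE_IAM_USERS = [
    {"UserName": "mary", "UserId": "AIDAEXAMPLEPRINCIPAL1"},
    {"UserName": "viet", "UserId": "AIDAEXAMPLEPRINCIPAL3"},
]


def build_principal_directory(iam_users):
    """Index IAM users by UserId so a notification's principalId can be resolved."""
    return {u["UserId"]: u["UserName"] for u in iam_users}


def resolve_principal(principal_id, directory):
    """Strip the leading 'AWS:' and look the id up; None if it is not an IAM user
    in the directory (e.g. a role session, whose id has an extra ':session' part)."""
    raw = principal_id.split(":", 1)[-1]
    return directory.get(raw)


def summarize_deletions(event_json, directory):
    """Return one row per ObjectRemoved record: when, what was deleted, and by whom."""
    rows = []
    for rec in json.loads(event_json)["Records"]:
        if not rec.get("eventName", "").startswith("ObjectRemoved:"):
            continue
        pid = rec["userIdentity"]["principalId"]
        rows.append({
            "time": rec["eventTime"],
            "bucket": rec["s3"]["bucket"]["name"],
            "key": unquote_plus(rec["s3"]["object"]["key"]),
            "principal_id": pid,
            "user_name": resolve_principal(pid, directory),
        })
    return rows


if __name__ == "__main__":
    directory = build_principal_directory(SAMPLE_IAM_USERS)
    for row in summarize_deletions(SAMPLE_S3_EVENT, directory):
        print(row)
```

Unlike CloudTrail, this path reports the deleted key for console (batch) deletes too, because S3 emits one ObjectRemoved notification per object. The unresolved second row is the case to handle deliberately: for an assumed role the principalId is the role id plus session name, so it has to be matched against `aws iam list-roles` output or the CloudTrail AssumeRole record rather than the user directory.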

2 Answers

Here is my setup.

Detailed instructions on setting up CloudTrail in the console. When setting up the CloudTrail, double check these 2 options.

That you are logging S3 writes. You can do this for all S3 buckets or just the one you are interested in. You also don't need to enable read logging to answer this question.

And that you are sending events to CloudWatch Logs.

If you made changes to the S3 write logging you might have to wait a little while. If you haven't had breakfast, lunch, snack, or dinner now would be a good time.

If you're using the same default CloudWatch log group as I have above, this link to the CloudWatch Logs Insights search should work for you.

This is a query that will show you all S3 DeleteObject calls. If the link doesn't work:

  1. Go to the CloudWatch Console.
  2. Select Logs->Insights on the left hand side.
  3. Enter the value for "Select log group(s)" that you specified above.
  4. Enter this in the query field.

```
fields @timestamp, userIdentity.arn, eventName, requestParameters.bucketName, requestParameters.key
| filter eventSource == "s3.amazonaws.com"
| filter eventName == "DeleteObject"
| sort @timestamp desc
| limit 20
```

If there are any CloudTrail S3 DeleteObject calls in the last 30 min, the last 20 events will be shown.

WaltDe
  • Thank you for your suggestion. However, I ran into this error when trying to configure my Trail: `Unable to validate the role policy. Please retry.` I chose to create a new role and the role policy looks fine. I've done it a few times following this: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html – Viet Aug 19 '19 at 13:05
  • I changed the `Resources` to `*` and it's validated. It looks like the one that AWS automatically generated doesn't work. – Viet Aug 19 '19 at 13:12
  • Thank you @WaltDe, your query works. The only issue is CloudWatch shows the file name (requestParameters.key) for `PutObject` but not for `DeleteObjects`. I'll update my question. – Viet Aug 19 '19 at 13:25
  • It looks like other people have had the same issue and AWS is working on it: https://forums.aws.amazon.com/thread.jspa?messageID=799831 – Viet Aug 19 '19 at 13:33
  • @Viet I was using the aws cli to delete the specific object. How are you deleting the object? Can you look through the event details and see if the key is listed in the resources section? – WaltDe Aug 19 '19 at 13:42
  • @Viet That does explain what is happening. Note that the AWS workaround using S3 server-side logging will work most of the time, as it's best-effort logging and does not guarantee the event will even be logged. – WaltDe Aug 19 '19 at 14:38
  • Hi @WaltDe, if you use the CLI then you can log the event in CloudWatch, but if you use the Console, it'll be saved as a batch delete and the object won't be recorded. The AWS staff mentioned that in the thread I posted above. – Viet Aug 19 '19 at 17:39

As of 2021/04/12, CloudTrail does not record object key(s) or path for DeleteObjects calls.

If you delete an object with S3 console, it always calls DeleteObjects.

If you want to access object keys for deletion you will need to delete individual files with DeleteObject (minus s). This can be done with the AWS CLI (`aws s3 rm s3://some-bucket/single-filename`) or direct API calls.

dz902
  • Can you provide any references for this? It's very annoying that I can't track S3 delete object actions from the console. – A Kingscote Dec 10 '21 at 10:06
  • It looks like CloudTrail still does not record the object keys being deleted via `DeleteObjects`. In https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html I found the following sentence: "CloudTrail does not log key names for the keys that are deleted using the Delete Multiple Objects operation." – madipi Apr 28 '22 at 09:20
  • yep, wasted time going down this path to write code to run the query, and only noticing it once there happens to be DeleteObjects calls. Can't find where it's documented but all console interactions use "DeleteObjects" but never "DeleteObject". I have this confirmed from an AWS support staff. – Leo Lei Aug 25 '22 at 10:29
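Walt's Logs Insights query above and this answer's point about DeleteObjects together define what a CloudTrail-based check can and cannot tell you. The block below is an added example, not code from either answer: it applies the same filter and field projection as the Insights query to constructed CloudTrail S3 data-event records, widened to match `DeleteObjects` as well so console/batch deletes are not silently dropped, and it reports the key as `None` for those records, since (per the S3 user guide quoted in madipi's comment) CloudTrail does not log key names for the Delete Multiple Objects operation. Account id, bucket and key names in the sample are placeholders.

```python
import json

# Constructed CloudTrail log file, trimmed to the fields this check uses.
# The account id, bucket, keys and times are placeholders.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2019-08-19T13:18:35Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/me"},
     "requestParameters": {"bucketName": "example-bucket", "key": "test.txt"}},
    # single-object delete (CLI `aws s3 rm`, or the DeleteObject API): key is present
    {"eventTime": "2019-08-19T13:20:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/me"},
     "requestParameters": {"bucketName": "example-bucket", "key": "test.txt"}},
    # batch delete (what the console issues): CloudTrail records no key
    {"eventTime": "2019-08-19T13:21:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObjects",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/me"},
     "requestParameters": {"bucketName": "example-bucket"}},
    # unrelated service event, must be filtered out
    {"eventTime": "2019-08-19T13:22:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVolume",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/me"},
     "requestParameters": {"volumeId": "vol-PLACEHOLDER"}},
]})

S3_DELETE_EVENTS = ("DeleteObject", "DeleteObjects")


def s3_delete_events(log_json, limit=20):
    """Mirror of the Insights query: keep S3 delete calls, newest first, at most
    `limit` rows, projecting timestamp, caller ARN, event name, bucket and key."""
    records = json.loads(log_json)["Records"]
    hits = [r for r in records
            if r.get("eventSource") == "s3.amazonaws.com"
            and r.get("eventName") in S3_DELETE_EVENTS]
    # ISO-8601 UTC timestamps sort correctly as strings
    hits.sort(key=lambda r: r["eventTime"], reverse=True)
    rows = []
    for r in hits[:limit]:
        params = r.get("requestParameters") or {}
        rows.append({
            "timestamp": r["eventTime"],
            "arn": r.get("userIdentity", {}).get("arn"),
            "eventName": r["eventName"],
            "bucket": params.get("bucketName"),
            # None for DeleteObjects: the key is simply not in the record
            "key": params.get("key"),
        })
    return rows


def keys_unrecorded(rows):
    """Deletions whose object key cannot be learned from CloudTrail alone;
    these need S3 event notifications or server access logs to fill the gap."""
    return [r for r in rows if r["key"] is None]


if __name__ == "__main__":
    rows = s3_delete_events(SAMPLE_CLOUDTRAIL_LOG)
    for row in rows:
        print(row)
    print("keys not recorded:", len(keys_unrecorded(rows)))
```

The practical takeaway for detection engineering: a CloudTrail rule that only matches `DeleteObject` misses every deletion made from the console, while one that also matches `DeleteObjects` still identifies who deleted something and from which bucket, but not what. Treat a non-empty `keys_unrecorded` result as the signal to consult the S3 event notification or server access log for that bucket and time window.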