AWS CloudTrail custom selector for Data events

Question

I would like to enable CloudTrail Data Events just for Delete events for just couple of S3 buckets. I have the following selector:

[
  {
    "name": "Deletes CT selector",
    "fieldSelectors": [
      {
        "field": "eventCategory",
        "equals": [
          "Data"
        ]
      },
      {
        "field": "resources.type",
        "equals": [
          "AWS::S3::Object"
        ]
      },
      {
        "field": "eventName",
        "startsWith": [
          "Delete"
        ]
      },
      {
        "field": "resources.ARN",
        "startsWith": [
          "arn:aws:s3:::bucket-1/",
          "arn:aws:s3:::bucket-2/",
          "arn:aws:s3:::bucket-3/"
        ]
      },
      {
        "field": "readOnly",
        "equals": [
          "false"
        ]
      }
    ]
  }
]

When I try and test by deleting some object, I can see all other related events prior and after the delete but there is no DeleteObject or DeleteObjects, no Delete events at all. I am loading the logs in Athena and checking there, also manually checked the gzipped json generated by CloudTrails. No Delete events.

Does someone have managed to setup this scenario in CloudTrail?

score 0 · Answer 1 · answered Apr 12 '21 at 07:35

I thought I had a similar problem, using startWith = DeleteObject instead of Delete.

After a while it turns out events were just delayed. Working setup:

[
  {
    "name": "abc",
    "fieldSelectors": [
      {
        "field": "eventCategory",
        "equals": [
          "Data"
        ]
      },
      {
        "field": "resources.type",
        "equals": [
          "AWS::S3::Object"
        ]
      },
      {
        "field": "eventName",
        "startsWith": [
          "DeleteObject"
        ]
      },
      {
        "field": "resources.ARN",
        "startsWith": [
          "arn:aws:s3:::xxxxxx"
        ]
      }
    ]
  }
]

AWS CloudTrail custom selector for Data events

1 Answers1