2

Is there a way to see what actions the 'G2' IAM user is performing in S3, and which IP(s) they are running from? I have already enabled the logging of S3 actions.

One point I’m still not able to figure out is that when I’m trying to find logs in CloudTrail using an AWS access key or username, in both cases I get "No matches". But throughout the day that user (G2) interacts with S3; based on the times it seems like it is a CRON job running on some server. How can I identify it?

I know the date/time the user executes and the resource (S3) but that is all (no bucket, no IP, etc). Is there anything we can do with that information?

Will the CloudTrail CLI tool be helpful for my scenario?

I already tested these queries but was not able to get any output:

fields @timestamp, eventName, eventType, requestParameters.bucketName, requestParameters.key, resources.0.ARN
| filter sourceIPAddress == "xx.xx.xx.xx" and userIdentity.sessionContext.sessionIssuer.userName == "g2" and eventSource == "s3.amazonaws.com"
| sort @timestamp desc
| limit 100

fields @timestamp, @message
| filter userIdentity.userName == "g2"
| sort @timestamp desc
| limit 20

fields @timestamp, @message
| filter sourceIPAddress == "192.168.1.1"
| sort @timestamp desc
| limit 20

Can an Athena query of the CloudTrail logs be helpful? Can anyone help me with this?

  • What is a 'G2' IAM user? Are you wanting to track their use of Amazon S3 operations (eg CreateBucket), or simply to track what objects they access (eg via their web browser http calls)? – John Rotenstein Feb 03 '22 at 09:39
  • John Rotenstein, I actually want both: the Amazon S3 operations (eg CreateBucket) they perform, and to track what objects they access along with the IP address. Do I need to use the CloudTrail log, or is anything else required? – samtech 2021 Feb 03 '22 at 09:58
  • Duplicate: https://serverfault.com/questions/1092578/s3-logs-event-issue – shearn89 Mar 02 '22 at 13:56

2 Answers

0

Yes, you can use CloudTrail logs:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html

Devang Sanghani
  • 731
  • 5
  • 14
0

To track API requests, you can use AWS CloudTrail to capture requests, including the user and IP address.

See: Logging Amazon S3 API calls using AWS CloudTrail - Amazon Simple Storage Service.

To track web requests, you can activate Server Access Logging, which is effectively a log file like a web server produces. It will track the IP address, but it can only identify authenticated users.

See Logging requests using server access logging - Amazon Simple Storage Service.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • Thanks, John Rotenstein, but one thing I’m still not able to figure out is that when I’m trying to find logs in CloudTrail using an AWS access key or username, in both cases I get "No matches". But throughout the day that user (G2) interacts with S3; based on the times it seems like it is a CRON job running on some server. – samtech 2021 Feb 03 '22 at 13:19
  • _How_ is that user 'interacting' with S3? Are they calling an S3 API using an AWS SDK or the Console, or are they making HTTP calls to 'public' buckets? – John Rotenstein Feb 03 '22 at 21:44
  • Hello John Rotenstein, I did analyze the CloudTrail event history and used CloudWatch Logs Insights to find the access-logging IP address for 90 days using both “username” and “AWS Access Key”, but it seems that it isn’t of much help for finding “g2” user data. The “g2” IAM user does have Administrator Access. The user does not have management console access. I suspect it is just doing an 'ls' to check for the existence of some files. I think the same actions will be occurring each day for it. – samtech 2021 Feb 04 '22 at 08:34
  • https://ibb.co/2yhXyrJ – samtech 2021 Feb 04 '22 at 10:40
  • Did you "enable data events"? Can you see other users running similar commands? See: [Amazon S3 CloudTrail events - Amazon Simple Storage Service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking) – John Rotenstein Feb 04 '22 at 21:20
  • Hello John Rotenstein, I know the date/time the user executes and the resource (S3) but that is all (no bucket, no IP, etc). Is there anything we can do with that information? – samtech 2021 Feb 08 '22 at 14:30
  • @samtech2021 Yes, you can look in the logs. Or am I misunderstanding what you are asking? – John Rotenstein Feb 08 '22 at 20:36
  • Hello John Rotenstein, I know the date/time the user executes and the resource (S3) but that is all (no bucket, no IP, etc). Is there anything we can do with that information? – samtech 2021 Feb 10 '22 at 10:19
  • @samtech2021 Yes, you can look in the logs. Or am I misunderstanding what you are asking? – John Rotenstein Feb 10 '22 at 10:20
  • Hello, John Rotenstein, I already ran the mentioned queries but they did not work for me. What do you think, which step/procedure or queries do I need to follow to get the result? – samtech 2021 Feb 10 '22 at 10:31
  • Did you activate Amazon S3 CloudTrail events as referenced in my answer? It needs to be specifically activated to capture S3 API calls. Then, you would look in those logs around the time that you know the user was calling the Amazon S3 service. – John Rotenstein Feb 10 '22 at 10:55
  • Yes John Rotenstein, I did that and I am able to find the desired result with the other IAM users, but not with that specific user "g2". I am still not able to figure out why. – samtech 2021 Feb 10 '22 at 11:12
  • That would suggest it isn't interacting with S3. You could always deactivate that IAM User and see who complains! – John Rotenstein Feb 10 '22 at 22:14
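Added example (not part of the question or of either answer): a small Python script that does offline what the answer and the comment thread describe, namely reading CloudTrail records for a named IAM user and reporting the source IPs, event names, buckets and hours of day, so that a daily `ls` from a cron job shows up as a fixed hour and a single IP. It also points at the two things that make a user "disappear" from the logs: the first query in the question filters on `userIdentity.sessionContext.sessionIssuer.userName`, which only exists for role sessions (an IAM user calling with its long-term access key is found under `userIdentity.userName`), and object-level calls such as `ListObjects` are data events that CloudTrail only records once S3 data events are enabled on the trail. The records below are constructed for the example; the bucket names, IPs and the role name `backup-role` are placeholders.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records for illustration; not taken from the
# question's account. Field names follow the CloudTrail record format.
SAMPLE_RECORDS = [
    {   # IAM user with long-term keys: an object-level (data) event. Records
        # like this exist only when S3 data events are enabled on the trail.
        "eventTime": "2022-02-03T02:00:07Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListObjects", "eventCategory": "Data",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.4.0",
        "userIdentity": {"type": "IAMUser", "userName": "g2"},
        "requestParameters": {"bucketName": "example-bucket", "prefix": "incoming/"},
    },
    {   # Same user, next day, same hour: the pattern a cron job produces.
        "eventTime": "2022-02-04T02:00:05Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListObjects", "eventCategory": "Data",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.4.0",
        "userIdentity": {"type": "IAMUser", "userName": "g2"},
        "requestParameters": {"bucketName": "example-bucket", "prefix": "incoming/"},
    },
    {   # Management event by the same user; logged even without data events.
        "eventTime": "2022-02-04T09:15:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "eventCategory": "Management",
        "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.4.0",
        "userIdentity": {"type": "IAMUser", "userName": "g2"},
        "requestParameters": None,
    },
    {   # Assumed-role session: no userName; the role name is under sessionIssuer.
        "eventTime": "2022-02-04T10:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "eventCategory": "Data",
        "sourceIPAddress": "198.51.100.7", "userAgent": "aws-sdk-java",
        "userIdentity": {"type": "AssumedRole", "sessionContext": {
            "sessionIssuer": {"type": "Role", "userName": "backup-role"}}},
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/a.csv"},
    },
    {   # A different IAM user; must not be counted for g2.
        "eventTime": "2022-02-04T11:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject", "eventCategory": "Data",
        "sourceIPAddress": "192.0.2.44", "userAgent": "Boto3",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"bucketName": "other-bucket", "key": "x.txt"},
    },
]


def principal_name(record):
    """Name CloudTrail recorded for the caller.

    An IAM user calling with its access key has userIdentity.userName.
    An assumed-role session has no userName; the role name sits under
    sessionContext.sessionIssuer.userName. Filtering on only one of the
    two fields silently misses the other kind of caller.
    """
    ident = record.get("userIdentity", {})
    if ident.get("userName"):
        return ident["userName"]
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def s3_events_for(records, name):
    """S3 records made by the named principal (IAM user or role)."""
    return [r for r in records
            if r.get("eventSource") == "s3.amazonaws.com" and principal_name(r) == name]


def summarize(records, name):
    """What the principal did, from which IPs, on which buckets, at which hours."""
    events = s3_events_for(records, name)

    def params(r):
        return r.get("requestParameters") or {}

    return {
        "count": len(events),
        "source_ips": Counter(r["sourceIPAddress"] for r in events),
        "event_names": Counter(r["eventName"] for r in events),
        "buckets": Counter(params(r)["bucketName"] for r in events
                           if params(r).get("bucketName")),
        "user_agents": Counter(r.get("userAgent") for r in events),
        # Object-level calls are data events; if none appear for a user that
        # is known to touch objects, the trail is not recording data events.
        "has_data_events": any(r.get("eventCategory") == "Data" for r in events),
        # Hour-of-day histogram (UTC): one fixed hour across days suggests a scheduler.
        "hours_utc": Counter(r["eventTime"][11:13] for r in events),
    }


def load_records(path):
    """Read one CloudTrail log file: a JSON object with a 'Records' list."""
    with open(path) as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    # Replace SAMPLE_RECORDS with load_records("<path-to-cloudtrail-file>.json")
    # (placeholder path) to run this over real, decompressed trail files.
    print(json.dumps(summarize(SAMPLE_RECORDS, "g2"), indent=2))
```

Run over the constructed sample, the summary for `g2` shows three S3 calls from one IP, two of them `ListObjects` at 02:00 UTC on consecutive days, which is exactly the signature of a scheduled `ls` check. A real trail's records are gzipped JSON files under the trail's S3 prefix; decompress them and pass each file to `load_records`. If the summary for the user comes back with `has_data_events` false while other users show object-level calls, the next thing to check is the data-event configuration of the trail, as the answer's comments say.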