
I am trying to create an AWS CloudWatch event which will trigger an email whenever an S3 bucket is created or modified to allow public access.

I have created the CloudTrail trail and log stream and am tracking all the S3 event logs. When I try to create a custom event by giving the pattern to detect S3 buckets with public access, I am not able to fetch any response, or the event doesn't get triggered even if I create a bucket with public access. Can you help me out with the custom pattern for the same?

I have tried giving GetPublicAccessBlock, PutPublicAccessBlock etc. as the event type, but no luck. Please suggest accordingly.

1 Answer


You need to do the following in order to receive a notification:

  1. Enable CloudTrail for management events
  2. Create an EventBridge Rule with an event pattern
  3. AWS events or EventBridge partner events
  4. Use Pattern from AWS Service, Simple Storage Service(S3) and Event Type as "AWS API Call via CloudTrail"

Note: This only works if you are turning it off for an existing bucket (not for a new bucket).

The reason is that when we create a bucket with public access, only two events are generated, CreateBucket and PutBucketEncryption, and they don't seem to have any information regarding public access being turned on. However, if we create a bucket with no public access, it generates an additional PutBucketPublicAccessBlock event along with CreateBucket and PutBucketEncryption.

{
 "source": ["aws.s3"],
 "detail-type": ["AWS API Call via CloudTrail"],
 "detail": {
   "eventSource": ["s3.amazonaws.com"],
   "eventName": ["PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"],
   "requestParameters": {
     "PublicAccessBlockConfiguration": {
       "$or": [{
         "RestrictPublicBuckets": [false]
       }, {
         "BlockPublicPolicy": [false]
       }, {
         "BlockPublicAcls": [false]
       }, {
         "IgnorePublicAcls": [false]
       }]
     }
   }
 }
}
Sri
  • Hi Sri, thanks for responding. I have tried the same pattern but I am not getting the email for it, since I have set my target as SNS. One thing to note is that this works fine if I give the event type as PutBucketPolicy or DeleteBucket, but for the public access ones it doesn't. Please advise accordingly – Naga pramukh Jan 23 '23 at 06:59
  • I tried it myself with the above pattern and used SNS, and I was able to receive the notifications. Could you please provide your pattern? – Sri Jan 23 '23 at 10:11
  • When I am using the same pattern, I am getting a notification for a private bucket but not getting a notification for a public one. So for my use case I should get a notification when a bucket with public access is created. Is there any configuration or something I am missing, Sri? And thank you for your quick response – Naga pramukh Jan 23 '23 at 10:38
  • I was able to receive a notification whenever we turn public access on or off. I think this is what you mean by private/public. You need to provide me the pattern in order to assist further. – Sri Jan 23 '23 at 10:46
  • Hi Sri, I am using the same pattern which you shared earlier. The requirement is that I need to get a notification whenever a bucket is created which has public access enabled. The pattern which you shared is sending me a notification if I create a bucket with no public access, whereas I need it the other way round. Sorry if I was not clear with my requirement. – Naga pramukh Jan 23 '23 at 10:49
  • @Nagapramukh, I have updated the answer with the correct pattern. Please note it only works for existing buckets (not for new buckets). – Sri Jan 26 '23 at 01:30
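To see exactly which CloudTrail records the pattern in the answer above does and does not fire on, here is an added, offline example (not part of the original question or answer). It evaluates the answer's pattern, copied verbatim, against a few hand-constructed CloudTrail records using the subset of EventBridge matching semantics the pattern relies on (exact-value lists, nested objects and "$or"). The bucket name "example-bucket" and the shape of the DeleteBucketPublicAccessBlock record are assumptions for illustration.

```python
"""Offline check of the EventBridge pattern from the answer above.

Added example (not from the original post): the CloudTrail records below
are constructed by hand to mirror the shape EventBridge delivers, so this
runs without an AWS account.  It implements only the pattern features the
answer's rule uses (exact-value lists, nested objects, "$or").
"""
from typing import Any

# Rule pattern from the answer, copied verbatim (JSON false -> Python False).
PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"],
        "requestParameters": {
            "PublicAccessBlockConfiguration": {
                "$or": [
                    {"RestrictPublicBuckets": [False]},
                    {"BlockPublicPolicy": [False]},
                    {"BlockPublicAcls": [False]},
                    {"IgnorePublicAcls": [False]},
                ]
            }
        },
    },
}


def matches(pattern: Any, event: Any) -> bool:
    """EventBridge matching, restricted to what PATTERN needs.

    A list is a leaf: the event value must equal one of its members.
    A dict requires every key to be present in the event and to match;
    "$or" succeeds when any alternative matches.  Content filters such as
    "prefix", "numeric" or "anything-but" are deliberately not handled.
    """
    if isinstance(pattern, list):
        # Compare type as well as value: EventBridge matches JSON false only
        # against JSON false, and in Python False == 0 would otherwise be true.
        return any(type(event) is type(v) and event == v for v in pattern)
    if isinstance(pattern, dict):
        if not isinstance(event, dict):
            return False
        for key, sub in pattern.items():
            if key == "$or":
                if not any(matches(alt, event) for alt in sub):
                    return False
            elif key not in event or not matches(sub, event[key]):
                return False
        return True
    raise TypeError(f"unsupported pattern node: {pattern!r}")


def cloudtrail_event(event_name: str, request_parameters: dict) -> dict:
    """Wrap a record the way EventBridge delivers CloudTrail API calls
    (constructed; only the fields the pattern inspects are filled in)."""
    return {
        "source": "aws.s3",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "s3.amazonaws.com",
            "eventName": event_name,
            "requestParameters": request_parameters,
        },
    }


def public_access_block(**flags: bool) -> dict:
    """requestParameters for PutBucketPublicAccessBlock on "example-bucket"
    (hypothetical bucket name) with the four block settings given."""
    return {"bucketName": "example-bucket",
            "PublicAccessBlockConfiguration": dict(flags)}


SAMPLE_EVENTS = {
    # Existing bucket: an operator clears one of the four blocks -> alert.
    "unblock_acls": cloudtrail_event("PutBucketPublicAccessBlock", public_access_block(
        BlockPublicAcls=False, IgnorePublicAcls=True,
        BlockPublicPolicy=True, RestrictPublicBuckets=True)),
    # Existing bucket: all four blocks re-enabled -> private, no alert.
    "block_all": cloudtrail_event("PutBucketPublicAccessBlock", public_access_block(
        BlockPublicAcls=True, IgnorePublicAcls=True,
        BlockPublicPolicy=True, RestrictPublicBuckets=True)),
    # New bucket created with public access: per the answer only CreateBucket
    # (and PutBucketEncryption) is recorded, so the rule has nothing to match.
    "create_public": cloudtrail_event("CreateBucket", {"bucketName": "example-bucket"}),
    # Block configuration removed outright.  The eventName is in the rule, but
    # the record carries no PublicAccessBlockConfiguration, so this pattern
    # still does not match (assumption: the constructed record mirrors a real
    # DeleteBucketPublicAccessBlock record, which has no such field).
    "delete_block": cloudtrail_event("DeleteBucketPublicAccessBlock",
                                     {"bucketName": "example-bucket"}),
}


def evaluate_all(events: dict = SAMPLE_EVENTS, pattern: dict = PATTERN) -> dict:
    """Return {name: would_the_rule_fire} for every sample event."""
    return {name: matches(pattern, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate_all().items():
        print(f"{name:14s} -> {'ALERT' if fired else 'no match'}")
```

Two things the run makes visible. First, the rule fires only on a PutBucketPublicAccessBlock record in which at least one of the four flags is false; a bucket that is created public never produces that record, which is the gap the answer's note describes. Second, listing DeleteBucketPublicAccessBlock in eventName does nothing as written, because EventBridge treats a pattern key that is absent from the event as a non-match and that record has no PublicAccessBlockConfiguration to inspect; removing the block configuration altogether would need its own "$or" branch (or a separate rule) keyed on the event name alone. To cover newly created buckets, the usual approach is a second rule on CreateBucket that hands the bucket name to a Lambda which calls GetPublicAccessBlock and evaluates the result itself.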