In my company we have an AWS account and I have a bucket that holds personal information about workers of the company. As the names of the files sometimes disclose information about the workers, I don't want the files to be listable to anyone. The bucket policy I used blocks all access to the bucket to anyone but me but CloudTrail still logs the names of the files, in PutObject or GetObject events for example, and so anyone with CloudTrail access (which I don't control) may see the file names and who accesses them. Is there a way to deny CloudTrail from logging this bucket? I want to make sure it is not logging what happens to the files there and who accesses the bucket.
Posted an explanation to your question, did it help? – Jatin Mehrotra Mar 03 '23 at 07:06
1 Answer
The events you mentioned, like GetObject and PutObject, are data events.
From the docs:
CloudTrail supports logging Amazon S3 object-level API operations such as GetObject, DeleteObject, and PutObject. These events are called data events.
This means your organization has enabled data events, and since you don't control the CloudTrail trail, you cannot disable it.
According to the docs:
To disable CloudTrail data events logging for objects in an S3 bucket
To disable object-level logging for the bucket, you must open the CloudTrail console and remove the bucket name from the trail's Data events.

Jatin Mehrotra
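As an added example (not part of the answer above), the following Python checks whether a trail's classic event selectors, as returned by `aws cloudtrail get-event-selectors --trail-name <name>`, would log S3 data events for a given bucket. The selector JSON embedded here is constructed sample data, the trail name and bucket names are made up, and advanced event selectors (`AdvancedEventSelectors`) are not covered.

```python
import json

# Constructed sample output in the shape of `aws cloudtrail get-event-selectors`
# (not taken from any real account). Values under AWS::S3::Object are ARN prefixes:
#   "arn:aws:s3"                      -> every object in every bucket of the account
#   "arn:aws:s3:::my-bucket/"         -> every object in my-bucket
#   "arn:aws:s3:::my-bucket/reports/" -> only objects under that key prefix
SAMPLE_SELECTORS = json.loads("""{
  "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
  "EventSelectors": [
    {
      "ReadWriteType": "All",
      "IncludeManagementEvents": true,
      "DataResources": [
        {"Type": "AWS::S3::Object",
         "Values": ["arn:aws:s3:::hr-records-bucket/",
                    "arn:aws:s3:::logs-bucket/exports/"]}
      ]
    }
  ]
}""")


def s3_data_events_logged(selectors: dict, bucket: str) -> list:
    """Return the selector values that cause object-level events for `bucket`
    to be logged (an empty list means the trail does not log them)."""
    bucket_arn = f"arn:aws:s3:::{bucket}/"
    matches = []
    for selector in selectors.get("EventSelectors", []):
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            for value in resource.get("Values", []):
                # Whole-bucket (or whole-account) prefix covering this bucket,
                # or a key prefix inside this bucket: either way events are logged.
                if bucket_arn.startswith(value) or value.startswith(bucket_arn):
                    matches.append(value)
    return matches


if __name__ == "__main__":
    for name in ("hr-records-bucket", "logs-bucket", "other-bucket"):
        hits = s3_data_events_logged(SAMPLE_SELECTORS, name)
        print(f"{name}: {'logged via ' + ', '.join(hits) if hits else 'not logged'}")
```

Running it against the real trail output lets you confirm, before and after the trail owner edits the Data events list, whether your bucket is still covered.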