
I need to capture all S3 events and store in S3 bucket. I got the option to enable Cloud trail for a S3 bucket, but I need to do it on a particular prefix instead of entire S3 bucket.

I do not see an option to add Prefix for enabling Cloud Trail on a S3 bucket. Is this possible?

PythonDeveloper

1 Answer

Yes, it's possible.

For S3 you can log:

Amazon S3 object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations) on buckets and objects in buckets.

Source

You can set up AWS CloudTrail to log data events for specific Amazon S3 objects.

The following example shows how to use basic event selectors to configure your trail to include all management and data events for two S3 objects. You can specify from 1 to 5 event selectors for a trail.

aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[
  {
    "ReadWriteType": "All",
    "IncludeManagementEvents": true,
    "DataResources": [
      {
        "Type": "AWS::S3::Object",
        "Values": ["arn:aws:s3:::mybucket/prefix", "arn:aws:s3:::mybucket2/prefix2"]
      }
    ]
  }
]'

This should return something like this:

{
    "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/TrailName",
    "EventSelectors": [
        {
            "IncludeManagementEvents": true,
            "DataResources": [
                {
                    "Values": [
                        "arn:aws:s3:::mybucket/prefix",
                        "arn:aws:s3:::mybucket2/prefix2"
                    ],
                    "Type": "AWS::S3::Object"
                }
            ],
            "ReadWriteType": "All"
        }
    ]
}

Detailed documentation on logging data events with CloudTrail is here.

baduker
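As an added example (not code from the answer above or from AWS), the following standard-library Python script builds the same basic event-selector JSON for one bucket and key prefix, and then emulates how CloudTrail decides which object operations fall under that selector. The emulation rules are assumptions drawn from the documented behaviour: a `DataResources.Values` entry is matched as a string prefix of the object ARN, and `ReadWriteType` treats Get/Head/List operations as reads. Bucket names, keys and the simplified sample records are constructed. The caveat it demonstrates is the trailing slash: `arn:aws:s3:::mybucket/prefix` also matches keys such as `prefix-archive/old.csv`, while `arn:aws:s3:::mybucket/prefix/` covers only keys inside that folder.

```python
import json

# Constructed names; the answer only uses "mybucket"/"prefix", the rest is assumed.
BUCKET = "mybucket"
PREFIX = "prefix/"          # trailing slash: log only keys under the "prefix" folder

# CloudTrail event names treated as read operations for ReadWriteType (assumption).
READ_EVENT_PREFIXES = ("Get", "Head", "List")


def object_arn(bucket, key):
    """ARN of an object (or key prefix) in the form CloudTrail matches selectors against."""
    return f"arn:aws:s3:::{bucket}/{key}"


def build_event_selectors(bucket, prefix, read_write="All", include_management=True):
    """Basic event selectors equivalent to the CLI call in the answer, for one prefix.

    CloudTrail matches DataResources.Values as a string prefix of the object ARN,
    so "arn:aws:s3:::mybucket/prefix" also covers "prefix-archive/old.csv".
    Pass prefix="prefix/" to restrict logging to keys inside that folder.
    """
    return [{
        "ReadWriteType": read_write,
        "IncludeManagementEvents": include_management,
        "DataResources": [
            {"Type": "AWS::S3::Object", "Values": [object_arn(bucket, prefix)]},
        ],
    }]


def selectors_to_cli_json(selectors):
    """Compact JSON suitable for --event-selectors (inline or via file://)."""
    return json.dumps(selectors, separators=(",", ":"))


def is_logged(selectors, bucket, key, event_name):
    """Emulate CloudTrail's selector evaluation for one S3 object operation.

    Emulation (assumption): the operation is logged if some selector whose
    ReadWriteType admits it has an AWS::S3::Object value that is a prefix of the ARN.
    """
    arn = object_arn(bucket, key)
    is_read = event_name.startswith(READ_EVENT_PREFIXES)
    for selector in selectors:
        rw = selector.get("ReadWriteType", "All")
        if (rw == "ReadOnly" and not is_read) or (rw == "WriteOnly" and is_read):
            continue
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            if any(arn.startswith(value) for value in resource.get("Values", [])):
                return True
    return False


# Constructed, simplified CloudTrail records (real records carry many more fields).
SAMPLE_RECORDS = [
    {"eventName": "PutObject",
     "requestParameters": {"bucketName": "mybucket", "key": "prefix/report.csv"}},
    {"eventName": "GetObject",
     "requestParameters": {"bucketName": "mybucket", "key": "prefix-archive/old.csv"}},
    {"eventName": "DeleteObject",
     "requestParameters": {"bucketName": "mybucket", "key": "other/file.bin"}},
    {"eventName": "GetObject",
     "requestParameters": {"bucketName": "otherbucket", "key": "prefix/report.csv"}},
]


def logged_keys(selectors, records):
    """Return the (bucket, key) pairs from records that the selectors would have logged."""
    out = []
    for rec in records:
        params = rec["requestParameters"]
        if is_logged(selectors, params["bucketName"], params["key"], rec["eventName"]):
            out.append((params["bucketName"], params["key"]))
    return out


if __name__ == "__main__":
    strict = build_event_selectors(BUCKET, PREFIX)
    loose = build_event_selectors(BUCKET, PREFIX.rstrip("/"))
    print(selectors_to_cli_json(strict))
    print("strict:", logged_keys(strict, SAMPLE_RECORDS))
    print("loose: ", logged_keys(loose, SAMPLE_RECORDS))
```

Run it to print the selector JSON and the two coverage lists; the JSON can be saved to a file and handed to the CLI with `--event-selectors file://selectors.json` instead of quoting it inline. Remember that CloudTrail charges per data event, so over-matching on a bare prefix is also a cost problem, not only a noise problem.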