CloudTrail is enabled on your AWS account when you create the account. When supported event activity occurs in Amazon S3, that activity is recorded in a CloudTrail event along with other AWS service events in Event history. You can view, search, and download recent events in your AWS account. For more information, see Viewing Events with CloudTrail Event History. Show
For an ongoing record of events in your AWS account, including events for Amazon S3, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
For more information, see the CloudTrail userIdentity Element. You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 Lifecycle rules to archive or delete log files automatically. By default, your log files are encrypted by using Amazon S3 server-side encryption (SSE). How CloudTrail captures requests made to Amazon S3By default, CloudTrail logs S3 bucket-level API calls that were made in the last 90 days, but not log requests made to objects. Bucket-level calls include events like CreateBucket, DeleteBucket, PutBucketLifeCycle, PutBucketPolicy, etc. You can see bucket-level events on the CloudTrail console. However, you can't view data events (Amazon S3 object-level calls) there—you must parse or query CloudTrail logs for them. Amazon S3 account-level actions tracked by CloudTrail loggingCloudTrail logs account-level actions. Amazon S3 records are written together with other AWS service records in a log file. CloudTrail determines when to create and write to a new file based on a time period and file size. The tables in this section list the Amazon S3 account-level actions that are supported for logging by CloudTrail. Amazon S3 account-level API actions tracked by CloudTrail logging appear as the following event names:
Amazon S3 bucket-level actions tracked by CloudTrail loggingBy default, CloudTrail logs bucket-level actions. Amazon S3 records are written together with other AWS service records in a log file. CloudTrail determines when to create and write to a new file based on a time period and file size. The tables in this section list the Amazon S3 bucket-level actions that are supported for logging by CloudTrail. Amazon S3 bucket-level API actions tracked by CloudTrail logging appear as the following event names:
In addition to these API operations, you can also use the OPTIONS object object-level action. This action is treated like a bucket-level action in CloudTrail logging because the action checks the CORS configuration of a bucket. Amazon S3 object-level actions tracked by AWS CloudTrail loggingYou can also get CloudTrail logs for object-level Amazon S3 actions. To do this, enable data events for your S3 bucket or all buckets in your account. When an object-level action occurs in your account, CloudTrail evaluates your trail settings. If the event matches the object that you specified in a trail, the event is logged. For more information, see Enabling CloudTrail event logging for S3 buckets and objects and Logging Data Events for Trails in the AWS CloudTrail User Guide. The following object-level API actions are logged as CloudTrail events:
In addition to these operations, you can use the following bucket-level operations to get CloudTrail logs as object-level Amazon S3 actions under certain conditions:
Object-level actions in cross-account scenariosThe following are special use cases involving the object-level API calls in cross-account scenarios and how CloudTrail logs are reported. CloudTrail always delivers logs to the requester (who made the API call). When setting up cross-account access, consider the examples in this section. The examples assume that CloudTrail logs are appropriately configured. Example 1: CloudTrail delivers access logs to the bucket ownerCloudTrail delivers access logs to the bucket owner only if the bucket owner has permissions for the same object API. Consider the following cross-account scenario:
CloudTrail always delivers object-level API access logs to the requester (account-B). In addition, CloudTrail also delivers the same logs to the bucket owner (account-A) only if the bucket owner owns (account-C) or has permissions for those same API actions on that object. Otherwise, the bucket owner must get permissions, through the object's ACL to get object-level API access logs. Example 2: CloudTrail does not proliferate email addresses used in setting object ACLsConsider the following cross-account scenario:
The requester gets the logs along with the email information. However, the bucket owner—if they are eligible to receive logs, as in example 1—gets the CloudTrail log reporting the event. However, the bucket owner doesn't get the ACL configuration information, specifically the grantee email and the grant. The only information that the log tells the bucket owner is that an ACL API call was made by Account-B. Which of the following AWS services can be used to record logs of all AWS API calls?You can use AWS CloudTrail data to view and track API calls made to your account using the following: CloudTrail Event history. CloudTrail Lake. Amazon CloudWatch Logs.
Which AWS service records API activity?AWS CloudTrail, a service that continuously monitors and logs your AWS account activity, now allows Amazon CloudWatch Events APIs to be viewed in the CloudTrail console API Activity History page.
Which AWS service collect information regarding API activity made against an AWS account?AWS CloudTrail is the canonical source of logs for user activity and API usage across AWS services.
Which permissions does CloudTrail need to deliver logs to an S3 bucket?To do this, replace the account ID ARNs with the service principal name: "cloudtrail.amazonaws.com" . This gives CloudTrail permission to deliver logs for current and new regions. As a security best practice, add an aws:SourceArn or aws:SourceAccount condition key to the Amazon S3 bucket policy.
|