I am trying to see which user was responsible for changes in S3 (at the bucket level). I could not find an audit trail for actions done at the S3 bucket level or for EC2 who created ins
Currently, a single CloudTrail trail is free.
1. Enable CloudTrail
Use the CloudTrail dashboard and send all events to an S3 bucket, e.g. my-cloudtrail
2. Go Through the Results
The CloudTrail dashboard lets you do some cursory searches, but if you have many thousands of events, it's a pain to use.
Let's say I want actions for user foo_user, I just use the CLI tool:
mkdir -p /tmp/cloudtrail
cd /tmp/cloudtrail
# pull down the whole trail bucket (same bucket as configured above)
aws s3 sync s3://my-cloudtrail .
cd AWSLogs
# each file is a gzipped JSON document with a top-level "Records" array;
# print "eventName userName" per record, keep only foo_user, de-duplicate
find . -type f -name '*.json.gz' -exec zcat {} + \
  | jq '.Records[] | "\(.eventName) \(.userIdentity.userName)"' \
  | grep foo_user | sort -u
Example Output:
"CreateGrant foo_user"
"DescribeInstances foo_user"
"GetConsoleOutput foo_user"
"ModifyInstanceAttribute foo_user"
"StartInstances foo_user"
"StopInstances foo_user"
Note: S3 data events are billed differently in CloudTrail, but this is somewhat redundant, because you can just enable logging on your S3 bucket and grep those logs, or point them at Logstash/Kibana.
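The same search as the jq pipeline in the answer above, as an added example that is not part of the original answer: it walks a local copy of the trail bucket, reads the gzipped record files, and lists the unique actions per principal. It is written in Python rather than shell so it runs without jq, and it adds the caveat the one-liner misses: for AssumedRole records `userIdentity.userName` is absent (jq prints `null`), so the principal has to be recovered from the STS ARN instead. The records, account id, bucket layout and the `who` / `event_source` filter parameters are all constructed for this example.

```python
"""List the CloudTrail actions taken by a given principal.

Added example, not code from the original answer. Assumes the documented
CloudTrail record layout (Records[].eventName, eventSource, userIdentity).
The sample records and account id below are constructed, not real logs.
"""
import gzip
import json
import tempfile
from pathlib import Path
from typing import Iterable, Iterator, Optional

# Constructed sample records; only the fields read below are filled in.
SAMPLE_RECORDS = [
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "foo_user",
                      "arn": "arn:aws:iam::123456789012:user/foo_user"}},
    {"eventName": "StopInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "foo_user",
                      "arn": "arn:aws:iam::123456789012:user/foo_user"}},
    # Assumed role: no top-level userName, so the jq filter prints "null".
    {"eventName": "DeleteBucket", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/foo_user",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                                                           "userName": "Admin"}}}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bar_user",
                      "arn": "arn:aws:iam::123456789012:user/bar_user"}},
    {"eventName": "CreateBucket", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]


def actor(record: dict) -> str:
    """Best-effort principal name: IAM users carry userName directly,
    assumed roles carry role and session name only in the STS ARN,
    root has neither, so fall back to the identity type."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type", "unknown")
    if kind == "IAMUser":
        return ident.get("userName", "")
    if kind == "AssumedRole":
        # arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> "ROLE/SESSION"
        return ident.get("arn", "").split(":assumed-role/", 1)[-1]
    return kind


def iter_records(root: Path) -> Iterator[dict]:
    """Yield every record from the *.json.gz files under a synced trail bucket
    (the equivalent of `find . -type f | xargs zcat`)."""
    for path in sorted(root.rglob("*.json.gz")):
        with gzip.open(path, "rt") as fh:
            yield from json.load(fh).get("Records", [])


def actions_by(records: Iterable[dict], who: str,
               event_source: Optional[str] = None) -> list:
    """Sorted, de-duplicated (eventName, principal) pairs for principals whose
    resolved name contains `who`, optionally limited to one eventSource
    (e.g. "s3.amazonaws.com" for bucket-level S3 calls)."""
    seen = set()
    for rec in records:
        if event_source and rec.get("eventSource") != event_source:
            continue
        name = actor(rec)
        if who in name:
            seen.add((rec["eventName"], name))
    return sorted(seen)


def write_sample_trail(root: Path) -> Path:
    """Write SAMPLE_RECORDS as one gzipped file in CloudTrail's AWSLogs layout."""
    path = (root / "AWSLogs" / "123456789012" / "CloudTrail" / "us-east-1"
            / "2016" / "01" / "01" / "sample.json.gz")
    path.parent.mkdir(parents=True, exist_ok=True)
    with gzip.open(path, "wt") as fh:
        json.dump({"Records": SAMPLE_RECORDS}, fh)
    return root


def roundtrip_sample() -> list:
    """Write the sample trail to a temp dir and read it back through iter_records."""
    with tempfile.TemporaryDirectory() as tmp:
        return list(iter_records(write_sample_trail(Path(tmp))))


if __name__ == "__main__":
    for event, name in actions_by(roundtrip_sample(), "foo_user"):
        print(f"{event} {name}")
    print("-- S3 bucket-level calls only --")
    for event, name in actions_by(roundtrip_sample(), "foo_user", "s3.amazonaws.com"):
        print(f"{event} {name}")
```

Point `iter_records` at the directory you synced the trail bucket into and the output matches the jq pipeline for IAM users, with assumed-role sessions shown as `ROLE/SESSION` instead of `null`. Filtering on `eventSource` is how you isolate the bucket-level S3 calls the question asks about without paying for S3 data events.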