How to consume Cloud Trail Data Event for S3 ?

Question

We are trying to get **cloud trail data event** but using the SDK or AWS CLI we can only fetch management events or insight events.

Refer : https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/lookup-events.html

However for our use case we need to fetch events such as **GetObject/PutObject** which are data events.
We can **directly get access to S3** bucket (where cloud trail logs are dumped) and surf through the objects but was just looking for a **better solution** .

Answer

CloudTrail SDK or AWS CLI can only fetch management events or insight events, there are other alternatives that you can consider.

One option is to use the CloudTrail Insights feature, which allows you to analyze CloudTrail data using a query language. With CloudTrail Insights, you can write a query to filter and search for S3 data events, such as GetObject and PutObject, based on specific criteria.

Another option is to set up a CloudWatch Events rule to trigger a Lambda function whenever a data event occurs in S3. The Lambda function can then process the event and perform any necessary actions, such as storing the event data in a database or sending a notification.

Answer

You can use Athena to query the CloudTrail data in S3. See: Analyze Security, Compliance, and Operational Activity Using AWS CloudTrail and Amazon Athena.

You can see how this is done in this workshop, Ransomware on S3 - Simulation and Detection

전문가

kentrad

답변함 일 년 전

You can see how this is done in this workshop, [Ransomware on S3 - Simulation and Detection](https://catalog.workshops.aws/aws-cirt-ransomware-simulation-and-detection/en-US)

How to consume Cloud Trail Data Event for S3 ?

관련 콘텐츠