Can an org-wide CloudTrail exclude S3 logging for an S3 bucket in another account?


We have an organization-wide CloudTrail which is logging events to an S3 bucket in a different account (part of the organization). By default, with S3 events turned on, this means we are getting the CloudTrail log events logging themselves. I have attempted to exclude the bucket using the advanced event selectors; however, I get the error message "S3 ARN is not valid". When clicking the browse button next to this field, I can only see S3 buckets on the master account for the organization. Is it possible to exclude a bucket held in another account?

JK
asked 3 months ago, 392 views
1 Answer

Hello,

It is indeed possible to create an advanced event selector for your Organization-wide CloudTrail to exclude logging of data events for a specific S3 bucket that is located in a member AWS account.

In order to achieve the same, you would generally follow the same steps as outlined here [1] via the CloudTrail management Console; however, you would need to specify the S3 bucket ARN and include the trailing slash if you use the "resources.ARN" Field Selector, instead of selecting the "Browse" button, as selecting the "Browse" button only lists the S3 buckets that are located in the Organization Management Account, which is similar to viewing S3 buckets via the S3 management Console when you are logged into the Organization Management Account.

For example, you would use the following S3 ARN format, together with the "notStartsWith" operator, in order to exclude the logging of data events (object-level activities) for a specific S3 bucket located in the member AWS Account:

  • arn:aws:s3:::<bucket_name>/

The reason for the above is that if you enable data events for S3, then you are essentially logging data events for the resource type "AWS::S3::Object", and the ARN format for this resource type would commonly be the following [2]:

  • arn:aws:s3:::<bucket_name>/
  • arn:aws:s3:::<bucket_name>/<object_prefix>/

If you try to specify the ARN of the S3 bucket without the trailing slash in the advanced event selector for S3 data events, then you are essentially specifying the ARN for the resource type "AWS::S3::Bucket" and not for the "AWS::S3::Object" resource type. This would explain the error "S3 ARN is not valid" that was returned, as the expected ARN format would be the ARN format for the resource type "AWS::S3::Object".

[1] Logging data events - Logging data events with the AWS Management Console - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-console

[2] AdvancedFieldSelector - Contents (see sub-header "resources.ARN") - https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html#API_AdvancedFieldSelector_Contents

I sincerely hope the above helps.

AWS
SUPPORT ENGINEER
answered 3 months ago
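The selector described in the answer above, as an added example that is not part of the original post or of any AWS code: it builds the advanced event selector document (the JSON shape accepted by `aws cloudtrail put-event-selectors --advanced-event-selectors`), applies the trailing-slash check that the console enforces for `AWS::S3::Object`, and evaluates the selector locally against two constructed data-event records to show that the trail's own log bucket is excluded while other buckets are still logged. The bucket names and account ID are placeholders; because S3 bucket names are global, the ARN carries no account ID and the same selector works for a bucket in any member account.

```python
import json
import re

# Placeholder bucket name (assumption): the cross-account bucket the trail writes to.
LOG_BUCKET = "org-cloudtrail-logs-example"


def object_arn(bucket: str) -> str:
    """ARN form for resource type AWS::S3::Object: the bucket ARN plus a trailing slash."""
    return f"arn:aws:s3:::{bucket}/"


def is_valid_object_arn(arn: str) -> bool:
    # Local approximation of the console check behind "S3 ARN is not valid":
    # an AWS::S3::Object value must be a bucket (or prefix) ARN ending in "/".
    return re.fullmatch(r"arn:aws:s3:::[a-z0-9.-]{3,63}/(?:[^/]+/)*", arn) is not None


def build_selector(excluded_bucket: str) -> list:
    """Advanced event selector: all S3 object-level data events except one bucket."""
    arn = object_arn(excluded_bucket)
    if not is_valid_object_arn(arn):
        raise ValueError(f"S3 ARN is not valid for AWS::S3::Object: {arn}")
    return [{
        "Name": "S3 data events minus the trail's own log bucket",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "resources.ARN", "NotStartsWith": [arn]},
        ],
    }]


def selector_matches(selector: dict, event: dict) -> bool:
    """Local approximation of how CloudTrail applies Equals / NotStartsWith to a record."""
    for fs in selector["FieldSelectors"]:
        value = event[fs["Field"]]
        if "Equals" in fs and value not in fs["Equals"]:
            return False
        if "NotStartsWith" in fs and any(value.startswith(p) for p in fs["NotStartsWith"]):
            return False
    return True


if __name__ == "__main__":
    # Save this output to selectors.json and pass it as file://selectors.json.
    print(json.dumps(build_selector(LOG_BUCKET), indent=2))
```

The `resources.ARN` check is a pure prefix comparison on the object ARN, which is why the exclusion does not depend on which account owns the bucket.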
