Hi, to answer your first question:
I want to know if I can set up any CloudWatch alarms that get triggered if the copying of data is failing because of any permissions/access issue in a certain bucket.
To monitor S3 you could set up the following elements:
- Logging API calls using AWS CloudTrail: this will give you information on the API calls that are made to your bucket and to the objects in your bucket (https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html)
- Amazon S3 Server Access Logging: this will record the operations happening on your bucket/objects, including "Authentication failures", as explained here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html (https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html)
Also, currently I generate access/secret keys to issue these dvc commands from my local machine. Is there another way to get access to these S3 buckets, like setting up access points?
The S3 Access Point feature might be used to better refine your authorization mechanism (https://aws.amazon.com/s3/features/access-points/); however, you will still be required to perform some authentication, either via:
- Access/Secret Key: this is the option you are currently using, where you need to store the credentials on your local machine.
- IAM Roles Anywhere: this option uses certificate authentication to obtain temporary credentials that can be used to authenticate your workload running on your local machine: https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html https://aws.amazon.com/about-aws/whats-new/2022/07/aws-identity-access-management-iam-roles-anywhere-workloads-outside-aws/
You can set up alarms by sending CloudTrail logs to CloudWatch Logs and setting a metric filter with a string for permission errors.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/monitor-cloudtrail-log-files-with-cloudwatch-logs.html
To add the required CloudTrail policy to an Amazon S3 bucket:
1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. Choose the bucket where you want CloudTrail to deliver your log files, and then choose Permissions.
3. Choose Edit.
4. Copy the S3 bucket policy to the Bucket Policy Editor window. Replace the placeholders in italics with the names of your bucket, prefix, and account number. If you specified a prefix when you created your trail, include it here. The prefix is an optional addition to the S3 object key that creates a folder-like organization in your bucket.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-event-notifications.html https://docs.aws.amazon.com/AmazonS3/latest/userguide/NotificationHowTo.html
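To make the metric-filter approach from the answer above concrete, here is an added example (not the answer author's or AWS's own code) that builds the CloudWatch Logs filter pattern for S3 authorization failures on one bucket, produces the parameter dictionaries for boto3 `put_metric_filter` / `put_metric_alarm`, and applies the same match locally to constructed CloudTrail-style records. The bucket name, log group, metric names and SNS topic ARN are assumptions.

```python
"""Flag S3 permission failures in CloudTrail records as a CloudWatch Logs metric filter would."""

def filter_pattern(bucket: str) -> str:
    # CloudWatch Logs JSON filter syntax: S3 calls on this bucket that were
    # rejected by authorization ("*" is the filter syntax's wildcard).
    return ('{ ($.eventSource = "s3.amazonaws.com") && '
            f'($.requestParameters.bucketName = "{bucket}") && '
            '(($.errorCode = "AccessDenied") || '
            '($.errorCode = "*UnauthorizedOperation")) }')

def is_permission_failure(record: dict, bucket: str) -> bool:
    """Local equivalent of filter_pattern(), e.g. for exported CloudTrail JSON."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    if (record.get("requestParameters") or {}).get("bucketName") != bucket:
        return False
    code = record.get("errorCode", "")
    return code == "AccessDenied" or code.endswith("UnauthorizedOperation")

def count_failures(records: list, bucket: str) -> int:
    return sum(1 for r in records if is_permission_failure(r, bucket))

def metric_filter_params(log_group: str, bucket: str) -> dict:
    """kwargs for boto3 logs.put_metric_filter() (metric names are assumptions)."""
    return {"logGroupName": log_group,
            "filterName": f"S3AccessDenied-{bucket}",
            "filterPattern": filter_pattern(bucket),
            "metricTransformations": [{"metricName": f"S3AccessDenied-{bucket}",
                                       "metricNamespace": "CloudTrailMetrics",
                                       "metricValue": "1", "defaultValue": 0}]}

def alarm_params(bucket: str, sns_topic_arn: str) -> dict:
    """kwargs for boto3 cloudwatch.put_metric_alarm(): any failure within 5 min alarms."""
    return {"AlarmName": f"S3AccessDenied-{bucket}",
            "Namespace": "CloudTrailMetrics", "MetricName": f"S3AccessDenied-{bucket}",
            "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1,
            "Threshold": 1, "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "TreatMissingData": "notBreaching", "AlarmActions": [sns_topic_arn]}

# Constructed CloudTrail-style records (not real events): a denied PutObject from a
# dvc push, a successful GetObject, and a denial on an unrelated bucket.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "requestParameters": {"bucketName": "dvc-remote", "key": "files/md5/ab"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": "dvc-remote", "key": "files/md5/cd"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "errorCode": "AccessDenied", "requestParameters": {"bucketName": "other"}},
]
```

Pass the two dictionaries to `boto3.client("logs").put_metric_filter(**...)` and `boto3.client("cloudwatch").put_metric_alarm(**...)` once the trail delivers to the named log group.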
Hi clouduser, if you think my answer covers your requests, can I please ask you to consider accepting my answer?