Amazon AWS S3 Bucket Notify on Permission Change

Question

Looking to create a rule to notify on if someone happen to change permissions on an s3 bucket to everyone essentially. Hoping someone has some experience with a similar request and would love to hear what you did.

Answer 1

Configure CloudTrail to send logs to CloudWatch and setup an alarm to get notified when particular API request happened.

• Read here how to enable logging to CloudWatch: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html

• Read here how to filter particular API requests: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-s3-bucket-activity