Reputation: 507
How do you enable S3 Object Logging to Cloud Trail using AWS CLI?
Its possible to do object logging on a S3 bucket to Cloud trail using the following guide, but this is through the console.
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html
I've been trying to figure out a way to do this via the cli since want to do this for many buckets but haven't had much luck. I've setup a new cloud trail on my account and would like to map it to s3 buckets to do object logging. Is there a cli for this?
# This is to grant s3 log bucket access (no link to cloudtrail here)
aws s3api put-bucket-logging
Upvotes: 0
Views: 1648
Answers (2)
Reputation: 543
Disclaimer: The comment by puji in the accepted answer works. This is an expansion of that answer with the resources.
Here is the AWS documentation on how to do this through the AWS CLI
https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html
The specific CLI command you are interested is the following from the above documentation. The original documentation lists two objects in the same bucket. I have modified it to cover all the objects in two buckets.
aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::mybucket1/","arn:aws:s3:::mybucket2/"]}]}]'
If you want all the S3 buckets in your AWS accounts covered you can use arn:aws:s3::: instead of list of bucket arns like the following.
aws cloudtrail put-event-selectors --trail-name TrailName2 --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}]'
Upvotes: 1
Reputation: 269460
It looks like you'll need to use the CloudTrail put_event_selectors() command:
DataResources
CloudTrail supports data event logging for Amazon S3 objects and AWS Lambda functions.
(dict): The Amazon S3 buckets or AWS Lambda functions that you specify in your event selectors for your trail to log data events.
Do a search for object-level in the documentation page.
Upvotes: 3
Related Questions
- Is it possible to write cloudtrail logs to an s3 bucket in another, third-party AWS account?
- Cloudtrail not logging my s3 bucket events
- CloudWatch Rule set to trigger from CloudTrail doesn't trigger Lambda function unless I create a Trail to store CloudTrail logs in an S3 bucket
- Enable S3 Bucket Object level events to CloudTrail trail and forward object level events to CloudWatch log group in terraform?
- Moving specific Logs from AWS Cloudtrail to S3
- Enable object logging on s3 bucket via cloudformation
- AWS CloudTrail: Can I disable S3 storage for trails, since I'm using CloudWatch
- Enable logging S3 via cloudFormation template?
- How to enable AWS EMR CloudTrail logging?
- how to make cloud trail log files publicly readable