Is there any way send alert when s3 bucket(objects) is created/deleted?

Question

Recently we had terrible day someone from team deleted terraform state file. so we thought implementing alerts on s3. is there any way we can alert(send notifications)? and can we know which IAM user has performed the action?

Answer 1

You can use CloudTrail + SNS to generate alerts about S3 object creation and deletion like so:

https://asecure.cloud/a/cwalarm_s3_creation_deletion/

Here's a user guide from AWS that may help you as well: https://docs.aws.amazon.com/AmazonS3/latest/userguide/NotificationHowTo.html

There's a nice video from 2018 about how to get SNS notifications to get alerts about S3 object creation/deletion. Check that out also: https://www.youtube.com/watch?v=EGyuzMbXD0Y

The other couple of practices you could us are:

• enable versioning
• create policies so users cannot delete objects
• enable object locking
• replicate bucket to a different region
• optionally, keep a air-gapped copy outside of AWS S3 for critical files

That'll prevent an important file from being accidentally deleted.

Who dun it?

You should enable CloudTrail. Enable S3 bucket logs with object level logging. That'll allow CloudTrail to audit what happened to an object level. Here are a couple article that can help you get started:

• https://aws.amazon.com/premiumsupport/knowledge-center/s3-audit-deleted-missing-objects/
• https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html
• There's a video that can help: https://www.youtube.com/watch?v=Tzw1y7limNw

Answer 2

Amazon S3 Events can send notifications when objects in an Amazon S3 bucket are created or deleted.

The notification can:

• Send a message to an Amazon SNS Topic
• Send a message to an Amazon SQS Queue
• Trigger an AWS Lambda function