(本篇當初為了公司而寫所以暫時為英文版,有空把它變成中文)
Introduction
Understand how to open AWS S3 bucket logs and how to query the stored logs
Understand how to control user read and write permissions for S3 buckets
Integrate CloudTrail to make the log query process more convenient
Create IAM user for different permission
Go to Identity and Access Management (IAM) for create 2 user, we are going to let
sun: read/write access for S3
moon: read only for S3
Go to Policies and give user sun full permission for S3
Click into policy and attach user for this policy
Also, give user moon “AmazonS3ReadOnlyAccess” policy.
Create S3 for log save
We can log in user sun for create the S3 bucket, login url can be found in IAM Dashboard.
So now, go to Amazon S3 for create.
Didn’t need to change anything during create.
After create the S3 for saving log (log-kang), we can create the other one for Production env (In the image, it display as prod-kang)
When your source bucket and destination bucket are the same bucket, additional logs are created for the logs that are written to the bucket, which creates an infinite loop of logs. We do not recommend doing this because it could result in a small increase in your storage billing. In addition, the extra logs about logs might make it harder to find the log that you are looking for.
Set server logging enable
Now, click in prod-kang and go to Properties, scroll down to find “Server access log”, enable it and define the save path
In this image, we have create “prod-log” folder in log-kang S3, so we can find our log in it.
Get the log
Go in log-kang S3 bucket, we can see the log inside (separate in many file)
We can open the log file by clicking “Open” button instead of URL
or we can use AWS CLI to download all the log and migrate it by
1 | aws s3 cp s3://log-kang/prod-log . --recursive |
and we can execute command in the file, so we can get the combined_log.txt
1 | cat * >> combined_log.txt |
Compare: CloudTrail vs S3 server access logs
| CloudTrail Data Events | S3 server access logs |
|---|---|
| API calls at Object level | Access calls to S3 objects |
| All the S3 buckets for the AWS account or just for some folder in S3 bucket | individual bucket level |
| give more comprehensive information about the logs like BucketOwner, HTTPStatus, ErrorCode | |
| 0.10 per 100,000 data events delivered | Free |
CloudTrail Log
Example: PutBucketLogging
1 | { |
S3 server access logs
How to use CloudTrail
Go to CloudTrail, click on “Create Trail”
After created, we will go in “Choose log events”, there’ll have 3 Event type:
Management events: Capture management operations performed on your AWS resources.
- Management events capture management operations, such as API use, that are performed on resources in your AWS account. These are also known as control plane operations. Management events can also include non-API events that occur in your account, such as the ConsoleLogin event that occurs when a user signs in to your AWS account.
Data events: Log the resource operations performed on or within a resource.
- Data events show the resource operations performed on or within a resource, such as when a user uploads a file to an S3 bucket. These are also known as data plane operations. For more information about available data events, see Logging data events.
Insights events: Identify unusual activity, errors, or user behavior in your account.
- Helps you identify and respond to unusual activity associated with API calls and API error rates by continuously analyzing CloudTrail management events
We can select to record all the operation for all S3 bucket, or we can go into “custom” choice with specific S3 bucket.
Append: Full access for specific S3
Now we want to give user moon have full access to S3 bucket share-resource-kang, which create by user sun
Go to IAM policies and create
Just select JSON and copy paste below
1 | { |
So that we can give user moon “s3:PutObject” and “s3:DeleteObject” permission.