AWS S3 file access auditing

In this page

  • What is AWS S3 file access auditing?
  • Why audit S3 file changes?
  • Setting up S3 for file access auditing

What is AWS S3 file access auditing?

Amazon Simple Storage Service (S3) offers a scalable platform for storing and retrieving data of any size from any location. S3 provides robust support for versioning, website hosting, and detailed access logs. By migrating on-premises data to Amazon S3, organizations can eliminate capital expenditures and gain agility, scalability, availability, and resiliency.

The two fundamental components of Amazon S3 are buckets and objects. A bucket serves as a container for objects, where each object is a file along with its metadata. Objects can be uploaded to a bucket and subsequently accessed, downloaded, or moved to another bucket. This makes Amazon S3 a powerful and flexible storage option for diverse data management needs.

Given the critical nature of the data often stored in S3, it's crucial to implement robust access auditing mechanisms to monitor and track all file accesses. This article will walk you through the essential steps and best practices for auditing file access in AWS S3.

Why audit S3 file changes?

Auditing file changes in S3 is essential for ensuring the security of your data. It's important to analyze how users interact with the data in your storage buckets. By leveraging AWS S3 file access auditing capabilities, you can monitor and track all changes to your files, identify when files are added or deleted, and see who is accessing the data and how frequently. This helps recognize unauthorized access or privilege abuse, thereby ensuring data integrity and security. Additionally, maintaining detailed file access logs is crucial for meeting stringent regulatory requirements.

Setting up S3 for file access auditing

1. Enable versioning on your S3 bucket

Tracking changes to your files is made easy with S3 versioning, which keeps multiple versions of an object in the same bucket. Enabling this feature is the first step towards comprehensive file access auditing.

Steps to enable versioning:

  • Open the AWS management console and go to the S3 service.
  • Select the specific bucket for which you want to enable versioning.
  • Activate versioning:
    • Go to the Properties tab.
    • Navigate to the Bucket Versioning section and select Edit.
    • Click Enable and then save your changes.

2. Enable server access logging

Server access logging offers detailed records of the requests made to your S3 bucket. This includes who accessed the bucket, when, and what operations were performed.

Steps to enable server access logging:

  • Open the S3 console.
  • Select the bucket in which you want to enable logging.
  • In the Properties tab, select Server access logging.
  • Specify the target bucket for storing access logs. Make sure the target bucket has the required permissions to receive the logs.

3. Setting up S3 event notifications

One effective way to monitor S3 file access is with S3 event notifications, which let you monitor, alert on, and automate responses to specific events in your S3 buckets. By setting up notifications and routing them to AWS services like Lambda, SNS, and SQS, you can enhance the security and compliance of your S3 data.

Steps to enable event notifications:

  • Open the S3 console.
  • Choose the bucket you want to monitor.
  • Under the Properties tab, click on Event notifications.
  • Add a new event notification and choose the events you want to track (e.g., ObjectCreated, ObjectRemoved).
  • Choose the destination for the notifications, such as an SNS topic, SQS queue, or Lambda function.
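The Lambda destination mentioned in the last step receives an event document whose records carry the bucket, the URL-encoded object key, the event name and the calling principal. The handler below is an added example written for this page, not code from AWS or from the article's vendor: it summarizes each record for logging and returns the deletions as alerts. The event document is constructed for the example and follows the S3 event record layout; every identifier in it is made up.

```python
import json
from urllib.parse import unquote_plus

# Constructed sample event, shaped like an S3 event notification payload
# (Records[].eventName, .userIdentity, .s3.bucket, .s3.object). All values
# are invented for this example.
SAMPLE_EVENT = {
    "Records": [
        {
            "eventVersion": "2.1",
            "eventSource": "aws:s3",
            "awsRegion": "us-east-1",
            "eventTime": "2024-01-15T10:21:07.000Z",
            "eventName": "ObjectCreated:Put",
            "userIdentity": {"principalId": "AWS:EXAMPLEPRINCIPAL1"},
            "requestParameters": {"sourceIPAddress": "192.0.2.10"},
            "s3": {
                "bucket": {"name": "example-finance-bucket"},
                "object": {"key": "reports/Q4+summary.xlsx", "size": 48213},
            },
        },
        {
            "eventVersion": "2.1",
            "eventSource": "aws:s3",
            "awsRegion": "us-east-1",
            "eventTime": "2024-01-15T10:22:41.000Z",
            "eventName": "ObjectRemoved:Delete",
            "userIdentity": {"principalId": "AWS:EXAMPLEPRINCIPAL2"},
            "requestParameters": {"sourceIPAddress": "198.51.100.7"},
            "s3": {
                "bucket": {"name": "example-finance-bucket"},
                "object": {"key": "reports/2023%2Fledger.csv"},
            },
        },
    ]
}


def summarize_record(record):
    """Extract the audit-relevant fields from one S3 event record."""
    s3 = record["s3"]
    return {
        "time": record.get("eventTime"),
        "event": record["eventName"],
        "bucket": s3["bucket"]["name"],
        # Object keys arrive URL-encoded ('+' for space, %2F for '/'),
        # so decode before comparing against paths or logging them.
        "key": unquote_plus(s3["object"]["key"]),
        "size": s3["object"].get("size"),
        "principal": record.get("userIdentity", {}).get("principalId", "unknown"),
        "source_ip": record.get("requestParameters", {}).get("sourceIPAddress", "unknown"),
    }


def is_deletion(summary):
    """ObjectRemoved:Delete and ObjectRemoved:DeleteMarkerCreated both start this way."""
    return summary["event"].startswith("ObjectRemoved:")


def handler(event, context=None):
    """Lambda entry point: log every record, return deletions as alerts."""
    summaries = [summarize_record(r) for r in event.get("Records", [])]
    alerts = [s for s in summaries if is_deletion(s)]
    for s in summaries:
        # One JSON line per record; in Lambda this lands in CloudWatch Logs.
        print(json.dumps(s))
    return {"processed": len(summaries), "alerts": alerts}


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Forwarding the returned alerts to an SNS topic or a ticketing system is left to the deployment; the point of the example is that the key must be decoded and that the principal and source address are available in the record without a second lookup.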

4. Analyze logs with Amazon Athena

Amazon Athena is an interactive query service that lets you analyze data stored in S3 using standard SQL, so you can query the access logs in the bucket where they are delivered. One of its key features is that it reads data directly from an S3 bucket; without it, you would need to download the log files and import them into analysis software.

Steps to analyze logs with Athena:

1. Set up a table for the logs:

  • Go to the Athena console.
  • Create a new database for your logs.
  • Define a table schema that matches the structure of your S3 access logs.
2. Query the logs:

Write SQL queries to extract specific information from the logs, such as identifying who accessed or modified files and when these actions occurred.

SELECT
  requestdatetime,
  remoteip,
  requester,
  requestid,
  operation,
  key,
  requesturi,
  httpstatus
FROM
  s3_access_logs
WHERE
  operation = 'REST.PUT.OBJECT'
  OR operation = 'REST.DELETE.OBJECT'
ORDER BY
  requestdatetime DESC;
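The server access log records from step 2 and the Athena query above both work on the same space-separated log format, where the timestamp is bracketed and the request URI and user agent are double-quoted. The parser below is an added example written for this page (not AWS or vendor code): it splits a log line into named fields, applies the same PUT/DELETE filter as the Athena query, and also picks out rejected or unsigned requests, which is what an auditor looks at first. The three log lines are constructed for the example; the field order follows the published S3 server access log layout, and the bucket owner and host IDs are placeholders.

```python
from datetime import datetime

# Field names in S3 server access log order (the first 18 are always present;
# the rest appear on newer log lines).
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time", "referrer",
    "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
]

# Constructed sample log: an authenticated PUT, an authenticated DELETE, and an
# anonymous GET that S3 rejected. IDs and addresses are placeholders.
SAMPLE_LOG = """\
OWNERIDEXAMPLE example-finance-bucket [15/Jan/2024:10:21:07 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/alice 3E57427F3EXAMPLE REST.PUT.OBJECT reports/Q4+summary.xlsx "PUT /reports/Q4+summary.xlsx HTTP/1.1" 200 - - 48213 12 9 "-" "aws-cli/2.15.0" - HOSTIDEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-finance-bucket.s3.us-east-1.amazonaws.com TLSv1.2
OWNERIDEXAMPLE example-finance-bucket [15/Jan/2024:10:22:41 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/bob 7D8A3F21EXAMPLE REST.DELETE.OBJECT reports/2023/ledger.csv "DELETE /reports/2023/ledger.csv HTTP/1.1" 204 - - - 8 7 "-" "Boto3/1.34.0" - HOSTIDEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-finance-bucket.s3.us-east-1.amazonaws.com TLSv1.2
OWNERIDEXAMPLE example-finance-bucket [15/Jan/2024:10:25:03 +0000] 203.0.113.42 - 9B2C11AAEXAMPLE REST.GET.OBJECT reports/Q4+summary.xlsx "GET /reports/Q4+summary.xlsx HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.4.0" - HOSTIDEXAMPLE - ECDHE-RSA-AES128-GCM-SHA256 - example-finance-bucket.s3.us-east-1.amazonaws.com TLSv1.3
"""


def tokenize(line):
    """Split a log line on spaces, keeping [bracketed] and "quoted" fields whole."""
    fields, buf, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == " ":
            if buf:
                fields.append("".join(buf))
                buf = []
            i += 1
        elif c == "[" and not buf:
            j = line.index("]", i)
            fields.append(line[i + 1:j])
            i = j + 1
        elif c == '"' and not buf:
            j = line.index('"', i + 1)
            fields.append(line[i + 1:j])
            i = j + 1
        else:
            buf.append(c)
            i += 1
    if buf:
        fields.append("".join(buf))
    return fields


def parse_line(line):
    """Turn one log line into a dict keyed by FIELDS, with a parsed timestamp."""
    tokens = tokenize(line)
    if len(tokens) < 18:
        raise ValueError(f"truncated access log line: {line[:60]!r}")
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def load_records(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def write_and_delete_events(records):
    """Same selection as the Athena query above: object PUTs and DELETEs, newest first."""
    wanted = {"REST.PUT.OBJECT", "REST.DELETE.OBJECT"}
    return sorted((r for r in records if r["operation"] in wanted),
                  key=lambda r: r["time"], reverse=True)


def denied_or_anonymous(records):
    """Requests S3 rejected, or that carried no credentials ('-' requester)."""
    return [r for r in records
            if r["requester"] == "-" or not r["http_status"].startswith("2")]


RECORDS = load_records(SAMPLE_LOG)

if __name__ == "__main__":
    for r in write_and_delete_events(RECORDS):
        print(r["time"].isoformat(), r["requester"], r["operation"], r["key"])
    for r in denied_or_anonymous(RECORDS):
        print("REVIEW:", r["remote_ip"], r["operation"], r["http_status"], r["error_code"])
```

The same two selections map directly onto Athena: the first is the query on this page, the second is `WHERE requester = '-' OR httpstatus NOT LIKE '2%'`. Keep in mind that server access logs are delivered on a best-effort basis and can lag by hours, so a pipeline built on them should not be the only alerting path.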

5. Implement IAM policies for enhanced security

IAM policies are a fundamental component of AWS security. These policies define permissions and are crucial for controlling access to AWS resources. Identity-based policies are linked to IAM entities like users, groups, and roles, specifying their access rights.

Implementing IAM policies ensures that only authorized users have access to your S3 buckets. Only grant the necessary permissions for users to perform their tasks. You can also use IAM policies to provide read-only access to auditors, adhering to the principle of least privilege.

Note:

AWS suggests using S3 bucket policies or IAM policies instead of access control lists (ACLs). Granting public-read access is discouraged, as it permits global access to the object.
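The read-only auditor access described in this section is easy to state and easy to get wrong when a policy is edited later. The following is an added example written for this page, not an AWS or vendor tool: it holds a least-privilege auditor policy beside a deliberately over-broad one and runs a small check that flags wildcard actions, non-read actions, `NotAction` grants and a `Resource` of `*` in any `Allow` statement. Both policies are constructed, the bucket names are placeholders, and the allowlist of read actions is an assumption chosen for this example rather than an official list.

```python
import json

# Constructed least-privilege policy: list one audit-log bucket and read its objects.
AUDITOR_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAuditBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": "arn:aws:s3:::example-audit-logs",
        },
        {
            "Sid": "ReadAuditObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::example-audit-logs/*",
        },
    ],
}

# Constructed counterexample: a wildcard grant on every bucket plus an ACL write.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObjectAcl"],
            "Resource": "arn:aws:s3:::example-finance-bucket/*",
        },
    ],
}

# Actions an auditor legitimately needs (assumed allowlist for this example).
READ_ONLY_ACTIONS = {
    "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
    "s3:ListBucketVersions", "s3:GetBucketLocation", "s3:GetBucketLogging",
    "s3:GetBucketVersioning", "s3:ListAllMyBuckets",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def find_findings(policy):
    """Return human-readable findings for every Allow statement that exceeds read-only."""
    findings = []
    for idx, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        label = st.get("Sid", f"statement[{idx}]")
        if "NotAction" in st:
            findings.append(f"{label}: NotAction allows everything not listed")
        for action in _as_list(st.get("Action", [])):
            if "*" in action:
                findings.append(f"{label}: wildcard action {action!r}")
            elif action not in READ_ONLY_ACTIONS:
                findings.append(f"{label}: non-read action {action!r}")
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append(f"{label}: resource '*' grants access to every bucket")
    return findings


def is_read_only(policy):
    return not find_findings(policy)


if __name__ == "__main__":
    for name, policy in (("auditor", AUDITOR_READONLY_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, "read-only" if is_read_only(policy) else "NOT read-only")
        for f in find_findings(policy):
            print("  -", f)
    print(json.dumps(AUDITOR_READONLY_POLICY, indent=2))
```

A check like this belongs in the pipeline that deploys IAM changes, so that an auditor role cannot quietly acquire write or ACL permissions. It reasons about identity-based policies only; bucket policies and ACLs, which the note above discusses, need their own review.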

So, what next?

Automate AWS S3 file access auditing with a cloud SIEM solution.

ManageEngine's Log360 Cloud is a cloud-based SIEM solution that provides comprehensive visibility and security management across on-premises and cloud environments in a single console. Enhance your security posture with real-time log analysis and threat detection.