Score:0

S3 Logs event Issue


Is there a way to see what actions the 'g2' IAM user is performing in S3, and which IP(s) they are running from? I have already enabled the logging of S3 actions.

One point I’m still not able to figure out is that when I’m trying to find logs in CloudTrail using an AWS access key or username, in both cases I’m getting the result "No matches". But throughout the day that user (g2) interacts with S3; based on the times it seems like it is a CRON running on some server. How do I identify it?

I did analyze the CloudTrail event history and used CloudWatch Logs Insights to find the access-logging IP address for 90 days, using both “username” and “AWS Access Key”, but it seems that it isn’t of much help for finding “g2” user data. The “g2” IAM user does have Administrator Access. The user does not have console management access. I suspect it is just doing an 'ls' to check for the existence of some files. I think the same actions will be occurring each day for it.

I know the date/time the user executes and the resource (S3) but that is all (no bucket, no IP, etc). Is there anything we can do with that information?

I already tested these queries but was not able to get the output:

    fields @timestamp, eventName, eventType, requestParameters.bucketName, requestParameters.key, resources.0.ARN
    | filter sourceIPAddress == "xx.xx.xx.xx" and userIdentity.sessionContext.sessionIssuer.userName == "g2" and eventSource == "s3.amazonaws.com"
    | sort @timestamp desc
    | limit 100

    fields @timestamp, @message
    | filter userIdentity.userName == "g2"
    | sort @timestamp desc
    | limit 20

    fields @timestamp, @message
    | filter sourceIPAddress == "192.168.1.1"
    | sort @timestamp desc
    | limit 20

Can an Athena query of the CloudTrail logs be helpful? Will the CloudTrail CLI tool be helpful for my scenario? Can anyone help me with this?

Tim:
One technique that can help is to push CloudTrail logs into CloudWatch Logs and use CloudWatch Logs Insights to search them. Finding individual log entries in CloudTrail logs can be tricky.
samtech 2021:
Hello Tim, I did analyze the CloudTrail event history and used CloudWatch Logs Insights to find the access-logging IP address for 90 days, using both “username” and “AWS Access Key”, but it seems that it isn’t of much help for finding “g2” user data. The “g2” IAM user does have Administrator Access. The user does not have console management access. I suspect it is just doing an 'ls' to check for the existence of some files. I think the same actions will be occurring each day for it.
Score:0
shearn89:

I set up a new Trail to test this. The process was this:

  1. Create a new CloudTrail trail, enabling delivery to CloudWatch as @Tim suggested, and also enable Data Events on S3. You may just want to enable Data Events on S3 and filter for the bucket in question, else you might generate a lot of logs!
  2. Copy some files into a test bucket (foo.txt)
  3. CloudWatch -> Log Groups -> My group -> "View in Log Insights"

Once logs start arriving I can easily do the following:

Find usage from my IP (if you know the IP, replace 192.168.1.1):

    fields @timestamp, @message
    | filter sourceIPAddress == "192.168.1.1"
    | sort @timestamp desc
    | limit 20

Find activity from the role that I assume:

    fields @timestamp, @message
    | filter userIdentity.sessionContext.sessionIssuer.userName == "Admin"
    | sort @timestamp desc
    | limit 20

I can then expand any of the rows with the arrow on the left to find more useful fields. Any field can be added to the fields list to make it display nicely, e.g. use IP, Role and Service to narrow down a search and show useful info:

    fields @timestamp, eventName, eventType, requestParameters.bucketName, requestParameters.key, resources.0.ARN
    | filter sourceIPAddress == "xx.xx.xx.xx" and userIdentity.sessionContext.sessionIssuer.userName == "Admin" and eventSource == "s3.amazonaws.com"
    | sort @timestamp desc
    | limit 100

Quick update: I logged into my backup storage account; to find an actual IAM user, the key is:

    filter userIdentity.userName == "iam-user-name"
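
To make the field difference this answer turns on concrete (userIdentity.userName for an IAM user with access keys versus userIdentity.sessionContext.sessionIssuer.userName for an assumed role, matched case-sensitively), here is an added Python example that is not part of the original answer: it applies the same filters as the Logs Insights queries above to a few constructed CloudTrail records. The record contents, IP addresses, bucket names and access key ID are all made up.

```python
import json

# Constructed sample records (not real data), abbreviated to the fields the
# Logs Insights queries in the answer use.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-10-01T02:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "g2",
                      "accessKeyId": "AKIACONSTRUCTEDEX01"},
     "requestParameters": {"bucketName": "backup-bucket"}},
    {"eventTime": "2021-10-01T02:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "Admin"}}},
     "requestParameters": {"bucketName": "test-bucket", "key": "foo.txt"}},
    {"eventTime": "2021-10-01T03:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "G2"}},
]})

def principal_name(identity):
    """Name the Insights filters key on: userIdentity.userName for an IAM user
    with access keys, sessionContext.sessionIssuer.userName for an assumed role."""
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("userName")
    return identity.get("userName")

def find_activity(log_json, user, event_source=None):
    """Exact (case-sensitive, like Insights) match on the principal name, optionally
    limited to one eventSource; returns the fields a responder needs per event."""
    hits = []
    for rec in json.loads(log_json)["Records"]:
        if principal_name(rec["userIdentity"]) != user:
            continue
        if event_source and rec.get("eventSource") != event_source:
            continue
        params = rec.get("requestParameters") or {}
        hits.append({"time": rec["eventTime"], "type": rec["userIdentity"].get("type"),
                     "event": rec["eventName"], "ip": rec.get("sourceIPAddress"),
                     "bucket": params.get("bucketName"), "key": params.get("key"),
                     "accessKeyId": rec["userIdentity"].get("accessKeyId")})
    return hits

if __name__ == "__main__":
    # Same question as the thread: what does g2 do in S3, and from where?
    for hit in find_activity(SAMPLE_LOG, "g2", "s3.amazonaws.com"):
        print(hit)
```

Searching for "G2" finds only the IAM record and searching the sessionIssuer name "g2" finds nothing, which is the kind of mismatch the comments below chase.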
samtech 2021:
Hello shearn89, I did try this but ended up with the result "No results found". https://ibb.co/2yhXyrJ
shearn89:
See my update - you might need to search on `userIdentity.userName`.
samtech 2021:
Still no result output with this code: `| filter userIdentity.userName == "g2" | sort @timestamp desc | limit 20`
shearn89:
Well, you'll have to try to narrow down the search to identify the fields to search for, then. If you know roughly when the activity occurred then you can start there. Or test it with another IAM user to confirm it works. Also check the username is the same as in IAM - is it just 'g2'?
samtech 2021:
Thanks shearn89, I know the date/time the user executes and the resource (S3) but that is all (no bucket, no IP, etc). Is there anything we can do with that information?
shearn89:
You'll have to start with a search over that time (e.g. 5 minutes for that period). Then filter down by service and dig into the logs. I can't give you a step-by-step for exploring your own data; you'll have to look at the events and start to filter through them.
samtech 2021:
Hello shearn89, I did that and I am able to find the desired result with the other IAM users, but not with that specific user "g2". I am still not able to figure out why.
shearn89:
Is G2 definitely an IAM user, accessing via access keys? Or is it running on an EC2 instance using an instance role? Or assuming a role on the command line?
samtech 2021:
Hello shearn89, yes, right: "g2" is an IAM user and has Administrator Access. The user does not have console management access.
shearn89:
The search is case sensitive. Have you been searching for `G2` when the user is `g2`? Otherwise I'm out of ideas. If you can find other users' activity then CloudTrail is working as intended.
samtech 2021:
shearn89, I'm searching with the exact same IAM username, but no result. Yes, the query is working fine for other users. Is there any possibility that this is a cron?
shearn89:
It doesn't matter; if it's a cron thing then it should still be logged in CloudTrail, unless it's not actually happening as the G2 user but as some other user.
shearn89:
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/134016/discussion-between-shearn89-and-samtech-2021).
samtech 2021:
Hello shearn89, based on the Athena queries I’m able to find the “g2” IAM user's activities, including IP addresses, but from the results it looks like it was last used in Oct 2021, whereas IAM logs it as accessed today. Can you advise why that is, or how to diagnose it?