
Create CloudWatch Alarm to notify about setting an S3 object to public

I want to create on CloudWatch a metric filter and an alarm based on it to notify me about S3 events, especially when a file or a bucket is set to public. This is the metric filter I used to create the metric:

{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutObjectAcl)) && (($.requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.type = Group ))}

I tested this pattern by putting in the following Custom log data:

{
    "Records": [
    {
        "eventVersion": "1.03",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "111122223333",
            "arn": "arn:aws:iam::111122223333:user/myUserName",
            "accountId": "111122223333",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "userName": "myUserName"
        },
        "eventTime": "2015-08-26T20:46:31Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucketPolicy",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "127.0.0.1",
        "userAgent": "[]",
        "requestParameters": {
            "bucketName": "myawsbucket"
        },
        "responseElements": null,
        "requestID": "47B8E8D397DCE7A6",
        "eventID": "cdc4b7ed-e171-4cef-975a-ad829d4123e8",
        "eventType": "AwsApiCall",
        "recipientAccountId": "111122223333"
    },
    {
       "eventVersion": "1.03",
       "userIdentity": {
            "type": "IAMUser",
            "principalId": "111122223333",
            "arn": "arn:aws:iam::111122223333:user/myUserName",
            "accountId": "111122223333",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "userName": "myUserName"
        },
      "eventTime": "2015-08-26T20:46:31Z",
      "eventSource": "s3.amazonaws.com",
      "eventName": "PutBucketAcl",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "",
      "userAgent": "[]",
      "requestParameters": {
          "bucketName": "",
          "AccessControlPolicy": {
              "AccessControlList": {
                  "Grant": {
                      "Grantee": {
                          "xsi:type": "Group",
                          "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
                          "ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example"
                       },
                      "Permission": "FULL_CONTROL"
                   }
              },
              "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
              "Owner": {
                  "ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example"
              }
          }
      },
      "responseElements": null,
      "requestID": "BD8798EACDD16751",
      "eventID": "607b9532-1423-41c7-b048-ec2641693c47",
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    },
    {
      "eventVersion": "1.03",
      "userIdentity": {
          "type": "IAMUser",
          "principalId": "111122223333",
          "arn": "arn:aws:iam::111122223333:user/myUserName",
          "accountId": "111122223333",
          "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
          "userName": "myUserName"
        },
      "eventTime": "2015-08-26T20:46:31Z",
      "eventSource": "s3.amazonaws.com",
      "eventName": "GetBucketVersioning",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "",
      "userAgent": "[]",
      "requestParameters": {
          "bucketName": "myawsbucket"
      },
      "responseElements": null,
      "requestID": "07D681279BD94AED",
      "eventID": "f2b287f3-0df1-4961-a2f4-c4bdfed47657",
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    }
  ]
}

I clicked Test Pattern and I get this message:

Results Found 0 matches out of 50 event(s) in the sample log.

Is the metric filter proper and correct? I'm supposed to have one result but it is not coming up.
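The filter logic from the question, replayed in plain Python over constructed CloudTrail-shaped events so you can see which events match and why the console test can report zero. This is an added example, not code from the original post. It rests on two facts about the pipeline: CloudTrail delivered to CloudWatch Logs arrives as one JSON event per log line (the `{"Records": [...]}` wrapper belongs to the S3-delivered log files, not to the log stream), and the metric-filter test box likewise treats each pasted line as one event, so a pretty-printed wrapper yields lines that are not valid JSON and can never match. It also shows that the grantee type key in the event is `xsi:type`, not `type`, and that matching any `Group` grantee is wider than "public": `LogDelivery` is a group too, so the example also checks the `AllUsers` / `AuthenticatedUsers` URIs. The sample events, bucket name and canonical ID are constructed for illustration.

```python
"""Evaluate the question's metric-filter logic locally over CloudTrail events.

Added example, not part of the original post. Sample events below are
constructed, not real captures.
"""
import json

ACL_EVENTS = {"PutBucketAcl", "PutObjectAcl"}
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """CloudTrail renders a single <Grant> as an object and several as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_of(event):
    """All Grant entries under requestParameters.AccessControlPolicy, if any."""
    params = event.get("requestParameters") or {}
    acp = params.get("AccessControlPolicy") or {}
    acl = acp.get("AccessControlList") or {}
    return _as_list(acl.get("Grant"))


def is_group_grant(grant):
    """What the question's filter intends: grantee type is Group.
    Note the real key is "xsi:type", not "type"."""
    return (grant.get("Grantee") or {}).get("xsi:type") == "Group"


def is_public_grant(grant):
    """Tighter test: the group is one of the two world-readable groups."""
    grantee = grant.get("Grantee") or {}
    return grantee.get("xsi:type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS


def matches(event, predicate=is_group_grant):
    """eventSource is S3, eventName is an ACL write, and some grant satisfies predicate."""
    return (
        event.get("eventSource") == "s3.amazonaws.com"
        and event.get("eventName") in ACL_EVENTS
        and any(predicate(g) for g in grants_of(event))
    )


def events_from_log_lines(lines):
    """CloudWatch Logs semantics: one event per line; lines that are not
    complete JSON objects are simply events that match nothing."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def count_matches(lines, predicate=is_group_grant):
    return sum(1 for e in events_from_log_lines(lines) if matches(e, predicate))


def build_event(name, grants, bucket="myawsbucket"):
    """Constructed CloudTrail-shaped S3 ACL event (assumed field layout)."""
    grant = grants if len(grants) > 1 else grants[0]
    return {
        "eventVersion": "1.03",
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "requestParameters": {
            "bucketName": bucket,
            "AccessControlPolicy": {"AccessControlList": {"Grant": grant}},
        },
    }


SAMPLE_EVENTS = [
    # Bucket made world-readable: should alarm.
    build_event("PutBucketAcl", [
        {"Grantee": {"xsi:type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]),
    # Owner plus LogDelivery group: a Group grant, but not public.
    build_event("PutObjectAcl", [
        {"Grantee": {"xsi:type": "CanonicalUser", "ID": "EXAMPLECANONICALUSERID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"xsi:type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ]),
    # Not an ACL write at all.
    {"eventVersion": "1.03", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucketPolicy",
     "requestParameters": {"bucketName": "myawsbucket"}},
]

# How CloudTrail reaches CloudWatch Logs: one compact JSON object per line.
ONE_PER_LINE = [json.dumps(e) for e in SAMPLE_EVENTS]
# What the question pasted: a pretty-printed Records wrapper, one row per line.
PRETTY_WRAPPER = json.dumps({"Records": SAMPLE_EVENTS}, indent=4).splitlines()

if __name__ == "__main__":
    print("Group grants, one event per line :", count_matches(ONE_PER_LINE))
    print("Public grants, one event per line:", count_matches(ONE_PER_LINE, is_public_grant))
    print("Pretty-printed Records wrapper   :", count_matches(PRETTY_WRAPPER))
```

When you re-test in the console, paste single-line events (one per line, no `Records` wrapper) and target the `xsi:type` key; whether the filter-pattern syntax can address a key containing a colon is something to confirm against the current CloudWatch Logs filter documentation rather than assume.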

Calculating whether a policy is providing open access is quite complex, due to the many ways that rules can be specified in the Bucket Policy (for example, wildcards can provide access).

An easier approach would be to use the Amazon S3 Bucket Permissions check in Trusted Advisor:

Checks buckets in Amazon Simple Storage Service (Amazon S3) that have open access permissions or allow access to any authenticated AWS user.

You can then Monitor Trusted Advisor Check Results with Amazon CloudWatch Events.

However, that particular check is not included in the Free Tier for Trusted Advisor. You would need to be on a Support Plan for that check to operate.

The Amazon S3 console was also recently updated -- it now clearly shows any buckets with public permissions.
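For the Trusted Advisor route described above, the piece the answer leaves out is the CloudWatch Events (now EventBridge) rule pattern that selects the S3 Bucket Permissions findings. The block below, an added example and not code from the original answer, holds that pattern alongside a small local matcher implementing the subset of EventBridge matching the pattern needs (every pattern key must be present in the event with a value from the listed alternatives, nested objects recursing), so the pattern can be checked offline against a constructed event. The `source`, `detail-type`, `check-name` and `status` values are the documented ones for Trusted Advisor notifications; the `resource_id` and `check-item-detail` keys in the constructed event are assumptions included only to make it look realistic and are not consulted by the pattern.

```python
"""EventBridge rule pattern for Trusted Advisor "Amazon S3 Bucket Permissions"
findings, with an offline matcher. Added example, not from the original answer.
"""
import json

S3_PERMISSIONS_RULE = {
    "source": ["aws.trustedadvisor"],
    "detail-type": ["Trusted Advisor Check Item Refresh Notification"],
    "detail": {
        "check-name": ["Amazon S3 Bucket Permissions"],
        # Omit "OK" so the rule fires only when the check reports a finding.
        "status": ["WARN", "ERROR"],
    },
}


def pattern_matches(pattern, event):
    """Subset of EventBridge pattern matching sufficient for this rule:
    each pattern key must exist in the event; a list of alternatives matches
    if the event value is one of them; a nested dict recurses."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not pattern_matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


def constructed_event(status, bucket="myawsbucket"):
    """Constructed Trusted Advisor notification (field layout partly assumed)."""
    return {
        "version": "0",
        "source": "aws.trustedadvisor",
        "detail-type": "Trusted Advisor Check Item Refresh Notification",
        "region": "us-east-1",
        "detail": {
            "check-name": "Amazon S3 Bucket Permissions",
            "status": status,
            "resource_id": f"arn:aws:s3:::{bucket}",          # assumed key
            "check-item-detail": {"Bucket Name": bucket,      # assumed keys
                                  "ACL Allows List": "Yes"},
        },
    }


def rule_pattern_json():
    """Serialised pattern, usable as the --event-pattern argument of
    `aws events put-rule`."""
    return json.dumps(S3_PERMISSIONS_RULE)


if __name__ == "__main__":
    for status in ("OK", "WARN", "ERROR"):
        fires = pattern_matches(S3_PERMISSIONS_RULE, constructed_event(status))
        print(f"status={status:<5} rule fires: {fires}")
    print(rule_pattern_json())
```

Attach an SNS topic as the rule's target to get the notification the question asks for. Because the check only refreshes periodically (and only on a paid Support Plan), this is a drift detector rather than a real-time alarm; the CloudTrail metric filter remains the faster signal when it is made to match.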

Notice: the technical posts on this site are published under the CC BY-SA 4.0 licence; if you repost, please credit this site or the original URL. Questions: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM