使用boto3查询AWS CloudTrail以确定哪个IAM用户将文件上传到S3？

Question

I'm trying to develop a way of breaking down S3 by which users/projects using CloudTrail. Does CloudTrail offer the ability to see which IAM user uploaded aa particular object to a bucket?

UPDATE :

I have a CloudTrail turned on that monitors object-level activities (for all s3 buckets, including read and write activities), however, when I try to list "PutObject" events in my update above, it doesn't work (ie the list of events comes up blank).

ct_client = boto3.client('cloudtrail')

response = ct_client.lookup_events(
    LookupAttributes=[
        {
            'AttributeKey': 'EventName',
            'AttributeValue': 'PutObject'
        }],
    StartTime=datetime(2018, 3, 1),
    EndTime=datetime.now(),
    MaxResults=50
)

UPDATE 2

Images of my bucket properties and CloudTrail in the console:

Answer 1

Yes, you can monitor IAM users uploading objects to S3 using CloudTrail. The amount of information that CloudTrail records is extensive.

This document link will give you an intro to CloudTrail S3 logging:

Logging Amazon S3 API Calls by Using AWS CloudTrail

This document link will give you detailed information on the events logged by CloudTrail:

CloudTrail Log Event Reference

Follow this document link to enable Object Level Logging for an S3 Bucket. This is necessary to see APIs such as PutObject:

How Do I Enable Object-Level Logging for an S3 Bucket with AWS CloudTrail Data Events?

CloudTrail has a Python API. However, you will want to directly process the CloudTrail logs stored in S3.

CloudTrail Python Boto3 SDK

I prefer to analyze CloudTrail logs using Athena which makes this process easy.

Querying AWS CloudTrail Logs

Answer 2

I don't believe the Data Events are visible in the same way as Management Events. That's certainly the case if you view the Event History in the AWS Console.

As suggested elsewhere, laying an Athena table over the s3 location where the data events are stored works well - something like this will then tell you who/what uploaded the object:

SELECT
    useridentity
,   json_extract_scalar(requestparameters,'$.bucketName')
,   json_extract_scalar(requestparameters,'$.key')
FROM cloudtrail_logs
WHERE eventname IN ('PutObject')
AND json_extract_scalar(requestparameters,'$.bucketName') = 'xxx'
AND json_extract_scalar(requestparameters,'$.key') = 'yyy';

Where cloudtrail_logs is created in line with the docs at: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

useridentity will not always be an IAM user - it may be an AWS Service, an external account, an assumed role as well - you can use the .type element to filter as required or simply pull all the elements.

Depending on the number of objects you have in S3 / the size of your cloudtrail_logs in S3 you may want to refine the s3 location of the cloudtrail_logs table by date - eg:

s3://<BUCKETNAME>/AWSLogs/<ACCOUNTNUMBER>/CloudTrail/<REGION>/2018/08/17

If you wanted you could execute the Athena query using boto3 saving the output to an S3 location and then pull that data from S3 also using boto3.