
How do you enable S3 Object Logging to CloudTrail using AWS CLI?

It's possible to do object logging on an S3 bucket to CloudTrail using the following guide, but this is through the console.

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html

I've been trying to figure out a way to do this via the CLI, since I want to do this for many buckets, but haven't had much luck. I've set up a new CloudTrail trail on my account and would like to map it to S3 buckets to do object logging. Is there a CLI for this?

# This is to grant s3 log bucket access (no link to cloudtrail here)
# Required parameters shown with placeholders; logging.json holds the LoggingEnabled target bucket/prefix
aws s3api put-bucket-logging --bucket <source-bucket> --bucket-logging-status file://logging.json

It looks like you'll need to use the CloudTrail put_event_selectors() command:

DataResources

CloudTrail supports data event logging for Amazon S3 objects and AWS Lambda functions.

(dict): The Amazon S3 buckets or AWS Lambda functions that you specify in your event selectors for your trail to log data events.

Do a search for object-level in the documentation page.

Disclaimer: The comment by puji in the accepted answer works. This is an expansion of that answer with the resources.

Here is the AWS documentation on how to do this through the AWS CLI:

https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html

The specific CLI command you are interested in is the following, from the above documentation. The original documentation lists two objects in the same bucket. I have modified it to cover all the objects in two buckets.

aws cloudtrail put-event-selectors --trail-name TrailName --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::mybucket1/","arn:aws:s3:::mybucket2/"]}]}]'

If you want all the S3 buckets in your AWS account covered, you can use arn:aws:s3::: instead of a list of bucket ARNs, like the following.

aws cloudtrail put-event-selectors --trail-name TrailName2 --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}]'
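As an added example (not code from the question or either answer), the following POSIX shell script generalizes the command above to an arbitrary list of buckets: it builds the event-selector JSON, applies it, and reads the result back with get-event-selectors. The trail name and bucket names are constructed placeholders.

```shell
#!/bin/sh
# Build a CloudTrail event-selector document for S3 object-level (data event)
# logging on a list of buckets, then apply it with put-event-selectors.
# Illustrative example; "TrailName", "mybucket1" and "mybucket2" are placeholders.

# Print the event-selectors JSON for the given bucket names.
# Each bucket ARN ends with "/" so that every object in the bucket matches,
# exactly as in the answer above.
build_event_selectors() {
  values=""
  for bucket in "$@"; do
    if [ -n "$values" ]; then
      values="$values,"
    fi
    values="${values}\"arn:aws:s3:::${bucket}/\""
  done
  printf '[{"ReadWriteType":"All","IncludeManagementEvents":true,"DataResources":[{"Type":"AWS::S3::Object","Values":[%s]}]}]' "$values"
}

# Apply the selectors to a trail. put-event-selectors REPLACES the trail's
# existing event selectors, so always pass the complete desired bucket list
# rather than one bucket at a time.
apply_object_logging() {
  trail="$1"; shift
  aws cloudtrail put-event-selectors \
    --trail-name "$trail" \
    --event-selectors "$(build_event_selectors "$@")"
}

# Read back what the trail now logs, to verify the change took effect.
show_event_selectors() {
  aws cloudtrail get-event-selectors --trail-name "$1"
}

# Only reach AWS when explicitly requested (APPLY=1), so the script can be
# dry-run without credentials to inspect the JSON it would send.
if [ "${APPLY:-0}" = "1" ]; then
  apply_object_logging "TrailName" "mybucket1" "mybucket2"
  show_event_selectors "TrailName"
else
  build_event_selectors "mybucket1" "mybucket2"
  echo
fi
```

Run it as `APPLY=1 sh enable-s3-data-events.sh` once the dry-run output looks right.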
