AccuKnox S3 Access Audit
AccuKnox S3 Access Audit lets you audit access to the objects stored in an AWS S3 bucket. With it, users can see which operation was performed on an S3 object, the status of that operation, who performed it, and when it was performed.
- We assume that the following 5 AWS S3 buckets have been created:

| Sr.No. | Data Bucket Name | Logs Bucket Name |
|---|---|---|

Data buckets are the buckets where the actual data is stored. Logs buckets are the buckets into which Amazon S3 server access logging writes the access logs. Upload some files to each of the data buckets.
- Create data buckets: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html
- Configure log buckets: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
We also assume that the S3 buckets are not public and are not reachable from outside the private network of the s3-data-protection POC environment.
Upload multiple test files to each of the data buckets:

```bash
unzip s3-data-protection-poc.zip
cd s3-data-protection-poc/setup
```

Update `<access_key>`, `<secret_key>` and `<region>` in upload_files.sh, then run upload_files.sh for each bucket:

| S. No | Bucket Name | Command |
|---|---|---|
To set up AccuKnox S3 Access Audit, perform the following steps:
- Visit the AccuKnox Platform.
- Log in with your email and password.
- Select an existing workspace or create a new one.
- On the left navigation pane, select Data Protection.
- Next, select Data Sources.
- Click the Configure Data Source button at the top right corner.
- Choose No for "Is the s3 bucket mounted inside a container workload?"
- Choose No for "Is your S3 access log buckets accessible from outside your private network?"
- In our scenario the S3 bucket objects are not accessible from outside the private network, so click Done.
- Follow the steps here to install the AccuKnox S3 Audit Reporter Agent.
- Once the agent has been configured and is running, it will start syncing the objects in the data buckets with the AccuKnox Platform.
- Now, on the left navigation pane, under Data Protection, click on Sensitive Source Labels
- Enter a value for Label.
- Under S3 BUCKET on the left, select the bucket you want to configure sensitive sources from and select the objects that are sensitive on the right.
- Click on Next.
- We can skip the Configure Flagged Destination step.
- Review the selection and click on Create
So far we have configured sensitive sources, the objects we consider sensitive. Now use the AWS CLI to access the files in the data buckets as described in POC Scenarios. Then, in the AccuKnox Platform, select S3 Access Logs on the left navigation pane. The S3 access information for those requests should now be visible, with the following fields for each request:
| Field | Description |
|---|---|
| BUCKET NAME | The name of the bucket that the request was processed against. |
| TIMESTAMP | The time at which the request was received. |
| REQUESTER | The canonical user ID of the requester, or "-" for unauthenticated requests. |
| KEY | The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter. In simple words, the object path. |
| OPERATION | The operation that was performed in the request. |
| HTTP STATUS | The numeric HTTP status code of the response. |
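The fields above are the ones S3 server access logging writes into the logs bucket for every request. As an added example, not code from this page, from AccuKnox or from AWS, the script below tokenizes lines in the documented S3 server access log format, keeps the audit fields listed in the table, and then matches each request against a label map of the kind configured in the Sensitive Source Labels step. The bucket names, object keys, requester IDs, log lines and the SENSITIVE map are all constructed sample data; only the line layout follows the real log format.

```python
"""Parse Amazon S3 server access log lines and flag requests against objects
that have been labelled sensitive. Added example; not AccuKnox's or AWS's code.
The line layout follows the documented S3 server access log format; bucket
names, keys, requester IDs and the SENSITIVE map are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import unquote

# A field is a bracketed timestamp, a double-quoted string, or a run of non-spaces.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# The first ten fields of the server access log format, in documented order.
_FIELDS = ("bucket_owner", "bucket", "timestamp", "remote_ip", "requester",
           "request_id", "operation", "key", "request_uri", "http_status")


@dataclass
class AccessRecord:
    bucket: str
    timestamp: str            # e.g. "10/Mar/2024:12:00:01 +0000"
    requester: Optional[str]  # canonical user ID; None when the log shows "-"
    key: Optional[str]        # URL-decoded object path; None when the op takes no key
    operation: str            # e.g. REST.GET.OBJECT
    http_status: int
    remote_ip: str


def parse_line(line: str) -> AccessRecord:
    """Tokenize one log line and keep the fields the audit view reports on."""
    tokens = _TOKEN.findall(line.strip())
    if len(tokens) < len(_FIELDS):
        raise ValueError(f"malformed line: {len(tokens)} fields, need {len(_FIELDS)}")
    f = dict(zip(_FIELDS, tokens))
    return AccessRecord(
        bucket=f["bucket"],
        timestamp=f["timestamp"].strip("[]"),
        requester=None if f["requester"] == "-" else f["requester"],
        key=None if f["key"] == "-" else unquote(f["key"]),
        operation=f["operation"],
        http_status=int(f["http_status"]),
        remote_ip=f["remote_ip"],
    )


def parse_log(lines: Iterable[str]) -> List[AccessRecord]:
    return [parse_line(line) for line in lines if line.strip()]


def flag_sensitive(records: Iterable[AccessRecord],
                   sensitive: Dict[str, Set[str]]) -> List[AccessRecord]:
    """Return records whose (bucket, key) is in the sensitive-source map.
    Denied attempts (4xx) are kept on purpose: a 403 against a labelled object
    is exactly the kind of event an auditor wants to see."""
    return [r for r in records
            if r.key is not None and r.key in sensitive.get(r.bucket, set())]


def as_row(r: AccessRecord) -> Dict[str, object]:
    """Shape a record like the S3 Access Logs table, with '-' for missing values."""
    return {"BUCKET NAME": r.bucket, "TIMESTAMP": r.timestamp,
            "REQUESTER": r.requester or "-", "KEY": r.key or "-",
            "OPERATION": r.operation, "HTTP STATUS": r.http_status}


# Constructed sample log: an authenticated read of a labelled object, a read of a
# non-sensitive object, an anonymous denied read of a labelled object, and a
# bucket listing (an operation that takes no key).
SAMPLE_LOG = """\
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef data-bucket-1 [10/Mar/2024:12:00:01 +0000] 10.0.1.5 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 3E57427F3EXAMPLE REST.GET.OBJECT finance/payroll%202024.csv "GET /finance/payroll%202024.csv HTTP/1.1" 200 - 2048 2048 12 11 "-" "aws-cli/2.15.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader data-bucket-1.s3.us-east-1.amazonaws.com TLSV1.2
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef data-bucket-1 [10/Mar/2024:12:00:02 +0000] 10.0.1.5 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 7C1B2A9E4EXAMPLE REST.GET.OBJECT public/readme.txt "GET /public/readme.txt HTTP/1.1" 200 - 128 128 5 4 "-" "aws-cli/2.15.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader data-bucket-1.s3.us-east-1.amazonaws.com TLSV1.2
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef data-bucket-2 [10/Mar/2024:12:05:00 +0000] 198.51.100.7 - A1B2C3D4E5EXAMPLE REST.GET.OBJECT hr/employees.json "GET /hr/employees.json HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "curl/8.4.0" - - - ECDHE-RSA-AES128-GCM-SHA256 - data-bucket-2.s3.us-east-1.amazonaws.com TLSV1.2
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef data-bucket-2 [10/Mar/2024:12:06:00 +0000] 10.0.1.9 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef B9F8E7D6C5EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 1024 - 8 7 "-" "aws-cli/2.15.0" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader data-bucket-2.s3.us-east-1.amazonaws.com TLSV1.2
"""

# Constructed label map, mirroring what the Sensitive Source Labels step selects.
SENSITIVE: Dict[str, Set[str]] = {
    "data-bucket-1": {"finance/payroll 2024.csv"},
    "data-bucket-2": {"hr/employees.json"},
}

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG.splitlines())
    for row in map(as_row, flag_sensitive(records, SENSITIVE)):
        print(row)
```

The label map is keyed on the decoded object path, so a key such as `finance/payroll%202024.csv` in the log matches the label `finance/payroll 2024.csv` chosen in the UI; the REQUESTER column shows "-" for the anonymous request, and the bucket listing is never flagged because its KEY is "-".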