AWS S3 File Integrity Monitoring
Know when Critical Files have been ACCESSED or MODIFIED
Jan 9, 2017 (2 min read)
Architecture
- CloudTrail can now record S3 object-level API calls (data events), so the design relies on that rather than on bucket access logs
- A CloudWatch Events rule matches the relevant eventNames in the CloudTrail API-call events and invokes a Lambda function to do the rest of the job
- The Lambda function parses the event it receives from CloudWatch Events and logs which object was accessed or modified, by which user, and from which source IP
Scenario
You have an S3 bucket (fimfilesjan7) that holds PCI or HIPAA data. You want to monitor and log who accesses those objects and be alerted when they are accessed by a user who should not be touching them.
Events Generated
The following events are generated in CloudTrail when a file is accessed or modified:
- Event Name GetObject is generated in CloudTrail when a file is read
- Event Name PutObject is generated in CloudTrail when a new file is put into the bucket or an existing file is overwritten; a removal generates DeleteObject (DeleteObjects for a batch delete), so the rule must include those names too if deletes should be caught
Steps
- Create an S3 bucket: fimfilejan7
- Create a trail; in its data event selector add the bucket and select both Read and Write events (without this, GetObject and PutObject never reach CloudTrail or CloudWatch Events)
- Clone the s3fim code: git clone https://github.com/vevasa/s3fim
- Zip the files from inside the cloned directory: zip -r s3fim.zip .
- Create a Lambda function and upload s3fim.zip as its code
- Create a CloudWatch Events rule for "AWS API Call via CloudTrail" matching eventSource s3.amazonaws.com and the eventNames GetObject and PutObject (add DeleteObject if removals matter), and set the Lambda function you just uploaded as its target
- Copy a file into the bucket
- Check the Lambda function's log stream in CloudWatch Logs: it should now show the bucket name
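Putting the architecture and the steps together: the block below is an added example, not the code in the s3fim repository, of what the Lambda target of that rule does. It carries the CloudWatch Events pattern the rule would use, a handler that pulls bucket, key, principal and source IP out of the CloudTrail record it receives, and an allow-list check that turns the scenario's "wrong user" into a WARNING-level log line. The bucket name comes from the scenario; the allow-listed role ARN, the account ID, the sample event and the inclusion of DeleteObject in the pattern are assumptions made for the example. `matches_pattern` is a small stand-in for the rule's own filtering so the sample can be checked offline.

```python
"""Added example: Lambda handler for S3 object-level CloudTrail events
delivered by a CloudWatch Events rule. Not the s3fim repository's code."""
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Event pattern for the CloudWatch Events rule. Matching on the nested
# requestParameters.bucketName keeps the rule to the one sensitive bucket.
# DeleteObject is included (assumption) so removals are caught as well.
EVENT_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["GetObject", "PutObject", "DeleteObject"],
        "requestParameters": {"bucketName": ["fimfilesjan7"]},
    },
}

# Principals expected to touch the bucket (assumed for the example).
ALLOWED_PRINCIPALS = {"arn:aws:iam::123456789012:role/pci-batch-role"}


def matches_pattern(event, pattern):
    """Minimal model of CloudWatch Events exact-value matching: every key
    in the pattern must exist in the event, a list means 'one of these
    values', and a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def principal_of(user_identity):
    """Identify who made the call. For assumed-role sessions the role ARN
    lives under sessionContext.sessionIssuer; IAM users carry a plain arn."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn") or user_identity.get("type", "unknown")


def summarize(event):
    """Reduce a CloudTrail record (the 'detail' of the CloudWatch event) to
    the fields the monitoring needs: what, where, who, from where."""
    detail = event["detail"]
    params = detail.get("requestParameters") or {}
    principal = principal_of(detail.get("userIdentity", {}))
    return {
        "time": detail.get("eventTime"),
        "action": detail.get("eventName"),
        "bucket": params.get("bucketName"),
        "key": params.get("key"),
        "principal": principal,
        "source_ip": detail.get("sourceIPAddress"),
        "user_agent": detail.get("userAgent"),
        "error": detail.get("errorCode"),  # denied attempts are logged too
        "allowed": principal in ALLOWED_PRINCIPALS,
    }


def lambda_handler(event, context):
    """Entry point wired to the CloudWatch Events rule. Logs one JSON line
    per object access; unexpected principals are logged at WARNING so a
    metric filter on the log group can raise an alarm."""
    summary = summarize(event)
    level = logging.INFO if summary["allowed"] else logging.WARNING
    logger.log(level, "%s", json.dumps(summary))
    return summary


# Constructed sample event, shaped like a CloudWatch Events delivery of an
# S3 data event. Account ID, user and key are made up for the example.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.s3",
    "detail": {
        "eventVersion": "1.05",
        "eventTime": "2017-01-09T10:15:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.7",
        "userAgent": "[aws-cli/1.11.0]",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {"bucketName": "fimfilesjan7", "key": "cardholder/batch-0109.csv"},
        "readOnly": True,
    },
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    assert matches_pattern(SAMPLE_EVENT, EVENT_PATTERN)
    lambda_handler(SAMPLE_EVENT, None)
```

Two practical points the pattern makes visible: the rule only fires for a bucket that actually has data events enabled on the trail, and a GetObject that was denied still arrives (with errorCode set), which is often the more interesting record for the scenario above.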