WKLD.07 Log data events for S3 buckets with sensitive data

By default, AWS CloudTrail captures management events, which are events that create, modify, or delete resources in your account. This does not include read or write operations on individual objects in Amazon S3 buckets. To support investigation during a security event, for detection and auditing purposes, log data events for Amazon S3 buckets that store sensitive or business-critical data.

To log data events for trails

Open the CloudTrail console.
In the navigation pane, choose Trails, and then choose a trail name.
In General details, choose Edit to change the following settings (you cannot change the name of a trail).
1. In Data events, choose Edit.
2. For Data event source, choose S3.
3. For All current and future S3 buckets, clear Read and Write to deselect the default selection.
4. In Individual bucket selection, choose the bucket on which to log data events. To add more buckets, choose Add bucket.
5. Choose to log Read events (such as GetObject), Write events (such as PutObject), or both.
6. Choose Update trail.

Note

Additional charges apply for logging CloudTrail data events. For more information, see AWS CloudTrail pricing.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

WKLD.06 Use Systems Manager instead of SSH or RDP

WKLD.08 Encrypt Amazon EBS volumes