Notes on what gets recorded in the source AWS account's CloudTrail during a cross-account S3 bucket-to-bucket copy. I copied an object with the AWS CLI (aws s3 cp) from an EC2 instance in the destination account (987654321098), then downloaded the source account's (123456789123) CloudTrail logs and examined them with jq*1.
Configuration
Results
- In the bucket policy on the source bucket, grant access to account ID 987654321098.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Sample",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::987654321098:root" },
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::test-cp-src",
            "arn:aws:s3:::test-cp-src/*"
          ]
        }
      ]
    }
- Run the cross-account S3 bucket-to-bucket copy from an EC2 instance in account ID 987654321098.

    $ date;aws s3 cp s3://test-cp-src/1tb.dat s3://test-cp-dst/;date
    Sat Oct 5 16:39:19 UTC 2019
    Completed 764.1 GiB/1000.0 GiB (473.0 MiB/s) with 1 file(s) remaining
- After a while, download the CloudTrail logs of account ID 123456789123 to an EC2 instance and examine them with jq.

    $ aws s3 cp --recursive s3://cloudtrail-awslogs-123456789123/AWSLogs/123456789123/CloudTrail/ap-northeast-1/2019/10/05/ ./
    $ find . -print0|xargs -0 gunzip
- Use jq to filter the S3 events issued from account ID 987654321098 (the copying account).

    $ find . -name '*.json'|xargs -I{} -n1 cat {}|jq -r '.Records[]|select(.eventSource=="s3.amazonaws.com" and .userIdentity.accountId=="987654321098")'
    (omitted)
    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "AWSAccount",
        "principalId": "...",
        "accountId": "987654321098"
      },
      "eventTime": "2019-10-05T16:39:20Z",
      "eventSource": "s3.amazonaws.com",
      "eventName": "HeadObject",
      "awsRegion": "ap-northeast-1",
      "sourceIPAddress": "172.31.**.**",
      "userAgent": "[aws-cli/1.16.86 Python/2.7.14 Linux/4.14.77-81.59.amzn2.x86_64 botocore/1.12.76]",
      "requestParameters": {
        "bucketName": "test-cp-src",
        "Host": "test-cp-src.s3.ap-northeast-1.amazonaws.com",
        "key": "1tb.dat"
      },
      "responseElements": null,
      "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "...",
        "bytesTransferredOut": 0
      },
      "requestID": "F705D7B2ADC4F70C",
      "eventID": "62fd88ce-5a22-44bf-9d18-31b94afe072b",
      "readOnly": true,
      "resources": [
        {
          "type": "AWS::S3::Object",
          "ARN": "arn:aws:s3:::test-cp-src/1tb.dat"
        },
        {
          "accountId": "123456789123",
          "type": "AWS::S3::Bucket",
          "ARN": "arn:aws:s3:::test-cp-src"
        }
      ],
      "eventType": "AwsApiCall",
      "recipientAccountId": "123456789123",
      "sharedEventID": "aeb733a0-4f11-4689-93d7-5027473e4ce0",
      "vpcEndpointId": "vpce-..."
    }
- Use jq to list the events with event source S3 during the time window of the copy.

    $ find . -name '*.json'|xargs -I{} -n1 cat {}|jq -r '.Records[]|select(.eventSource=="s3.amazonaws.com" and .awsRegion=="ap-northeast-1" and .eventTime > "2019-10-05T16:00")|@text "\(.eventTime)\t\(.eventName)\t\(.requestParameters.bucketName)\t\(.requestParameters.key)\t\(.sourceIPAddress)\t\(.sharedEventID)\t\(.requestID)"'|sort -k1
    2019-10-05T16:39:20Z    HeadObject    test-cp-src    1tb.dat    172.31.**.**    aeb733a0-....-....-....-........4ce0    F7..............
    2019-10-05T16:57:05Z    HeadBucket    test-cp-src    null       **.0.3.***      null                                    36..............
    2019-10-05T16:57:05Z    HeadBucket    test-cp-src    null       **.0.3.***      null                                    83..............
    2019-10-05T16:57:05Z    HeadBucket    test-cp-src    null       **.0.3.***      null                                    D4..............
    2019-10-05T16:57:05Z    HeadBucket    test-cp-src    null       **.0.3.***      null                                    E9..............
    2019-10-05T16:57:05Z    HeadBucket    test-cp-src    null       **.0.3.***      null                                    F5..............
    2019-10-05T16:57:06Z    ListObjects   test-cp-src    null       **.0.3.***      null                                    E0..............