我想在CloudWatch上创建一个指标过滤器和一个基于它的警报来通知我有关S3事件的信息,特别是当文件或存储桶设置为公共时。这是我用于创建指标的指标过滤器:
{($ .eventSource = s3.amazonaws.com)&& (($ .eventName = PutBucketAcl) || ($ .eventName = PutObjectAcl))&& (($ .requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.type = Group))}
我通过添加以下pattern来测试此Custom log data:
{
"Records": [
{
"eventVersion": "1.03",
"userIdentity": {
"type": "IAMUser",
"principalId": "111122223333",
"arn": "arn:aws:iam::111122223333:user/myUserName",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "myUserName"
},
"eventTime": "2015-08-26T20:46:31Z",
"eventSource": "s3.amazonaws.com",
"eventName": "DeleteBucketPolicy",
"awsRegion": "us-west-2",
"sourceIPAddress": "127.0.0.1",
"userAgent": "[]",
"requestParameters": {
"bucketName": "myawsbucket"
},
"responseElements": null,
"requestID": "47B8E8D397DCE7A6",
"eventID": "cdc4b7ed-e171-4cef-975a-ad829d4123e8",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.03",
"userIdentity": {
"type": "IAMUser",
"principalId": "111122223333",
"arn": "arn:aws:iam::111122223333:user/myUserName",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "myUserName"
},
"eventTime": "2015-08-26T20:46:31Z",
"eventSource": "s3.amazonaws.com",
"eventName": "PutBucketAcl",
"awsRegion": "us-west-2",
"sourceIPAddress": "",
"userAgent": "[]",
"requestParameters": {
"bucketName": "",
"AccessControlPolicy": {
"AccessControlList": {
"Grant": {
"Grantee": {
"xsi:type": "Group",
"xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
"ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example"
},
"Permission": "FULL_CONTROL"
}
},
"xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
"Owner": {
"ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example"
}
}
},
"responseElements": null,
"requestID": "BD8798EACDD16751",
"eventID": "607b9532-1423-41c7-b048-ec2641693c47",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.03",
"userIdentity": {
"type": "IAMUser",
"principalId": "111122223333",
"arn": "arn:aws:iam::111122223333:user/myUserName",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "myUserName"
},
"eventTime": "2015-08-26T20:46:31Z",
"eventSource": "s3.amazonaws.com",
"eventName": "GetBucketVersioning",
"awsRegion": "us-west-2",
"sourceIPAddress": "",
"userAgent": "[]",
"requestParameters": {
"bucketName": "myawsbucket"
},
"responseElements": null,
"requestID": "07D681279BD94AED",
"eventID": "f2b287f3-0df1-4961-a2f4-c4bdfed47657",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
}
]
}
我点击了测试图案,我收到了这条消息:
结果在示例日志中的50个事件中找到0个匹配项。
metric filter是否正确且正确?我应该有一个结果,但它不会出现。
答案 0 :(得分:0)
计算策略是否提供开放访问非常复杂,因为可以在Bucket Policy中指定规则的多种方式(例如,通配符可以提供访问权限)。
更简单的方法是在Trusted Advisor中使用 Amazon S3 Bucket Permissions 检查:
检查Amazon Simple Storage Service(Amazon S3)中具有开放访问权限或允许访问任何经过身份验证的AWS用户的存储桶。
然后您可以Monitor Trusted Advisor Check Results with Amazon CloudWatch Events。
但是,特定检查不包含在Trusted Advisor免费套餐中。您需要在支持计划上才能运行该支票。
最近还更新了Amazon S3控制台 - 它现在清楚地显示了具有公共权限的任何存储桶。