
Improving S3 Visibility During Incident Response with CloudTrail
Introduction
A solid AWS incident response plan usually starts with CloudTrail, which logs activity across the AWS environment. It's an essential tool for investigating compromised accounts. However, CloudTrail alone may not provide the full picture.
In a recent incident response case, we were asked to investigate what a threat actor (TA) did inside a breached AWS account. The account’s logging wasn’t fully configured—specifically, we suspected S3 data exfiltration but couldn’t verify it due to a lack of visibility. We couldn't distinguish between normal access key activity and malicious behavior.
This post dives into how to get better visibility using CloudTrail data events and S3 Server Access Logging.
CloudTrail Data Events
CloudTrail data events record high-volume, object-level API calls such as s3:GetObject. They aren’t enabled by default—you must explicitly configure CloudTrail to log them.
When enabled, they provide detailed insight:
- User and access key used
- User agent
- Specific S3 actions taken
- Timestamp and request metadata
This can help identify if a compromised key was used for malicious purposes.
Server Access Logging
S3 Server Access Logs provide additional insight into S3 activity. They include:
- IP address of requester
- Timestamp
- Operation type
- User agent
- User identity
However, they have limitations:
- Not guaranteed to log every request
- No access key info, making attribution harder
- Can log duplicate entries
These logs can be ingested and queried with Amazon Athena for quick investigation.
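As an added example (not code from the original post), here is a small Python parser for S3 server access log lines that tallies GetObject requests per requester and source IP. It drops repeated records by request ID, which matters because of the duplicate-entry limitation noted above. The field order follows the documented log format; the sample records are constructed.

```python
import re
from collections import defaultdict

# Leading fields of the S3 server access log format, in order; trailing fields (version id,
# host id, signature version, cipher suite, auth type, host header, TLS version) are ignored.
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turnaround_time", "referer", "user_agent"]
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')  # [time] and "quoted" values stay single tokens

def parse_line(line):
    """Map one access log line onto the named fields above."""
    return dict(zip(FIELDS, (t.strip('[]"') for t in TOKEN.findall(line))))

def summarize_downloads(lines):
    """Aggregate REST.GET.OBJECT requests per (requester, remote IP), de-duplicated by
    request ID because server access logs can repeat a record."""
    seen = set()
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "keys": set(), "user_agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec.get("operation") != "REST.GET.OBJECT" or rec.get("request_id") in seen:
            continue
        seen.add(rec["request_id"])
        entry = stats[(rec["requester"], rec["remote_ip"])]
        entry["requests"] += 1
        entry["bytes"] += 0 if rec["bytes_sent"] == "-" else int(rec["bytes_sent"])
        entry["keys"].add(rec["key"])
        entry["user_agents"].add(rec["user_agent"])
    return dict(stats)

# Constructed sample records (not real log data): a console download, the same principal pulling
# large objects through the CLI from a different IP, one duplicated record, and a non-GetObject op.
SAMPLE_LOG = [
    'acct-owner customer-records [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice REQ0001 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 9 "-" "S3Console/0.4" - host1 SigV4 - AuthHeader customer-records.s3.amazonaws.com TLSV1.2 - -',
    'acct-owner customer-records [06/Feb/2019:00:05:10 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice REQ0002 REST.GET.OBJECT exports/all.zip "GET /exports/all.zip HTTP/1.1" 200 - 52428800 52428800 900 120 "-" "aws-cli/2.15.0" - host2 SigV4 - AuthHeader customer-records.s3.amazonaws.com TLSV1.2 - -',
    'acct-owner customer-records [06/Feb/2019:00:05:10 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice REQ0002 REST.GET.OBJECT exports/all.zip "GET /exports/all.zip HTTP/1.1" 200 - 52428800 52428800 900 120 "-" "aws-cli/2.15.0" - host2 SigV4 - AuthHeader customer-records.s3.amazonaws.com TLSV1.2 - -',
    'acct-owner customer-records [06/Feb/2019:00:06:02 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice REQ0003 REST.GET.OBJECT exports/pii.csv "GET /exports/pii.csv HTTP/1.1" 200 - 10485760 10485760 300 40 "-" "aws-cli/2.15.0" - host3 SigV4 - AuthHeader customer-records.s3.amazonaws.com TLSV1.2 - -',
    'acct-owner customer-records [06/Feb/2019:00:07:00 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice REQ0004 REST.GET.VERSIONING - "GET /?versioning HTTP/1.1" 200 - 113 - 7 - "-" "S3Console/0.4" - host4 SigV4 - AuthHeader customer-records.s3.amazonaws.com TLSV1.2 - -',
]

if __name__ == "__main__":
    for (requester, ip), s in summarize_downloads(SAMPLE_LOG).items():
        print(f"{requester} from {ip}: {s['requests']} GetObject, {s['bytes']} bytes, agents={sorted(s['user_agents'])}")
```

Because the requester field carries only the IAM ARN or canonical user ID, a change in source IP and user agent under the same principal is the signal this log can give you; pairing it with CloudTrail data events is what recovers the access key ID.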
Best Practices for S3 Incident Response Logging
To improve forensic readiness and visibility, consider this checklist:
- Enable Server Access Logging on all S3 buckets (except the bucket that stores the logs).
- Assess overall S3 usage:
  - If usage is light, enable CloudTrail data events and server access logs across all buckets.
- Prioritize sensitive buckets (e.g., customer records):
  - For these, enable both CloudTrail data events and Server Access Logging.
  - This provides detailed access and modification logs without overwhelming your log infrastructure.
Balancing cost and visibility is key—log strategically.
For deeper technical guidance, see ramimac.me/s3-logging
Need Help?
If your organization needs to boost its incident response preparedness or improve AWS logging, reach out to Cloud Security Partners. We help teams across industries improve their security posture and response capabilities.
John Poulin is CTO at Cloud Security Partners and has over a decade of experience in software development and application security. He’s worked with Fortune 500 companies and startups on secure code reviews, architecture design, and threat modeling.