I have enabled CloudTrail using the AWS Management Console, and the Amazon S3 bucket policies are the default ones that are created automatically when enabling CloudTrail.
I can find logs about my log-in along with all other event logs, but there is no information about log-off. Is there something I need to do for it, or is it simply not there? Doesn't log-off classify as an event?
Edit 1
I am new to CloudTrail, and trying to understand what is possible and what is not. I have an IAM user which has only read-write access to one bucket and can list all buckets. When using it I invoked aws ec2 describe-instances.
I can see in the log that errorCode: "Client.UnauthorizedOperation", but when I do an aws s3 cp or aws s3 ls and it's a success, it is not logged. Here is the default bucket policy created.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20131101",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::903692715234:root",
                    "arn:aws:iam::859597730677:root",
                    "arn:aws:iam::814480443879:root",
                    "arn:aws:iam::216624486486:root",
                    "arn:aws:iam::086441151436:root",
                    "arn:aws:iam::388731089494:root",
                    "arn:aws:iam::284668455005:root",
                    "arn:aws:iam::113285607260:root"
                ]
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::MY_BUCKET"
        },
        {
            "Sid": "AWSCloudTrailWrite20131101",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::903692715234:root",
                    "arn:aws:iam::859597730677:root",
                    "arn:aws:iam::814480443879:root",
                    "arn:aws:iam::216624486486:root",
                    "arn:aws:iam::086441151436:root",
                    "arn:aws:iam::388731089494:root",
                    "arn:aws:iam::284668455005:root",
                    "arn:aws:iam::113285607260:root"
                ]
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::MY_BUCKET/MY_PREFIX/AWSLogs/MY_ACCOUNT_ID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
And where and why did so many Principal entries come from? They aren't my accounts; they were created by AWS when I enabled CloudTrail. Are these AWS accounts that deliver logs to my bucket, and should they be there?
Edit 2
From typepad's post, logging for S3 is not yet there. And the log-in that I see is actually because of the AWS Security Token Service (STS) GetSessionToken call. In case of a log-out from the console it seems there is no call to STS, hence no resulting log.
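The questions in this post can be checked directly against the files CloudTrail delivers to the bucket: which event names appear at all, which calls were denied (the errorCode field), and where a sign-in shows up. The following Python script is an added example, not code from the original post or from AWS. The CloudTrail records it contains are constructed samples shaped like real CloudTrail output; the account id, ARNs, user names and IP address are placeholders, and the event name "ConsoleLogout" it searches for is a hypothetical name used only to show how the absence of an event is detected.

```python
"""Added example: parse a delivered CloudTrail log file (gzip-compressed
JSON with a top-level "Records" list) and summarise what it does and does
not contain. All records below are constructed sample data."""
import gzip
import json
from collections import Counter


def _record(user, source, name, region="us-east-1", **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "IAMUser",
            "userName": user,
            "accountId": "111111111111",  # placeholder account id
            "arn": f"arn:aws:iam::111111111111:user/{user}",
        },
        "eventTime": "2024-01-01T09:00:00Z",
        "eventSource": source,
        "eventName": name,
        "awsRegion": region,
        "sourceIPAddress": "192.0.2.10",  # RFC 5737 documentation address
    }
    rec.update(extra)
    return rec


# Constructed sample of one delivered log file.
SAMPLE_LOG = {
    "Records": [
        # Console sign-in: the "log-in" entry the post refers to.
        _record("alice", "signin.amazonaws.com", "ConsoleLogin",
                responseElements={"ConsoleLogin": "Success"}),
        # STS call made for the console session.
        _record("alice", "sts.amazonaws.com", "GetSessionToken"),
        # Denied EC2 call from the S3-only user: recorded with an errorCode.
        _record("alice", "ec2.amazonaws.com", "DescribeInstances",
                errorCode="Client.UnauthorizedOperation",
                errorMessage="You are not authorized to perform this operation."),
        # Successful EC2 call from another user: no errorCode field at all.
        _record("bob", "ec2.amazonaws.com", "DescribeInstances"),
    ]
}


def to_gzipped_bytes(log: dict) -> bytes:
    """Serialise a log the way it sits in S3: gzip-compressed JSON."""
    return gzip.compress(json.dumps(log).encode("utf-8"))


def parse_cloudtrail_file(data: bytes) -> list:
    """Return the Records list from a raw or gzip-compressed CloudTrail file."""
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        data = gzip.decompress(data)
    return json.loads(data.decode("utf-8"))["Records"]


def count_by_event(records) -> dict:
    """Occurrences of each eventName, to see what is (and is not) logged."""
    return dict(Counter(r["eventName"] for r in records))


def denied_calls(records) -> list:
    """(user, eventName, errorCode) for every record carrying an errorCode."""
    return [
        (r["userIdentity"].get("userName", "?"), r["eventName"], r["errorCode"])
        for r in records
        if "errorCode" in r
    ]


def has_event(records, event_name: str) -> bool:
    """True if any record in the file has the given eventName."""
    return any(r["eventName"] == event_name for r in records)


def console_logins(records) -> list:
    """(user, sourceIPAddress, outcome) for every ConsoleLogin record."""
    return [
        (r["userIdentity"].get("userName", "?"), r["sourceIPAddress"],
         r.get("responseElements", {}).get("ConsoleLogin", "Unknown"))
        for r in records
        if r["eventSource"] == "signin.amazonaws.com"
        and r["eventName"] == "ConsoleLogin"
    ]


if __name__ == "__main__":
    recs = parse_cloudtrail_file(to_gzipped_bytes(SAMPLE_LOG))
    print("events:", count_by_event(recs))
    print("denied:", denied_calls(recs))
    print("logins:", console_logins(recs))
    # Hypothetical event name: shows how to confirm something is simply absent.
    print("any log-out event?", has_event(recs, "ConsoleLogout"))
```

Run against a real file, parse_cloudtrail_file takes the bytes of one .json.gz object downloaded from the bucket; the counts from count_by_event show which calls reached the trail, denied_calls surfaces the Client.UnauthorizedOperation entries, and has_event returns False for any event name the trail never records, which is the quickest way to confirm that an expected log-off or S3 object operation is not there rather than merely hard to find.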