WKLD.07 – Log data events for S3 buckets with sensitive data - AWS Prescriptive Guidance

WKLD.07 – Log data events for S3 buckets with sensitive data

By default, AWS CloudTrail captures management events, events that create, modify, or delete resources in your account. These management events do not capture read or write operations to individual objects in Amazon Simple Storage Service buckets. During a security event, it is important to capture unauthorized data access or use at an individual record or object level. Use CloudTrail to log data events for any S3 buckets that store sensitive or business-critical data, for detection and auditing purposes.


Additional charges apply for logging data events. For more information, see AWS CloudTrail pricing.

To log data events for trails
  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/

  2. In the navigation pane, choose Trails, and then choose a trail name.

  3. In General details, choose Edit to change the following settings. You cannot change the name of a trail.

    1. In Data events, choose Edit.

    2. For Data event source, choose S3.

    3. For All current and future S3 buckets, clear Read and Write.

    4. In Individual bucket selection, browse for the bucket on which to log data events. You can select multiple buckets in this window. Choose Add bucket to log data events for more buckets. Choose to log Read events, such as GetObject, Write events, such as PutObject, or both.

    5. Choose Update trail.