How can I find out which IAM user modified my S3 bucket and when?

Asked By CuriousCat123 On

I'm trying to track down which IAM user made changes to one of my S3 buckets and when these changes took place. I thought the S3 console would show who uploaded or modified files, but it only displays object details without user information. I'm looking for guidance on:

1. How to identify which IAM user performed actions (like uploads, deletions, or modifications) in S3.
2. How to find the exact timestamp of those actions.
3. How to set this up to track changes consistently in the future.

I heard that CloudTrail might have this information, but I'm not sure which event names I should be looking for or where in the logs to find user identities. Any tips, sample screenshots, or examples would be greatly appreciated! Thanks!

5 Answers

Answered By TechGuru77 On

You’ve got two main options: using CloudTrail or S3 Server Access Logging. Check out the comparison on the AWS documentation to decide which one fits your needs better.

Answered By CloudNinja42 On

CloudTrail is definitely your best bet! Look for events like PutObject, DeleteObject, and CompleteMultipartUpload. Each event includes a userIdentity section that shows who made the change along with a timestamp. Filtering by bucket name can help reduce noise. Just make sure your trail is set to log data events for your S3 bucket—if it's only logging management events, it won't capture user actions on objects. It might cost a bit more but you'll have the full history of uploads and deletions!
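
An added example (not code from any answer here) of the filtering CloudNinja42 describes: it reads CloudTrail records, keeps only object-level S3 events on one bucket, and pulls the timestamp and the principal out of each record's userIdentity block. The records, bucket names, account id and the OBJECT_EVENTS set are constructed assumptions for the demo.

```python
import json

# Object-level event names from the answer above plus two common ones;
# this set is an assumption, not an exhaustive list.
OBJECT_EVENTS = {"PutObject", "DeleteObject", "CompleteMultipartUpload",
                 "DeleteObjects", "CopyObject"}

# Constructed sample CloudTrail log (not real data) in the same shape
# CloudTrail delivers to S3: a JSON document with a "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:15:22Z", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q1.csv"}},
    {"eventTime": "2024-03-01T11:02:07Z", "eventName": "DeleteObject",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deployer/ci"},
     "requestParameters": {"bucketName": "finance-reports", "key": "old.csv"}},
    {"eventTime": "2024-03-01T11:30:00Z", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"bucketName": "other-bucket", "key": "x.txt"}},
    {"eventTime": "2024-03-01T12:00:00Z", "eventName": "PutBucketPolicy",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"bucketName": "finance-reports"}},
]})


def actor(identity: dict) -> str:
    """Reduce a userIdentity block to a readable principal name."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity.get("userName", "<unknown IAM user>")
    # Assumed roles and root are identified by ARN; for a role the
    # session name at the end of the ARN tells you who assumed it.
    return identity.get("arn", f"<{kind}>")


def object_changes(log_text: str, bucket: str) -> list:
    """Return sorted (time, event, actor, key) tuples for object events on `bucket`.
    Management events such as PutBucketPolicy are skipped on purpose."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("bucketName") != bucket or rec["eventName"] not in OBJECT_EVENTS:
            continue
        hits.append((rec["eventTime"], rec["eventName"],
                     actor(rec["userIdentity"]), params.get("key", "")))
    return sorted(hits)


if __name__ == "__main__":
    for row in object_changes(SAMPLE_LOG, "finance-reports"):
        print(*row)
```

On a real trail the same function runs over each gzipped log file CloudTrail delivers to the trail's bucket, and the PutBucketPolicy record shows why bucket-level changes still appear without data events enabled while object uploads do not.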

Answered By S3Expert88 On

Just a heads up, you'll need to enable CloudTrail data events for S3 to start capturing this data moving forward. If it's not already on, you won't be able to see past events, but once it's enabled, it will log the info you’re looking for!

Answered By DataSpotter99 On

If you need to track file operations specifically, CloudTrail captures management events that reflect bucket configuration changes. However, for file operations, it’s better to enable CloudTrail data events for S3. Check the AWS documentation linked here for more details and steps on setting it up.

Answered By LogMaster21 On

You seem to be asking about data operations (like uploads and deletions) which aren't logged by default. You'll need to turn on either CloudTrail data events or S3 Server Access Logging to capture this info. Do keep in mind that this might increase your costs. For bucket configuration changes, those are logged by default in CloudTrail management events. You can find a complete list of logged events in the AWS documentation.
