I'm currently working to meet a compliance requirement that involves logging the intent behind data access in S3. The data access is done by users who are either IAM users or Cognito identities. I initially tried using CloudTrail to capture this intent by including session context, such as principal and session tags. However, I've hit a limitation: CloudTrail doesn't support principal tags for S3 data events in a useful way. So, I'm looking for AWS-native solutions for S3 audit logging that can help capture or associate user intent when data is accessed. I'd really appreciate any advice or strategies you might have. Thanks!
3 Answers
Have you considered using S3 Metadata tables? They might help with what you're trying to achieve. You can join the journal with custom data during object creation. Check out the AWS documentation for more on how that works! Just a thought.
Can you share more details about how your app accesses S3? Are you tracking intent based on the app being used or the actual user? Knowing whether it's via AWS Console, CLI, or through your app might help narrow down the best solution!
We tackled a similar issue at work by embedding intent as S3 object metadata during write or move actions. Basically, when you copy or move an object, use the --metadata flag to attach user-defined metadata like change request IDs, operators, purposes, and more. This metadata gets stored with the object and can be viewed in CloudTrail. But, this method won't log intent on read operations—the closest solution for that could be using a proxy layer such as API Gateway and Lambda to enforce users to state their purpose while accessing S3.
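A sketch of the proxy layer described in the answer above, added here as example code (not the answer author's own): a Lambda proxy handler behind API Gateway that refuses S3 access unless the caller states an intent, logs that intent with the caller identity on reads, and stamps it onto the object as user metadata on writes. The `x-intent-*` header names, the metadata field names and the audit record shape are assumptions; the write path uses boto3's `copy_object` with `MetadataDirective="REPLACE"`, the API equivalent of the `--metadata` flag.

```python
import json

# Intent fields the proxy insists on; they become x-amz-meta-* user metadata
# on writes and an audit-log record on reads (field names are assumptions).
REQUIRED_INTENT_FIELDS = ("purpose", "operator", "change-request")


def intent_from_headers(headers):
    """Pull intent out of hypothetical x-intent-<field> headers (case-insensitive).
    Returns (metadata_dict, list_of_missing_fields)."""
    lowered = {k.lower(): v for k, v in (headers or {}).items()}
    metadata, missing = {}, []
    for field in REQUIRED_INTENT_FIELDS:
        value = (lowered.get(f"x-intent-{field}") or "").strip()
        if value:
            metadata[field] = value
        else:
            missing.append(field)
    return metadata, missing


def audit_record(event, action, metadata):
    """Structured log line tying the caller (API Gateway request context) to the
    stated intent; written to CloudWatch Logs, which CloudTrail cannot do for us."""
    identity = (event.get("requestContext") or {}).get("identity") or {}
    params = event.get("pathParameters") or {}
    return {"action": action, "bucket": params.get("bucket"), "key": params.get("key"),
            "caller_arn": identity.get("userArn"), "source_ip": identity.get("sourceIp"),
            "intent": metadata}


def handle_request(event, s3_client):
    """Lambda proxy handler: refuse access with no stated intent (HTTP 400), log the
    intent on GET, and stamp it onto the object as user metadata on PUT."""
    metadata, missing = intent_from_headers(event.get("headers"))
    if missing:
        return {"statusCode": 400,
                "body": json.dumps({"error": "intent required", "missing": missing})}
    bucket, key = event["pathParameters"]["bucket"], event["pathParameters"]["key"]
    if event.get("httpMethod") == "GET":
        print(json.dumps(audit_record(event, "GetObject", metadata)))  # audit entry
        body = s3_client.get_object(Bucket=bucket, Key=key)["Body"].read()
        return {"statusCode": 200, "body": body.decode()}
    # PUT: the boto3 equivalent of `aws s3 cp --metadata ...`; copying the object
    # onto itself with MetadataDirective=REPLACE rewrites its user metadata.
    s3_client.copy_object(CopySource={"Bucket": bucket, "Key": key}, Bucket=bucket,
                          Key=key, Metadata=metadata, MetadataDirective="REPLACE")
    print(json.dumps(audit_record(event, "CopyObject", metadata)))
    return {"statusCode": 204, "body": ""}
```

In deployment `s3_client` is `boto3.client("s3")` and `handle_request` is wrapped by the real `lambda_handler(event, context)`; the read path still records intent only in the proxy's logs, not in CloudTrail.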