I've set up AWS CloudTrail but I'm struggling to get logs for the 'DeleteObject' event through the API. I can query logs for 'PutObject' and 'DeleteObjects' just fine, but 'DeleteObject' isn't showing up. Here's the query I'm using: { "QueryStatement": "SELECT * FROM ***-4229-429d-8589-*** WHERE eventSource = 's3.amazonaws.com' AND eventName='DeleteObject' ORDER BY eventTime DESC LIMIT 10" }. The response I get shows no results with the following details: { "QueryResultRows": [], "QueryStatistics": { "BytesScanned": 53297820, "ResultsCount": 0, "TotalResultsCount": 0 }, "QueryStatus": "FINISHED" }. Any ideas on what I might be missing?
3 Answers
If you're mainly interested in metrics rather than the actual request details, you could consider using S3 Storage Lens for those insights.
Are you actually performing any 'DeleteObject' operations on the bucket? If those operations aren't being called, they won't be logged at all.
Make sure that DataEvents are enabled on your CloudTrail, because you won’t get these API calls otherwise. Just a heads-up, DataEvents can get quite pricey, so using S3 access logs might be a better option.
I have DataEvents enabled and all the necessary permissions. I just want to fetch the filename of the deleted object through the CloudTrail log.
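Once the event data store actually contains S3 data events, the object name is in the record itself. As an added example (not code from any poster in this thread), the script below pulls the deleted keys out of CloudTrail records; it assumes the standard CloudTrail S3 data event layout, where DeleteObject carries the key in requestParameters.key and a multi-object DeleteObjects call lists each object as an AWS::S3::Object entry in resources, and the records it runs on are constructed samples.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed sample records (not real log data). The field layout follows the CloudTrail
# S3 data event format: eventSource, eventName, requestParameters and resources.
SAMPLE_RECORDS = [
    {
        "eventTime": "2024-01-10T12:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject",
        # Single-object delete: the key is right in requestParameters.
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/q4.pdf"},
    },
    {
        "eventTime": "2024-01-10T12:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObjects",
        # Multi-object delete: the request body is not expanded in requestParameters,
        # so the affected keys have to be read from the AWS::S3::Object resources.
        "requestParameters": {"bucketName": "example-bucket", "delete": "", "x-id": "DeleteObjects"},
        "resources": [
            {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::example-bucket"},
            {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/tmp/a.log"},
            {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/tmp/b.log"},
        ],
    },
    # Management event with no object key: must be ignored.
    {"eventTime": "2024-01-10T12:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "requestParameters": {"bucketName": "old-bucket"}, "resources": []},
]

def _split_object_arn(arn: str) -> Tuple[str, str]:
    """'arn:aws:s3:::bucket/path/key' -> ('bucket', 'path/key'); keys may contain '/'."""
    bucket, _, key = arn[len("arn:aws:s3:::"):].partition("/")
    return bucket, key

def deleted_objects(records: Iterable[Dict]) -> List[Tuple[str, str, str, str]]:
    """Return one (eventTime, eventName, bucket, key) tuple per deleted object key."""
    rows = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        name, params = rec.get("eventName"), rec.get("requestParameters") or {}
        if name == "DeleteObject" and "key" in params:
            rows.append((rec["eventTime"], name, params["bucketName"], params["key"]))
        elif name == "DeleteObjects":
            for res in rec.get("resources", []):
                if res.get("type") == "AWS::S3::Object":
                    bucket, key = _split_object_arn(res["ARN"])
                    rows.append((rec["eventTime"], name, bucket, key))
    return rows
```

Feed it the parsed `Records` array from a CloudTrail log file, or the rows returned by a CloudTrail Lake query that selects eventTime, eventName, requestParameters and resources.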