Amazon web services 创建CloudWatch报警,通知将S3对象设置为公共
我想在CloudWatch上创建一个度量过滤器和一个基于它的警报,以通知我S3事件,特别是当文件或存储桶设置为public时。这是我用来创建度量的度量过滤器: {($.eventSource=s3.amazonaws.com)&&($.eventName=PutBucketAcl) ||($.eventName=PutObjectAcl))&& (($.requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.type) =组} 我通过放置以下Amazon web services 创建CloudWatch报警,通知将S3对象设置为公共,amazon-web-services,amazon-s3,metrics,amazon-cloudwatchlogs,amazon-cloudtrail,Amazon Web Services,Amazon S3,Metrics,Amazon Cloudwatchlogs,Amazon Cloudtrail,我想在CloudWatch上创建一个度量过滤器和一个基于它的警报,以通知我S3事件,特别是当文件或存储桶设置为public时。这是我用来创建度量的度量过滤器: {($.eventSource=s3.amazonaws.com)&&($.eventName=PutBucketAcl) ||($.eventName=PutObjectAcl))&& (($.requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.ty
自定义日志数据来测试此模式
:
{
"Records": [
{
"eventVersion": "1.03",
"userIdentity": {
"type": "IAMUser",
"principalId": "111122223333",
"arn": "arn:aws:iam::111122223333:user/myUserName",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "myUserName"
},
"eventTime": "2015-08-26T20:46:31Z",
"eventSource": "s3.amazonaws.com",
"eventName": "DeleteBucketPolicy",
"awsRegion": "us-west-2",
"sourceIPAddress": "127.0.0.1",
"userAgent": "[]",
"requestParameters": {
"bucketName": "myawsbucket"
},
"responseElements": null,
"requestID": "47B8E8D397DCE7A6",
"eventID": "cdc4b7ed-e171-4cef-975a-ad829d4123e8",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.03",
"userIdentity": {
"type": "IAMUser",
"principalId": "111122223333",
"arn": "arn:aws:iam::111122223333:user/myUserName",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "myUserName"
},
"eventTime": "2015-08-26T20:46:31Z",
"eventSource": "s3.amazonaws.com",
"eventName": "PutBucketAcl",
"awsRegion": "us-west-2",
"sourceIPAddress": "",
"userAgent": "[]",
"requestParameters": {
"bucketName": "",
"AccessControlPolicy": {
"AccessControlList": {
"Grant": {
"Grantee": {
"xsi:type": "Group",
"xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
"ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example"
},
"Permission": "FULL_CONTROL"
}
},
"xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
"Owner": {
"ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example"
}
}
},
"responseElements": null,
"requestID": "BD8798EACDD16751",
"eventID": "607b9532-1423-41c7-b048-ec2641693c47",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.03",
"userIdentity": {
"type": "IAMUser",
"principalId": "111122223333",
"arn": "arn:aws:iam::111122223333:user/myUserName",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "myUserName"
},
"eventTime": "2015-08-26T20:46:31Z",
"eventSource": "s3.amazonaws.com",
"eventName": "GetBucketVersioning",
"awsRegion": "us-west-2",
"sourceIPAddress": "",
"userAgent": "[]",
"requestParameters": {
"bucketName": "myawsbucket"
},
"responseElements": null,
"requestID": "07D681279BD94AED",
"eventID": "f2b287f3-0df1-4961-a2f4-c4bdfed47657",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
}
]
}
我单击了测试模式,得到以下消息:
结果在示例日志中的50个事件中找到0个匹配项
公制过滤器是否正确?我应该有一个结果,但它不会出现。计算一个策略是否提供开放访问非常复杂,因为在Bucket策略中可以通过多种方式指定规则(例如,通配符可以提供访问)
一种更简单的方法是使用Amazon S3 Bucket Permissions签入可信顾问:
检查Amazon简单存储服务(Amazon S3)中具有开放访问权限或允许访问任何经过身份验证的AWS用户的存储桶
那你就可以了
但是,该特定检查不包括在Trusted Advisor的免费层中。您需要支持计划才能执行该检查
Amazon S3控制台最近也进行了更新——它现在清楚地显示了任何具有公共权限的存储桶。计算策略是否提供开放访问非常复杂,因为在存储桶策略中可以通过多种方式指定规则(例如,通配符可以提供访问)
一种更简单的方法是使用Amazon S3 Bucket Permissions签入可信顾问:
检查Amazon简单存储服务(Amazon S3)中具有开放访问权限或允许访问任何经过身份验证的AWS用户的存储桶
那你就可以了
但是,该特定检查不包括在Trusted Advisor的免费层中。您需要支持计划才能执行该检查
Amazon S3控制台最近也进行了更新——它现在清楚地显示了任何具有公共权限的存储桶。是的,我知道Trust Advisor提供了这一功能,但我需要SNS向我的邮箱发送通知,因为我管理许多AWS帐户,很难逐个帐户检查Trust Advisor帐户。所有帐户的CloudTrail事件都集中在一个bucket中,我需要在其上设置度量过滤器。我需要该警报,即使它很复杂。根据上面的链接,Trusted Advisor可以触发CloudWatch事件,它可以发送SNS通知消息。我们正在eu-west-1地区工作,那里没有信托顾问规则。正确。如文档中所述,您必须使用us-east-1
中的Amazon CloudWatch事件来访问Trusted Advisor。然而,Amazon S3的Trusted Advisor检查是全球性的,因此它们在us-east-1
中仍然可用。是的,我知道Trust Advisor提供了这一功能,但我需要SNS通知我的邮箱,因为我管理许多AWS帐户,很难逐个帐户检查Trust Advisor帐户。所有帐户的CloudTrail事件都集中在一个bucket中,我需要在其上设置度量过滤器。我需要该警报,即使它很复杂。根据上面的链接,Trusted Advisor可以触发CloudWatch事件,它可以发送SNS通知消息。我们正在eu-west-1地区工作,那里没有信托顾问规则。正确。如文档中所述,您必须使用us-east-1
中的Amazon CloudWatch事件来访问Trusted Advisor。但是,Amazon S3的Trusted Advisor检查是全球性的,因此它们仍然可以在us-east-1
中使用。