Investigating CloudTrail for S3 PutBucketNotification

August 22, 2016 #aws #cloudtrail #s3

I was investigating the types of CloudTrail events that are available for S3. However, when I was comparing Services Supported by CloudTrail API Activity History against the s3api — AWS CLI 1.10.58 Command Reference, I noticed something that confused me.

CloudTrail will log a bucket level API event for PutBucketNotification, but the CLI has s3api commands for both put-bucket-notification and put-bucket-notification-configuration. What is the difference? Is the later not logged to CloudTrail? Digging into the documentation, I saw this description for put-bucket-notification:

Deprecated, see the PutBucketNotificationConfiguraiton operation.

I tried it out and see what got logged. First, I created a blank bucket notification configuration file:

{  
    "TopicConfigurations": [],
    "QueueConfigurations": [],
    "LambdaFunctionConfigurations": []  
}

Then I used the s3api CLI to put this configuration onto my S3 bucket:

$ aws --profile saml s3api put-bucket-notification-configuration --bucket kjh-encryption-test1 --notification-configuration file://bucket-notification-configuration-blank.json

After a couple minutes, the event appears in CloudTrail as a PutBucketNotification. Here’s the raw JSON you see if you click “View event”:

{  
   "eventVersion":"1.03",  
   "userIdentity":{  
      "type":"AssumedRole",  
      "principalId":"AROAXXXXXXXXXXXXXXXXX:kevin.hakanson@example.com",  
      "arn":"arn:aws:sts::123456789012:assumed-role/PowerUser/kevin.hakanson@example.com",  
      "accountId":"123456789012",  
      "accessKeyId":"ASIAXXXXXXXXXXXXXXXX",  
      "sessionContext":{  
         "attributes":{  
            "mfaAuthenticated":"false",  
            "creationDate":"2016-08-23T01:58:41Z"  
         },  
         "sessionIssuer":{  
            "type":"Role",  
            "principalId":"AROAXXXXXXXXXXXXXXXXX",  
            "arn":"arn:aws:iam::123456789012:role/PowerUser",  
            "accountId":"123456789012",  
            "userName":"PowerUser"  
         }  
      }  
   },  
   "eventTime":"2016-08-23T02:24:27Z",  
   "eventSource":"s3.amazonaws.com",  
   "eventName":"PutBucketNotification",  
   "awsRegion":"us-west-2",  
   "sourceIPAddress":"198.179.137.232",  
   "userAgent":"[aws-cli/1.10.43 Python/2.7.10 Darwin/14.5.0 botocore/1.4.33]",  
   "requestParameters":{  
      "bucketName":"kjh-encryption-test1",  
      "NotificationConfiguration":{  
         "xmlns":"http://s3.amazonaws.com/doc/2006-03-01/"  
      }  
   },  
   "responseElements":null,  
   "requestID":"BABEFFD87216E573",  
   "eventID":"3fb71544-ab01-433b-94df-651b808348fe",  
   "eventType":"AwsApiCall",  
   "recipientAccountId":"123456789012"  
}

Bonus: If you noticed the typo above from the AWS CLI documentation, I created Issue #2127 · aws/aws-cli · GitHub.