Investigating CloudTrail for S3 PutBucketNotification

August 22, 2016 #aws #cloudtrail #s3

I was investigating the types of CloudTrail events that are available for S3.  However, when I was comparing Services Supported by CloudTrail API Activity History against the s3api — AWS CLI 1.10.58 Command Reference, I noticed something that confused me.

CloudTrail will log a bucket level API event for PutBucketNotification, but the CLI has s3api commands for both put-bucket-notification and put-bucket-notification-configuration.  What is the difference?  Is the later not logged to CloudTrail? Digging into the documentation, I saw this description for put-bucket-notification:

Deprecated, see the PutBucketNotificationConfiguraiton operation.

I tried it out and see what got logged.  First, I created a blank bucket notification configuration file:

    "TopicConfigurations": [],
    "QueueConfigurations": [],
    "LambdaFunctionConfigurations": []  

Then I used the s3api CLI to put this configuration onto my S3 bucket:

$ aws --profile saml s3api put-bucket-notification-configuration --bucket kjh-encryption-test1 --notification-configuration file://bucket-notification-configuration-blank.json

After a couple minutes, the event appears in CloudTrail as a PutBucketNotification. Here’s the raw JSON you see if you click “View event”:

   "userAgent":"[aws-cli/1.10.43 Python/2.7.10 Darwin/14.5.0 botocore/1.4.33]",  

Bonus:  If you noticed the typo above from the AWS CLI documentation, I created Issue #2127 · aws/aws-cli · GitHub.

Kevin Hakanson

Multi-Cloud Certified Architect | DevSecOps | AppSec | Web Platform | Speaker | Learner | Builder
Twitter | LinkedIn | GitHub | Stack Overflow | Credly

© 2024 Kevin Hakanson (built with Gatsby)