Audit S3 APIs
This page describes how to set up an HTTP webhook for S3 audit purposes.
Configuring HTTP webhooks for S3 API operations enables the capture of detailed audit logs, which are essential for analyzing access patterns, supporting security and compliance initiatives, and troubleshooting issues in S3 interactions.
S3 API calls can generate JSON-formatted audit events, which are streamed to target applications such as Splunk for real-time monitoring and analysis. This approach replaces the legacy BucketLogging
S3 APIs with a more robust and scalable auditing solution. Each event provides granular details about the operation, including the request type, object affected, requester identity, and network metadata.
For example, an audit event generated by a PutObject
operation includes fields such as the bucket name, object key, operation status, client IP address, user agent, and the WEKA cluster information that processed the request. These elements are crucial for tracing user activity, validating policy compliance, and performing forensic investigations. By understanding the structure and key fields in these logs, users can ensure that operations conform to expected behavior and promptly identify unauthorized access.
Related topics
Configure audit webhook using the GUI
Configure audit webhook using the CLI
Example: How to use Splunk to audit S3
Example: How to use S3 audit events for tracking and security
Last updated