AWS cloud watch event pattern to detect S3 buckets creation/modification with public access


I am trying to create an AWS CloudWatch event which will trigger an email whenever an S3 bucket is created or modified to allow public access.

I have created the CloudTrail and log stream and am tracking all the S3 event logs. When I try to create a custom event by giving the pattern to detect S3 buckets with public access, I am not able to fetch any response, or the event doesn't get triggered even if I create a bucket with public access. Can you help me out with the custom pattern for the same?

I have tried giving GetPublicAccessBlock, PutPublicAccessBlock etc. in the event type but no luck. Please suggest accordingly.


You need to do the following in order to receive a notification:

  1. Enable CloudTrail for management events
  2. Create an EventBridge Rule with an event pattern
  3. AWS events or EventBridge partner events
  4. Use Pattern from AWS Service, Simple Storage Service (S3), and Event Type as "AWS API Call via CloudTrail"

Note: This only works if you are turning off for an existing bucket (not for a new bucket)

The reason being that when we create a bucket with public access, there are only two events generated, which are CreateBucket and PutBucketEncryption, and they don't seem to have information regarding public access being turned on. However, if we create a bucket with no public access, then it generates an additional PutBucketPublicAccessBlock event along with CreateBucket and PutBucketEncryption.

{
  "source": ["aws.s3"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"],
    "requestParameters": {
      "PublicAccessBlockConfiguration": {
        "$or": [
          { "RestrictPublicBuckets": [false] },
          { "BlockPublicPolicy": [false] },
          { "BlockPublicAcls": [false] },
          { "IgnorePublicAcls": [false] }
        ]
      }
    }
  }
}
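To see how the rule in the answer behaves before deploying it, here is an added example (not part of the question or the answer) that models the subset of EventBridge pattern syntax the rule uses: lists of exact values, nested objects, and "$or". It runs the answer's pattern over four constructed CloudTrail-style events: an existing bucket with one protection switched off, a bucket with all four protections kept on, a DeleteBucketPublicAccessBlock call, and a CreateBucket call. Two things worth checking against real CloudTrail records: the "created" sample carries no public-access information, which is the gap the answer's note describes, and the "deleted" sample as constructed here has no PublicAccessBlockConfiguration in its request parameters, so the answer's pattern does not fire on it, because EventBridge only matches when every field named in the pattern is present. The SPLIT_PATTERN variant, an assumption of this example rather than the answer's rule, lifts the eventName choice into the "$or" so the Delete call is matched on its name alone. Bucket names and event shapes are constructed; the evaluator is a model of the matching rules, not the EventBridge service.

```python
# Added example: a small evaluator for the EventBridge pattern subset used
# in the answer (exact-value lists, nested objects, "$or"), run over
# constructed CloudTrail-style S3 events. Not the EventBridge service itself.

ANSWER_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"],
        "requestParameters": {
            "PublicAccessBlockConfiguration": {
                "$or": [
                    {"RestrictPublicBuckets": [False]},
                    {"BlockPublicPolicy": [False]},
                    {"BlockPublicAcls": [False]},
                    {"IgnorePublicAcls": [False]},
                ]
            }
        },
    },
}

# Variant (an assumption of this example, not the answer's rule): the Delete
# call is matched on its name alone, while the Put call still needs one of
# the four flags to be false.
SPLIT_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "$or": [
            {"eventName": ["DeleteBucketPublicAccessBlock"]},
            {
                "eventName": ["PutBucketPublicAccessBlock"],
                "requestParameters": ANSWER_PATTERN["detail"]["requestParameters"],
            },
        ],
    },
}


def matches(pattern, value):
    """True if `value` satisfies `pattern` under EventBridge-style rules:
    a list  = the value must equal one of its entries (same type, so 0 != False);
    a dict  = every key must be present in the value and match;
    "$or"   = at least one alternative must match the same value."""
    if isinstance(pattern, list):
        return any(type(v) is type(value) and v == value for v in pattern)
    if not isinstance(pattern, dict) or not isinstance(value, dict):
        return False
    for key, sub in pattern.items():
        if key == "$or":
            if not any(matches(alt, value) for alt in sub):
                return False
        elif key not in value or not matches(sub, value[key]):
            return False
    return True


def s3_event(event_name, request_parameters):
    """Constructed EventBridge envelope around a CloudTrail S3 record."""
    return {
        "source": "aws.s3",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "s3.amazonaws.com",
            "eventName": event_name,
            "requestParameters": request_parameters,
        },
    }


def block_config(**flags):
    """All four protections on, with any overrides given as keyword flags."""
    cfg = {k: True for k in ("RestrictPublicBuckets", "BlockPublicPolicy",
                             "BlockPublicAcls", "IgnorePublicAcls")}
    cfg.update(flags)
    return {"bucketName": "example-bucket", "PublicAccessBlockConfiguration": cfg}


# Constructed sample events, one per situation discussed in the answer.
SAMPLES = {
    "weakened": s3_event("PutBucketPublicAccessBlock", block_config(BlockPublicPolicy=False)),
    "hardened": s3_event("PutBucketPublicAccessBlock", block_config()),
    "deleted": s3_event("DeleteBucketPublicAccessBlock", {"bucketName": "example-bucket"}),
    "created": s3_event("CreateBucket", {"bucketName": "example-bucket"}),
}


def evaluate(pattern):
    """Map each sample name to whether the pattern would fire on it."""
    return {name: matches(pattern, ev) for name, ev in SAMPLES.items()}


if __name__ == "__main__":
    for label, pat in (("answer", ANSWER_PATTERN), ("split", SPLIT_PATTERN)):
        print(label, evaluate(pat))
```

Running it shows the answer's pattern firing only on the "weakened" sample, while the split variant also fires on "deleted"; neither fires on "created", so a new bucket still has to be checked by other means, for example a rule on CreateBucket whose target queries the bucket's public access block settings.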