I would like to enable CloudTrail Data Events just for Delete events for just a couple of S3 buckets. I have the following selector:
[
  {
    "name": "Deletes CT selector",
    "fieldSelectors": [
      {
        "field": "eventCategory",
        "equals": [
          "Data"
        ]
      },
      {
        "field": "resources.type",
        "equals": [
          "AWS::S3::Object"
        ]
      },
      {
        "field": "eventName",
        "startsWith": [
          "Delete"
        ]
      },
      {
        "field": "resources.ARN",
        "startsWith": [
          "arn:aws:s3:::bucket-1/",
          "arn:aws:s3:::bucket-2/",
          "arn:aws:s3:::bucket-3/"
        ]
      },
      {
        "field": "readOnly",
        "equals": [
          "false"
        ]
      }
    ]
  }
]
When I try to test by deleting an object, I can see all the other related events before and after the delete, but there is no DeleteObject or DeleteObjects, no Delete events at all. I am loading the logs into Athena and checking there; I also manually checked the gzipped JSON generated by CloudTrail. No Delete events.
Has anyone managed to set up this scenario in CloudTrail?
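To see what this selector would capture without waiting for delivery, here is an added Python evaluator (not from the question and not AWS code) that applies the question's advanced event selector to constructed CloudTrail-style S3 data-event records. It assumes CloudTrail ANDs the fieldSelectors of one selector and ORs the values listed under one operator, with the "not*" operators inverting that.

```python
# Added example: offline evaluation of the question's advanced event selector.
# Matching semantics (AND across fieldSelectors, OR across listed values) are assumed.
SELECTOR = {
    "name": "Deletes CT selector",
    "fieldSelectors": [
        {"field": "eventCategory", "equals": ["Data"]},
        {"field": "resources.type", "equals": ["AWS::S3::Object"]},
        {"field": "eventName", "startsWith": ["Delete"]},
        {"field": "resources.ARN", "startsWith": [
            "arn:aws:s3:::bucket-1/", "arn:aws:s3:::bucket-2/", "arn:aws:s3:::bucket-3/"]},
        {"field": "readOnly", "equals": ["false"]},
    ],
}

OPS = {
    "equals": lambda value, pattern: value == pattern,
    "startsWith": lambda value, pattern: value.startswith(pattern),
    "endsWith": lambda value, pattern: value.endswith(pattern),
}

def record_values(record, field):
    """Values a record carries for a selector field (a list: one record can name several resources)."""
    if field == "resources.type":
        return [r.get("type") for r in record.get("resources", [])]
    if field == "resources.ARN":
        return [r.get("ARN") for r in record.get("resources", [])]
    if field == "readOnly":  # boolean in the record, string "true"/"false" in the selector
        return [str(record.get("readOnly")).lower()]
    return [record.get(field)]

def condition_matches(condition, values):
    """One fieldSelector: every operator on it must hold; "notX" means no listed value may match."""
    for op, patterns in condition.items():
        if op == "field":
            continue
        negated = op.startswith("not")
        base = op[3].lower() + op[4:] if negated else op  # notStartsWith -> startsWith
        hit = any(OPS[base](v, p) for v in values if v is not None for p in patterns)
        if hit == negated:
            return False
    return True

def selector_matches(selector, record):
    """True when all fieldSelectors hold for this record."""
    return all(condition_matches(c, record_values(record, c["field"]))
               for c in selector["fieldSelectors"])

def s3_object_record(event_name, object_arn, read_only):
    """Constructed S3 data-event record carrying only the fields the selector inspects."""
    bucket_arn = object_arn.rsplit("/", 1)[0]
    return {"eventCategory": "Data", "eventName": event_name, "readOnly": read_only,
            "resources": [{"type": "AWS::S3::Object", "ARN": object_arn},
                          {"type": "AWS::S3::Bucket", "ARN": bucket_arn}]}

if __name__ == "__main__":
    print(selector_matches(SELECTOR, s3_object_record("DeleteObject", "arn:aws:s3:::bucket-1/report.csv", False)))
```

Note that the trailing slash in the ARN prefixes matters: `arn:aws:s3:::bucket-1/` does not match objects in a bucket named `bucket-10`.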
I thought I had a similar problem, using startsWith=DeleteObject instead of Delete. After a while it turned out the events were just delayed. Working setup: