Query Details

AWS Cloud Trail Aws Disable Bucket Versioning

Query

AWSCloudTrail
| where EventName has "PutBucketVersioning"
| where tostring(todynamic(RequestParameters)["VersioningConfiguration"]["Status"]) == "Suspended"
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events related to S3 bucket versioning. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by accessing the AWSCloudTrail logs, which contain records of AWS API calls.

  2. Filter Events: The query filters these logs to find events where the EventName includes "PutBucketVersioning". This event is related to changes in the versioning configuration of an S3 bucket.

  3. Check Versioning Status: It further filters these events to find instances where the versioning status was set to "Suspended". This means the query is looking for actions that have suspended versioning on an S3 bucket.

  4. Invoke AWS Identity Role: The query uses the invoke AWSIdentityRole() function, which likely enriches the data with additional identity-related information.

  5. Select Columns: Finally, it selects and projects a specific set of columns to display, including:

    • TimeGenerated: When the event was logged.
    • UserIdentityType, Identity, ActorRole: Information about the user or entity that performed the action.
    • UserIdentityAccountId, UserIdentityAccountName: Account details of the user.
    • RecipientAccountId, RecipientAccountName: Account details of the recipient.
    • AWSRegion: The AWS region where the event occurred.
    • SessionCreationDate: When the session was created.
    • UserIdentityPrincipalid, UserIdentityArn: Additional identity information.
    • SourceIpAddress: The IP address from which the request was made.
    • EventSource, EventTypeName, EventName: Details about the event.
    • ManagementEvent, ReadOnly: Flags indicating the nature of the event.
    • ErrorCode, ErrorMessage: Any errors that occurred during the event.
    • RequestParameters, ResponseElements: Details of the request and response.
    • Resources: Resources involved in the event.
    • SessionMfaAuthenticated: Whether multi-factor authentication was used.
    • UserAgent: The user agent string of the client that made the request.
    • AwsEventId: A unique identifier for the event.

In summary, this query is used to track and analyze events where S3 bucket versioning is suspended, providing detailed information about the event and the identities involved.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail

Operators

AWSCloudTrail|wherehastostringtodynamic==invokeAWSIdentityRoleproject

Actions

GitHub