Splunk Lantern

Geographic access to AWS S3 Buckets

You might want to view the geographic location of accounts accessing your S3 buckets when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Visualizing where in the world Amazon Simple Storage Service (S3) buckets are being accessed from may help uncover various insights, such as S3 buckets that have inadvertently been granted public access, or whether certain content is being consumed and by whom.

You can use this search to visualize which S3 buckets are accessed and from where.

To optimize the search shown below, you should specify a time range.

  1. Ensure that your deployment is ingesting AWS data through one of the following methods:
    • Pulling the data from AWS into Splunk via the AWS APIs. At small scale, pulling via the AWS APIs will work fine.
    • Pushing the data from AWS into Splunk via Lambda/Firehose to the Splunk HTTP Event Collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
  2. Run the following search: 
index="AWS-INDEX" sourcetype="aws:s3:accesslogs"
| iplocation remote_ip
| geostats count BY bucket_name

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| `index="<AWS index name>" sourcetype="aws:s3:accesslogs"` | Search the index(es) where AWS data is stored, filtered to just the AWS access logs. |
| `\| iplocation remote_ip` | Enrich the data with geographic information related to the remote_ip (the IP address that was used to access the S3 bucket). |
| `\| geostats count BY bucket_name` | Plot the access on a map for each location and bucket_name. |

Result

Use the results of this search to verify that access to your S3 buckets is legitimate. Investigate further as needed.
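
The aggregation behind this search, as an added Python example that is not part of the original article and is not Splunk code: it parses constructed S3 server access log records, maps remote_ip to a country through a constructed stand-in table (an assumption, not a real GeoIP database), and counts requests per bucket_name and country. It goes one step beyond the search by also counting requests whose requester field is "-", which S3 logs for unauthenticated requests and which is the signal for an inadvertently public bucket.

```python
import ipaddress
import re
from collections import Counter

# Leading space-delimited fields of an S3 server access log record.
LINE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket_name>\S+) \[(?P<time>[^\]]+)\] '
    r'(?P<remote_ip>\S+) (?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+)'
)

# Constructed stand-in for a GeoIP database, keyed on documentation IP ranges.
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "Country A",
    ipaddress.ip_network("203.0.113.0/24"): "Country B",
}

# Constructed sample records, trimmed after the operation field.
SAMPLE = """\
OWNER reports-bucket [06/Feb/2024:00:00:38 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/alice REQ1 REST.GET.OBJECT
OWNER reports-bucket [06/Feb/2024:00:01:02 +0000] 203.0.113.7 - REQ2 REST.GET.OBJECT
OWNER reports-bucket [06/Feb/2024:00:01:09 +0000] 203.0.113.7 - REQ3 REST.GET.OBJECT
OWNER backup-bucket [06/Feb/2024:00:02:15 +0000] 10.0.4.20 arn:aws:iam::111122223333:role/backup REQ4 REST.PUT.OBJECT
this line is not an access log record
"""

def locate(ip_text):
    """Return the country label for an IP, or 'unlocated' (private or unknown)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unlocated"
    return next((c for net, c in GEO.items() if ip in net), "unlocated")

def summarize(log_text):
    """Count requests and anonymous requests per (bucket_name, country)."""
    total, anonymous = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed records instead of failing the run
        key = (m["bucket_name"], locate(m["remote_ip"]))
        total[key] += 1
        if m["requester"] == "-":  # "-" marks an unauthenticated request
            anonymous[key] += 1
    return total, anonymous

if __name__ == "__main__":
    total, anonymous = summarize(SAMPLE)
    print({k: (n, anonymous[k]) for k, n in sorted(total.items())})
```

In the sample, every request to reports-bucket from "Country B" is anonymous, which is the pattern to follow up on; the private address lands in "unlocated" because it has no geographic mapping.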