Visualizing where in the world Amazon Simple Storage Service (S3) buckets are being accessed from may help uncover various insights, such as S3 buckets which have been inadvertently granted public access, or whether or not certain content is being consumed and by whom.
You can use this search to visualize what S3 buckets are accessed and from where.
AWS: Access logs
- Configure the Splunk Add-on for Amazon Web Services.
- Ensure that your deployment is ingesting AWS data through one of the following methods:
- Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work fine.
- Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into Splunk is the easier and more scalable method.
- Run the following search:
index="AWS-INDEX" sourcetype="aws:s3:accesslogs" | iplocation remote_ip | geostats count BY bucket_name
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|index="<AWS index name>" sourcetype="aws:s3:accesslogs"||Search the index(s) where AWS data is stored filtered to just the AWS access logs.|
|| iplocation remote_ip||Enrich the data with geographic information related to the remote_ip (the IP address that was used to access the S3 bucket).|
|| geostats count BY bucket_name||Plot the access on a map per each location and bucket_name.|
Use the results of this search to verify that access to your S3 buckets is legitimate. Investigate further as needed.
You might also be interested in other processes associated with the Managing an Amazon Web Services environment use case.