
The blog post AWS S3 Denial of Wallet amplification attack | by Ben Liesfeld | Feb, 2024 | Limbus News mentions:

You could monitor HTTP API requests to your S3 buckets which is
possible with a delay of a few hours. If you see an unusually high
amount of API requests, you could prohibit access to the resource.

How do I monitor HTTP API requests to S3?

2 Answers


  1. You can achieve this using server access logging of the AWS S3 service by following the steps below.

    • Sign in to AWS Console
    • Go to the S3 service by clicking on it from the list of available AWS services.
    • From the list of buckets, choose the S3 bucket for which you want to
      enable access logging.
    • Click on the bucket name to access its properties on "Properties" tab.
    • Scroll down to the "Server access logging" section within the
      properties and click "Edit".
    • Check the box labeled "Enable logging" to activate access logging.
      Then, specify the target bucket where you want to store the access
      logs. You can choose an existing bucket or create a new one.
    • Optionally, define permissions for access logs by specifying an IAM
      role that has write access to the target bucket.
    • Select the desired logging format for the access logs. The default
      format is commonly used, but you can customize it if necessary.

    The format of the logs will be as per below by default. It's a typical access log of the kind any web server captures.

    79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DOC-EXAMPLE-BUCKET1 [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 3E57427F3EXAMPLE REST.GET.VERSIONING - "GET /DOC-EXAMPLE-BUCKET1?versioning HTTP/1.1" 200 - 113 - 7 - "-" "S3Console/0.4" - s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader DOC-EXAMPLE-BUCKET1.s3.us-west-1.amazonaws.com TLSV1.2 arn:aws:s3:us-west-1:123456789012:accesspoint/example-AP Yes
    

    Hope this helps.

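The log line quoted in the answer above is space-separated, with the timestamp in square brackets and the request URI, referer and user agent in double quotes, so a naive `split()` breaks it. The following added example (mine, not part of the original answer or any AWS tool) parses lines in that default format and runs a per-bucket, per-source-address sliding-window check over them, which is the "unusually high amount of API requests" test the question is after; it also tracks bytes sent, since for a Denial of Wallet attack the egress bill matters at least as much as the request count. The sample lines are constructed: the first is the one quoted above, the rest imitate anonymous downloads of a 50 MB object from a single address. The thresholds, request ID and host ID values are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One token is a [bracketed] timestamp, a "quoted" field, or a bare field.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Field order of the default S3 server access log format (26 fields).
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turnaround_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
    "host_header", "tls_version", "access_point_arn", "acl_required",
]


def parse_line(line):
    """Parse one access log line into a dict keyed by FIELDS.
    Older lines end early; zip() simply yields fewer keys for them."""
    rec = dict(zip(FIELDS, _TOKEN.findall(line)))
    rec["time"] = datetime.strptime(rec["time"], "[%d/%b/%Y:%H:%M:%S %z]")
    # "-" means no response body was sent (e.g. 304 or an error): count zero bytes.
    rec["bytes_sent"] = 0 if rec["bytes_sent"] == "-" else int(rec["bytes_sent"])
    for f in ("request_uri", "referer", "user_agent"):
        rec[f] = rec[f].strip('"')
    return rec


def find_bursts(lines, window=timedelta(minutes=5), max_requests=100,
                max_bytes=1_000_000_000):
    """Sliding window per (bucket, remote IP). Reports, once per pair, the first
    moment the request count or the bytes sent inside `window` exceed a threshold.
    Thresholds are placeholders; tune them to the bucket's normal traffic."""
    groups = defaultdict(list)
    for rec in sorted(map(parse_line, lines), key=lambda r: r["time"]):
        groups[(rec["bucket"], rec["remote_ip"])].append(rec)
    alerts = []
    for (bucket, ip), recs in groups.items():
        start, bytes_in_window = 0, 0
        for end, rec in enumerate(recs):
            bytes_in_window += rec["bytes_sent"]
            while rec["time"] - recs[start]["time"] > window:   # slide the window
                bytes_in_window -= recs[start]["bytes_sent"]
                start += 1
            count = end - start + 1
            if count > max_requests or bytes_in_window > max_bytes:
                alerts.append({"bucket": bucket, "remote_ip": ip, "at": rec["time"],
                               "requests": count, "bytes_sent": bytes_in_window})
                break
    return alerts


def _get_line(ts, ip, key, nbytes):
    """Build a constructed anonymous GET line in the default format (placeholder IDs)."""
    return (f"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be "
            f"DOC-EXAMPLE-BUCKET1 [{ts}] {ip} - REQIDEXAMPLE REST.GET.OBJECT {key} "
            f'"GET /{key} HTTP/1.1" 200 - {nbytes} {nbytes} 40 12 "-" "curl/8.4.0" - '
            f"hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 - "
            f"DOC-EXAMPLE-BUCKET1.s3.us-west-1.amazonaws.com TLSV1.2 - No")


# Constructed sample log: the line from the answer above, six downloads of a
# 50 MB object from one address within two minutes, and one unrelated request.
SAMPLE_LOG = [
    '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DOC-EXAMPLE-BUCKET1 '
    '[06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be '
    '3E57427F3EXAMPLE REST.GET.VERSIONING - "GET /DOC-EXAMPLE-BUCKET1?versioning HTTP/1.1" 200 - 113 - 7 - "-" '
    '"S3Console/0.4" - s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234= SigV4 '
    'ECDHE-RSA-AES128-GCM-SHA256 AuthHeader DOC-EXAMPLE-BUCKET1.s3.us-west-1.amazonaws.com TLSV1.2 '
    'arn:aws:s3:us-west-1:123456789012:accesspoint/example-AP Yes',
] + [
    _get_line(f"06/Feb/2019:00:0{m}:{s:02d} +0000", "198.51.100.7", "big.bin", 50_000_000)
    for m, s in ((1, 0), (1, 20), (1, 40), (2, 0), (2, 20), (2, 40))
] + [_get_line("06/Feb/2019:00:10:00 +0000", "203.0.113.9", "index.html", 2048)]


if __name__ == "__main__":
    # Low thresholds so the constructed burst trips the check.
    for alert in find_bursts(SAMPLE_LOG, max_requests=5, max_bytes=1_000_000_000):
        print(f"{alert['at']:%H:%M:%S} {alert['bucket']} {alert['remote_ip']}: "
              f"{alert['requests']} requests, {alert['bytes_sent']} bytes in window")
```

Keep in mind the limitation the question already states: server access logs are delivered on a best-effort basis and typically hours late, so this is an after-the-fact check, not a tripwire. For something closer to real time, point the same logic at S3 request metrics in CloudWatch (or CloudTrail data events, which carry per-request records) and alarm on those.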
  2. As mentioned in a previous answer, S3 Server Access Logging will allow this data to be captured. To add to this, if your bucket is public the best practice would be to front the S3 bucket with CloudFront, create an OAI to only allow access to this bucket via CloudFront and put a WAF in front of your CloudFront distribution. The WAF is more real-time and has intelligent rules that can help thwart a Denial of Wallet attack.

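The bucket-policy side of the answer above, as an added example of mine (not the original poster's code or any AWS sample): the weak setting is an Allow statement for `Principal: "*"`, which lets an attacker pull objects directly from S3 and skip CloudFront and the WAF entirely; the corrected policy grants `s3:GetObject` only to the CloudFront origin access identity, and a small check confirms the public statement is gone. Bucket name and OAI ID are placeholders. AWS now recommends origin access control (OAC) over the legacy OAI; with OAC the principal becomes the `cloudfront.amazonaws.com` service with an `aws:SourceArn` condition naming the distribution, but the audit check is the same.

```python
import json

# Constructed weak policy: anonymous read on every object (placeholder bucket).
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*",
    }],
}


def oai_only_policy(bucket, oai_id):
    """Corrected policy: only the CloudFront origin access identity may read,
    so every request must come through the distribution (and the WAF in front
    of it). `oai_id` is the identity's ID, e.g. E1EXAMPLE (placeholder)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
            },
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def public_read_statements(policy):
    """Return the Sids of Allow statements that let anyone (Principal "*") read
    objects. Statements carrying a Condition are skipped: they may still be
    public, so a real audit must inspect the condition keys rather than rely on
    this shortcut."""
    hits = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in actions):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    fixed = oai_only_policy("DOC-EXAMPLE-BUCKET1", "E1EXAMPLE")
    print("public statements before:", public_read_statements(PUBLIC_POLICY))
    print("public statements after: ", public_read_statements(fixed))
    print(json.dumps(fixed, indent=2))   # paste into the bucket policy editor
```

Tightening the policy only helps if S3 Block Public Access is also on for the bucket (otherwise an object ACL can reopen the door) and the CloudFront origin is configured to use that identity. The WAF rate-based rule the answer mentions is then the real-time control: it sees every request because the bucket no longer answers anyone else.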