74 changes: 74 additions & 0 deletions docs/security/cloudtrail-s3-admin-audit.md
@@ -0,0 +1,74 @@
# CloudTrail S3 Admin Event Audit

Issue #55 asks for a CloudTrail review of service users that should not be able to change S3 bucket controls. This helper keeps that review offline: maintainers export CloudTrail JSON privately, run the script locally, and share only the redacted summary.

The script focuses on high-risk bucket administration events, including lifecycle, CORS, policy, replication, logging, public access block, ACL, ownership, versioning, and website configuration changes.

## Usage

Run against one CloudTrail JSON file:

```bash
node tools/audit-cloudtrail-s3-admin-events.mjs cloudtrail-export.json
```

Run against a directory of JSON exports and write CSV:

```bash
node tools/audit-cloudtrail-s3-admin-events.mjs ./cloudtrail-exports \
--format csv \
--out cloudtrail-s3-admin-events.csv
```

By default the audit filters to:

- buckets beginning with `studenthub-`
- IAM users `railway-s3-access`, `n8n-s3-access`, and `mediaconverter`

Useful options:

```bash
# Include every bucket in the export.
node tools/audit-cloudtrail-s3-admin-events.mjs ./cloudtrail-exports --all-buckets

# Include every actor in the export.
node tools/audit-cloudtrail-s3-admin-events.mjs ./cloudtrail-exports --all-users

# Audit an additional bucket prefix or user.
node tools/audit-cloudtrail-s3-admin-events.mjs ./cloudtrail-exports \
--bucket-prefix studenthub- \
--bucket-prefix plugn- \
--user railway-s3-access \
--user n8n-s3-access
```

## Supported Exports

The helper accepts:

- CloudTrail `Records` arrays
- raw arrays of event records
- single CloudTrail event objects
- Event History records containing a stringified `CloudTrailEvent`

It walks directories recursively and reads `.json` files only.

## Privacy Boundary

Do not commit raw CloudTrail exports. They can contain source IPs, user agents, resource names, and account metadata.

The report intentionally prints only the last four characters of any `accessKeyId`. It never needs full AWS access keys, secret keys, private candidate data, bucket object contents, or live AWS credentials.

## Verification

The repository includes a synthetic fixture with no real account data:

```bash
node tools/check-cloudtrail-s3-admin-audit.mjs
```

Expected output:

```text
CloudTrail S3 admin audit check passed.
```
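Review bot: the event list in the intro paragraph ("lifecycle, CORS, policy, replication, logging, public access block, ACL, ownership, versioning, and website configuration changes") leaves out several bucket-control events that belong in the same high-risk category, namely `PutBucketEncryption` / `DeleteBucketEncryption`, `PutBucketObjectLockConfiguration`, and `DeleteBucket` itself; either document that the script covers them or state explicitly that they are out of scope, so a maintainer reading only this page knows what the audit will not surface. Two smaller documentation gaps in the same file: the "Supported Exports" section says it "reads `.json` files only", but CloudTrail log files delivered to an S3 bucket arrive gzip-compressed as `.json.gz`, so a one-line note that those must be decompressed before the directory is scanned would save confusion; and the "By default the audit filters to" list names IAM users, but the `--user` option does not say which `userIdentity` field it matches (for example `userName` versus the ARN or an assumed-role session name), which matters for a service principal such as `mediaconverter`. Finally, "Privacy Boundary" only mentions redaction of `accessKeyId`, while the intro says maintainers share "only the redacted summary"; please state whether the CSV written by `--out` still carries source IPs, user agents and full principal ARNs so it can be handled accordingly (and consider listing the output file in `.gitignore`).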