Introduction
Dell EMC ECS (Elastic Cloud Storage) provides enterprise-grade S3-compatible object storage. However, native auditing and visibility into S3 bucket activity are often limited. To solve this, we developed a custom security auditing tool that collects, parses, and visualizes S3 bucket activity logs from ECS using Elasticsearch and Kibana.
The Challenge
- ECS did not offer out-of-the-box, user-friendly dashboards for S3 access auditing
- Security teams had limited insight into:
  - Who accessed what bucket and when
  - Suspicious patterns like anonymous access, failed actions, or data exfiltration
- Compliance and governance teams needed real-time visibility and historical reports
- Logs were available but in raw, unstructured formats, difficult to search or correlate
The Solution
⚙️ Data Ingestion & Processing
- Developed a lightweight log shipper to pull ECS audit logs via syslog or API
- Parsed logs using Logstash pipelines, transforming ECS audit data into structured Elasticsearch documents
- Fields extracted: bucket name, object key, operation (GET, PUT, DELETE), requester IP, user agent, auth status, timestamp
📊 Kibana-Based Dashboards
Built a set of security-focused dashboards, including:
- Access Overview
  - Top accessed buckets and objects
  - Request volume trends by user and IP
- Anomaly Detection
  - Frequent failed GET/PUT requests
  - Activity outside business hours
  - Access from blacklisted regions/IPs
- Compliance Metrics
  - Tracking of public/anonymous access
  - Logs for all write/delete operations
  - SLA dashboards for retention and access history
- Geo-IP Visualization
  - Mapped external access by location using ECS log IPs and MaxMind GeoLite2
- Alerting
  - Integrated ElastAlert rules for:
    - Excessive deletes
    - Suspicious access spikes
    - Unusual object patterns
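An added example, not code from the project described here, showing the two steps the Data Ingestion and Anomaly Detection sections describe: turning raw audit lines into structured documents with the listed fields, then applying the failed GET/PUT, off-hours, excessive-delete and anonymous-access rules to them. The key=value line layout, the sample lines and the thresholds are assumptions; the page does not show the real ECS audit record format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in an assumed key=value syslog style. The real ECS
# audit record layout is not shown on the page and will differ.
SAMPLE_LOGS = """\
2024-03-04T02:10:05Z ecs-node1 s3audit: bucket=finance key=q1.xlsx op=GET ip=203.0.113.9 ua=aws-cli/2.15 auth=FAIL
2024-03-04T02:10:06Z ecs-node1 s3audit: bucket=finance key=q1.xlsx op=GET ip=203.0.113.9 ua=aws-cli/2.15 auth=FAIL
2024-03-04T02:10:07Z ecs-node1 s3audit: bucket=finance key=q2.xlsx op=GET ip=203.0.113.9 ua=aws-cli/2.15 auth=FAIL
2024-03-04T09:15:00Z ecs-node2 s3audit: bucket=backups key=db1.tar op=DELETE ip=10.0.0.5 ua=rclone/1.65 auth=OK
2024-03-04T09:15:01Z ecs-node2 s3audit: bucket=backups key=db2.tar op=DELETE ip=10.0.0.5 ua=rclone/1.65 auth=OK
2024-03-04T09:15:02Z ecs-node2 s3audit: bucket=backups key=db3.tar op=DELETE ip=10.0.0.5 ua=rclone/1.65 auth=OK
2024-03-04T14:00:00Z ecs-node1 s3audit: bucket=public key=logo.png op=GET ip=198.51.100.7 ua=Mozilla/5.0 auth=ANON
"""

# One named group per field the pipeline extracts (bucket, key, operation, IP, UA, auth status, timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) s3audit: bucket=(?P<bucket>\S+) key=(?P<key>\S+) "
    r"op=(?P<op>\S+) ip=(?P<ip>\S+) ua=(?P<ua>\S+) auth=(?P<auth>\S+)$"
)

def parse_line(line):
    """Turn one raw line into the structured document to index; None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    doc = m.groupdict()
    doc["ts"] = datetime.strptime(doc["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return doc

def parse_logs(text):
    """Parse every line, silently dropping lines that do not match the assumed format."""
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]

def detect(docs, fail_threshold=3, delete_threshold=3, business_hours=(8, 18)):
    """Apply the dashboard's anomaly rules; returns rule name -> sorted list of offending values."""
    failed = Counter(d["ip"] for d in docs if d["op"] in ("GET", "PUT") and d["auth"] == "FAIL")
    deletes = Counter(d["ip"] for d in docs if d["op"] == "DELETE")
    start, end = business_hours  # assumed window, in the timestamp's own timezone (UTC here)
    return {
        "failed_get_put": sorted(ip for ip, n in failed.items() if n >= fail_threshold),
        "excessive_deletes": sorted(ip for ip, n in deletes.items() if n >= delete_threshold),
        "off_hours_access": sorted({d["ip"] for d in docs if not start <= d["ts"].hour < end}),
        "anonymous_access": sorted({d["bucket"] for d in docs if d["auth"] == "ANON"}),
    }
```

In the deployed pipeline these rules live in Logstash and ElastAlert rather than in Python; the functions here only make the field extraction and the threshold logic concrete.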
Results
| Area | Before | After |
|---|---|---|
| Audit Visibility | Raw logs only | Real-time dashboards & alerts |
| Anomaly Detection | Manual | Automated with thresholds & trends |
| Data Accessibility | Complex & slow | Fast, full-text search in Kibana |
| Compliance Reporting | Difficult to generate | Pre-built, exportable reports |
| SOC Integration | None | Integrated into existing SIEM flows |
Conclusion
This project delivered a powerful, custom security auditing layer on top of Dell EMC ECS, using the Elastic Stack. The solution enables:
- Real-time monitoring of S3 bucket activity
- Detection of misuse or unauthorized access
- Historical analysis for compliance and forensics
Organizations using ECS can now achieve the same level of observability and threat detection as in modern S3-compatible cloud environments – with full control, no vendor lock-in, and seamless integration with existing SOC tools.