
AWS CloudTrail insecure buckets



Risk level: High (act today)

Check for any AWS CloudTrail logging buckets that are publicly accessible, in order to determine if your AWS account could be at risk.

This rule resolution is part of the Cloud Conformity Security Package

An overly permissive ACL on the S3 bucket that stores your CloudTrail logs exposes your account's audit trail to anyone on the internet. Public READ access hands an attacker reconnaissance data (account IDs, IAM principal names, API calls, resource identifiers); public WRITE or WRITE_ACP access lets them alter or delete the log files, or rewrite the ACL itself, destroying the evidence needed to detect and investigate a compromise.

Audit

To determine if your CloudTrail logging buckets are publicly accessible, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under the S3 section, note the name of the S3 bucket used to store log data.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07 Select the S3 bucket used by the CloudTrail trail, then click the Properties tab from the right panel.

08 In the Properties panel, click the Permissions tab and search for any grantee group with the name "Everyone". The "Everyone" grantee is the S3 predefined group that grants anonymous access. If this grantee has one or more permissions enabled, the selected S3 bucket is publicly accessible and must be treated as insecure. Treat a grant to the "Any Authenticated AWS User" group the same way: it covers every AWS account, not just yours. Finally, open the bucket policy from the same panel and look for Allow statements whose Principal is "*"; such a statement makes the bucket public even when the ACL is clean.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region:

aws cloudtrail describe-trails

02 The command output should expose the name of each S3 bucket used for logging by AWS CloudTrail:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03 Run the get-bucket-acl command (OSX/Linux/UNIX) to list the grantees and permissions on the selected S3 bucket:

aws s3api get-bucket-acl --bucket cloudtrail-global-logging

04 The command output lists the bucket's grantees and their permissions. If a grant's grantee URI is http://acs.amazonaws.com/groups/global/AllUsers and it carries one or more permissions (READ, WRITE, READ_ACP, WRITE_ACP or FULL_CONTROL), the selected bucket is publicly accessible and insecure. Grants to http://acs.amazonaws.com/groups/global/AuthenticatedUsers should be treated the same way, since that group is every AWS account, not only yours. A clean ACL is not sufficient on its own: also run aws s3api get-bucket-policy --bucket cloudtrail-global-logging and check the returned policy for Allow statements whose Principal is "*".

{
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "WRITE"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ_ACP"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "WRITE_ACP"
        }
    ]
}
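The audit above is a manual inspection of the get-bucket-acl output. The following script, added here as an example and not part of the Cloud Conformity page or of the AWS CLI, automates that inspection over the JSON the CLI prints, also covers the AuthenticatedUsers group and the bucket policy check, and runs offline against constructed sample documents. The file name audit_bucket.py, the sample owner ID and the sample policy statements are assumptions.

```python
"""Audit the JSON that `aws s3api get-bucket-acl` / `get-bucket-policy` print for public access.

Added example; not code from the Cloud Conformity page or from AWS.  Runs offline
against the constructed samples below, or against live CLI output on stdin:
    aws s3api get-bucket-acl    --bucket cloudtrail-global-logging | python3 audit_bucket.py
    aws s3api get-bucket-policy --bucket cloudtrail-global-logging | python3 audit_bucket.py
"""
import json
import sys

# Predefined groups that open a bucket to anyone (AllUsers) or to every AWS account
# (AuthenticatedUsers); the second is public for all practical purposes.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Any AWS account",
}
# What each ACL permission lets a public grantee do to a CloudTrail log bucket.
PERMISSION_IMPACT = {
    "READ": "list and download the log files",
    "WRITE": "create, overwrite or delete log files (audit trail tampering)",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL (take over access control)",
    "FULL_CONTROL": "all of the above",
}


def public_grants(acl):
    """Return (group label, permission, impact) for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUP_URIS:
            continue
        perm = grant.get("Permission", "")
        findings.append((PUBLIC_GROUP_URIS[grantee["URI"]], perm, PERMISSION_IMPACT.get(perm, "unknown")))
    return findings


def wildcard_principal_statements(policy):
    """Return (Sid, has_condition) for Allow statements whose Principal is the wildcard.

    A clean ACL is not enough: a policy that allows "*" makes the bucket public regardless
    of the ACL.  Conditional statements are reported too; whether the Condition really
    restricts access needs manual review.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written without the list
        statements = [statements]
    hits = []
    for index, stmt in enumerate(statements):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        if stmt.get("Effect") == "Allow" and (
            principal == "*" or aws == "*" or (isinstance(aws, list) and "*" in aws)
        ):
            hits.append((stmt.get("Sid", "statement[%d]" % index), "Condition" in stmt))
    return hits


def audit(doc):
    """Dispatch on document shape and return human-readable findings."""
    if isinstance(doc.get("Policy"), str):  # get-bucket-policy wraps the policy as a string
        doc = json.loads(doc["Policy"])
    if "Grants" in doc:
        return ["ACL grants %s to %s: %s" % (p, who, why) for who, p, why in public_grants(doc)]
    if "Statement" in doc:
        return ["policy statement %s allows Principal * (%s)" % (sid, "conditional, review" if c else "unconditional")
                for sid, c in wildcard_principal_statements(doc)]
    raise ValueError("input is neither a bucket ACL nor a bucket policy")


# Constructed sample ACL: the public grants shown on this page plus the LogDelivery grant
# that S3 server access logging adds, which is legitimate and must not be flagged.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"},
    ],
}
# Constructed sample policy: the two statements CloudTrail delivery needs, plus a
# public-read statement of the kind that leaks logs even when the ACL is private.
BUCKET_ARN = "arn:aws:s3:::cloudtrail-global-logging"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": BUCKET_ARN},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/AWSLogs/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
]}

if __name__ == "__main__":
    docs = [json.load(sys.stdin)] if not sys.stdin.isatty() else [SAMPLE_ACL, SAMPLE_POLICY]
    for doc in docs:
        for line in audit(doc) or ["no public access found"]:
            print(line)
```

The CloudTrail service statements in the sample policy are not flagged because their Principal is the cloudtrail.amazonaws.com service, not the wildcard; only the constructed PublicRead statement is. A Deny statement with Principal "*" is likewise ignored, since it restricts rather than grants access.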

Remediation / Resolution

To remove public access to your CloudTrail logging bucket, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under the S3 section, note the name of the S3 bucket used to store log data.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07 Select the S3 bucket used by the CloudTrail trail, then click the Properties tab from the right panel.

08 In the Properties panel, click the Permissions tab and search for any grantee group with the name "Everyone".

09 Uncheck all the permissions granted to the "Everyone" predefined group, or delete the group using the x button from the right. Do the same for any grant to the "Any Authenticated AWS User" group.

10 Click Save to save the new ACL (Access Control List) configuration. This removes all public access granted through the bucket ACL; public access granted by a bucket policy must be removed by editing the policy itself.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region:

aws cloudtrail describe-trails

02 The command output should expose the name of each S3 bucket used for logging data in CloudTrail:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03 Run the put-bucket-acl command (OSX/Linux/UNIX) with the private canned ACL to remove all public access granted to the selected S3 bucket. A canned ACL replaces the entire ACL with a single FULL_CONTROL grant to the bucket owner: CloudTrail log delivery is unaffected, because it relies on the bucket policy rather than the ACL, but any other ACL grants the bucket carried (for example the S3 LogDelivery group used by server access logging) are removed and must be re-added if they are still needed:

aws s3api put-bucket-acl --bucket cloudtrail-global-logging --acl private

04 Run get-bucket-acl again to confirm that the bucket owner is now the only grantee:

aws s3api get-bucket-acl --bucket cloudtrail-global-logging
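The canned private ACL is the quickest fix, but it replaces the whole ACL. Where the bucket carries other legitimate ACL grants, the following script, added here as an example and not part of the Cloud Conformity page or of the AWS CLI, strips only the public group grants from the get-bucket-acl output and emits an access control policy document for put-bucket-acl --access-control-policy. The file name fix_acl.py, the sample owner ID and the sample LogDelivery grant are assumptions.

```python
"""Rewrite an S3 bucket ACL without its public grants, keeping every other grant.

Added example; not code from the Cloud Conformity page or from AWS.  Runs offline
against the constructed sample ACL below, or against live CLI output:
    aws s3api get-bucket-acl --bucket cloudtrail-global-logging > acl.json
    python3 fix_acl.py < acl.json > acl-fixed.json
    aws s3api put-bucket-acl --bucket cloudtrail-global-logging \
        --access-control-policy file://acl-fixed.json
    aws s3api get-bucket-acl --bucket cloudtrail-global-logging   # verify
"""
import json
import sys

# Grants to these predefined groups are public (AllUsers) or open to every AWS account
# (AuthenticatedUsers); both are removed.
PUBLIC_GROUP_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)


def is_public_grant(grant):
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS


def removed_grants(acl):
    """(group URI, permission) pairs that sanitize_acl strips; useful as a dry-run summary."""
    return [(g["Grantee"]["URI"], g.get("Permission")) for g in acl.get("Grants", []) if is_public_grant(g)]


def sanitize_acl(acl):
    """Return an AccessControlPolicy with public grants removed and owner access guaranteed."""
    owner = acl.get("Owner") or {}
    if "ID" not in owner:
        # put-bucket-acl requires the owner in the policy document; refuse rather than guess.
        raise ValueError("ACL has no Owner.ID")
    grants = [g for g in acl.get("Grants", []) if not is_public_grant(g)]
    # Never emit an ACL that locks the owner out of their own log bucket.
    owner_full_control = any(
        g["Grantee"].get("Type") == "CanonicalUser"
        and g["Grantee"].get("ID") == owner["ID"]
        and g.get("Permission") == "FULL_CONTROL"
        for g in grants
    )
    if not owner_full_control:
        grants.insert(0, {"Grantee": {"Type": "CanonicalUser", "ID": owner["ID"]}, "Permission": "FULL_CONTROL"})
    return {"Owner": owner, "Grants": grants}


# Constructed sample: the public grants from this page, plus the owner grant and a
# LogDelivery grant (S3 server access logging) that must survive the rewrite.
OWNER_ID = "0" * 64  # placeholder canonical user ID, not a real account
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "example-owner", "ID": OWNER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE_ACP"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    acl = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ACL
    for uri, perm in removed_grants(acl):
        print("removing %s for %s" % (perm, uri), file=sys.stderr)
    json.dump(sanitize_acl(acl), sys.stdout, indent=4)
    print()
```

The change summary goes to stderr so that stdout stays a clean JSON document for the file:// argument. Review that summary before applying the new ACL, and re-run get-bucket-acl afterwards to confirm the result.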


Publication date Apr 16, 2016