
Enable access logging for AWS CloudTrail buckets

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14-day evaluation and check your compliance level for free!
Security

Risk level: Medium (should be achieved)

Ensure that any S3 bucket used by AWS CloudTrail has the Server Access Logging feature enabled, in order to track requests made to the bucket; this is necessary for security audits.

This rule resolution is part of the Cloud Conformity Security Package

Since CloudTrail buckets contain sensitive information, they should be protected from unauthorized viewing. With S3 Server Access Logging enabled for your CloudTrail buckets you can track any request made to access the buckets, and you can also limit who can alter or delete the access logs, preventing a user from covering their tracks.

Audit

To determine if your CloudTrail buckets have server access logging enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under the Name column, select the trail name that you need to examine.

05 Under the S3 section, check the name of the S3 bucket used to store log data.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07 Select the S3 bucket used for CloudTrail logging, then click the Properties tab from the right panel.

08 In the Properties panel, click the Logging tab and check whether the Enabled checkbox is selected.

If the checkbox is not selected, server access logging is not enabled for the selected CloudTrail bucket.

Using AWS CLI

01 Run the describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region:

aws cloudtrail describe-trails

02 The command output should expose the name of each S3 bucket used for logging by the AWS CloudTrail service:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03 Run the get-bucket-logging command (OSX/Linux/UNIX) to return the logging status for the selected CloudTrail bucket:

aws s3api get-bucket-logging \
	--bucket cloudtrail-global-logging

If the command returns no output, server access logging is not currently enabled for the bucket.

Remediation / Resolution

To enable Server Access Logging for your CloudTrail bucket, you must be the bucket owner. To turn on this feature, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under the Name column, select the trail name that you need to examine.

05 Under the S3 section, check the name of the S3 bucket used to store log data.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07 Select the S3 bucket used for CloudTrail logging, then click the Properties tab from the right panel.

08 In the Properties panel, click the Logging tab and set up access logging for the selected bucket:

  1. Select Enabled checkbox to enable the feature.
  2. In the Target Bucket field enter the name for the bucket that will store the access logs. You can use the selected bucket or create a new S3 bucket for these logs.
  3. In the Target Prefix field enter a name for the subdirectory where the access logs will be stored – useful to manage your logs.

09 Review the configuration details and click Save.

AWS will automatically add the necessary grantee (Log Delivery) and its permissions to the S3 bucket.

Using AWS CLI

01 Run the describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region:

aws cloudtrail describe-trails

02 The command output should expose the name of each S3 bucket used for logging by the AWS CloudTrail service:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03 Run the put-bucket-acl command (OSX/Linux/UNIX) to set the necessary S3 bucket permissions using access control lists (ACL):

aws s3api put-bucket-acl --bucket cloudtrail-global-logging \
	--grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \
	--grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

04 Create a new bucket logging configuration document called access-logging.json that specifies the target bucket and prefix for the access logs, together with the permissions granted to the log delivery group:

{
  "LoggingEnabled": {
    "TargetBucket": "cloudtrail-global-logging",
    "TargetPrefix": "access-logs/",
    "TargetGrants": [
      {
        "Grantee": {
          "Type": "Group",
          "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
        },
        "Permission": "WRITE"
      },
      {
        "Grantee": {
          "Type": "Group",
          "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
        },
        "Permission": "READ_ACP"
      }
    ]
  }
}

05 Run the put-bucket-logging command (OSX/Linux/UNIX) to turn on server access logging and set up the necessary permissions for the log delivery system, using the configuration document created earlier (access-logging.json):

aws s3api put-bucket-logging \
	--bucket cloudtrail-global-logging \
	--bucket-logging-status file://access-logging.json
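As an added example that is not part of the original page or Cloud Conformity's own tooling, the following Python applies the audit logic from the CLI section above (trail buckets from describe-trails, empty get-bucket-logging output meaning "disabled") to constructed sample command outputs, and builds the same access-logging.json document used in the remediation steps; all sample JSON is constructed, not captured from a real account.

```python
import json
from typing import Dict, List

LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"


def trail_buckets(describe_trails_output: str) -> List[str]:
    """Unique S3 bucket names from `aws cloudtrail describe-trails` JSON output."""
    trails = json.loads(describe_trails_output).get("trailList", [])
    return sorted({t["S3BucketName"] for t in trails if t.get("S3BucketName")})


def access_logging_enabled(get_bucket_logging_output: str) -> bool:
    """`aws s3api get-bucket-logging` prints nothing when logging is off."""
    if not get_bucket_logging_output.strip():
        return False
    return "LoggingEnabled" in json.loads(get_bucket_logging_output)


def audit(describe_trails_output: str, logging_outputs: Dict[str, str]) -> List[str]:
    """Return the CloudTrail buckets that do NOT have server access logging."""
    return [b for b in trail_buckets(describe_trails_output)
            if not access_logging_enabled(logging_outputs.get(b, ""))]


def logging_status_document(target_bucket: str, target_prefix: str) -> dict:
    """Build the --bucket-logging-status document with the LogDelivery grants."""
    grants = [{"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI}, "Permission": p}
              for p in ("WRITE", "READ_ACP")]
    return {"LoggingEnabled": {"TargetBucket": target_bucket,
                               "TargetPrefix": target_prefix,
                               "TargetGrants": grants}}


# Constructed sample outputs (not captured from a real account).
SAMPLE_DESCRIBE_TRAILS = json.dumps({"trailList": [
    {"Name": "MyCloudTrail", "S3BucketName": "cloudtrail-global-logging"},
    {"Name": "OrgTrail", "S3BucketName": "cloudtrail-org-logging"},
    {"Name": "DupTrail", "S3BucketName": "cloudtrail-global-logging"}]})
SAMPLE_LOGGING_OUTPUTS = {
    "cloudtrail-org-logging": json.dumps({"LoggingEnabled": {
        "TargetBucket": "audit-logs", "TargetPrefix": "access-logs/"}}),
    "cloudtrail-global-logging": "",  # empty output: logging disabled
}

if __name__ == "__main__":
    for bucket in audit(SAMPLE_DESCRIBE_TRAILS, SAMPLE_LOGGING_OUTPUTS):
        print(f"NON-COMPLIANT: {bucket}")
        print(json.dumps(logging_status_document(bucket, "access-logs/"), indent=2))
```

Pipe the real `aws cloudtrail describe-trails` and per-bucket `aws s3api get-bucket-logging` outputs into these functions to reproduce the audit; the document returned by logging_status_document can be written to access-logging.json for step 05.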


Publication date Apr 7, 2016