Ensure that any S3 bucket used by AWS CloudTrail has the Server Access Logging feature enabled in order to track requests to access the bucket. This record is necessary for security audits.
Since CloudTrail buckets contain sensitive information, they should be protected from unauthorized viewing. With S3 Server Access Logging enabled for your CloudTrail buckets, you can track any requests made to access the buckets, and you can limit who can alter or delete the access logs to prevent a user from covering their tracks.
To determine if your CloudTrail buckets have server access logging enabled, perform the following:
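One way to script this check, as an added example that is not part of the original page: the function takes the `trailList` array returned by `aws cloudtrail describe-trails` and a lookup that returns the `aws s3api get-bucket-logging` response for a bucket, then reports a status per trail bucket. The trail and bucket names are constructed sample data, and the WARN case (access logs delivered into the trail bucket itself) is an extra check assumed here, not one the page states.

```python
def audit_trail_buckets(trail_list, get_bucket_logging):
    """Return {bucket: finding} for every S3 bucket referenced by a trail.

    trail_list         -- "trailList" from `aws cloudtrail describe-trails`
    get_bucket_logging -- callable(bucket) returning the response of
                          `aws s3api get-bucket-logging --bucket <bucket>`
    """
    # Several trails can deliver to one bucket, so group trails per bucket.
    trails_by_bucket = {}
    for trail in trail_list:
        bucket = trail.get("S3BucketName")
        if bucket:
            trails_by_bucket.setdefault(bucket, []).append(trail.get("Name", "?"))

    findings = {}
    for bucket, trails in sorted(trails_by_bucket.items()):
        try:
            cfg = get_bucket_logging(bucket).get("LoggingEnabled")
        except Exception as exc:  # e.g. AccessDenied on a bucket you do not own
            findings[bucket] = {"status": "UNKNOWN", "trails": trails, "detail": str(exc)}
            continue
        if not cfg:
            # S3 omits LoggingEnabled entirely when the feature is off.
            status, detail = "FAIL", "server access logging is disabled"
        elif cfg.get("TargetBucket") == bucket:
            # Added check (assumption): logs land in the bucket they describe.
            status, detail = "WARN", "access logs are delivered to the trail bucket itself"
        else:
            status = "PASS"
            detail = "logs to s3://%s/%s" % (cfg["TargetBucket"], cfg.get("TargetPrefix", ""))
        findings[bucket] = {"status": status, "trails": trails, "detail": detail}
    return findings

# Constructed sample data shaped like the real API responses (names are made up).
SAMPLE_TRAILS = [
    {"Name": "org-trail", "S3BucketName": "example-trail-a"},
    {"Name": "dev-trail", "S3BucketName": "example-trail-a"},
    {"Name": "audit-trail", "S3BucketName": "example-trail-b"},
    {"Name": "self-trail", "S3BucketName": "example-trail-c"},
    {"Name": "ext-trail", "S3BucketName": "example-trail-d"},
]
SAMPLE_LOGGING = {
    "example-trail-a": {"LoggingEnabled": {"TargetBucket": "example-access-logs",
                                           "TargetPrefix": "trail-a/"}},
    "example-trail-b": {},  # logging off: no LoggingEnabled key
    "example-trail-c": {"LoggingEnabled": {"TargetBucket": "example-trail-c",
                                           "TargetPrefix": "logs/"}},
}

def sample_lookup(bucket):
    """Stand-in for the S3 call; the missing bucket simulates AccessDenied."""
    if bucket not in SAMPLE_LOGGING:
        raise PermissionError("AccessDenied")
    return SAMPLE_LOGGING[bucket]
```

Against a live account, pass `lambda b: s3.get_bucket_logging(Bucket=b)` with `s3 = boto3.client("s3")` as the lookup, and the `trailList` from `boto3.client("cloudtrail").describe_trails()`.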
To enable Server Access Logging for your CloudTrail bucket, you must be the bucket owner. To turn on this feature, perform the following: