Enable Access Logging for AWS S3 Buckets


Risk level: Medium (should be achieved)

Ensure that AWS S3 Server Access Logging feature is enabled in order to record access requests useful for security audits. By default, server access logging is not enabled for S3 buckets.

This rule resolution is part of the Cloud Conformity Base Auditing Package

With the Server Access Logging feature enabled for your S3 buckets, you can track every request made to access the buckets and use the log data to take measures to protect them against unauthorized access.

Audit

To determine if your S3 buckets have server access logging enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to examine and click the Properties tab from the dashboard top right menu.

04 In the Properties panel, click the Logging tab and check the feature configuration status. If the Enabled checkbox is not selected, the Server Access Logging feature is not currently enabled for the selected S3 bucket.

05 Repeat steps no. 3 and 4 for each S3 bucket that you want to examine, available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all S3 buckets available in your AWS account:

aws s3api list-buckets \
    --query 'Buckets[*].Name'

02 The command output should return an array with the names of all your existing S3 buckets (across all AWS regions):

[
    "webapp-service-media",
    "webapp-service-reports"
]

03 Run get-bucket-logging command (OSX/Linux/UNIX) using the name of the bucket that you want to examine as input parameter in order to expose the access logging status for the selected S3 bucket:

aws s3api get-bucket-logging \
    --bucket webapp-service-reports

If the get-bucket-logging command does not return any output, the access logging feature is not currently enabled for the selected bucket.

04 Repeat step no. 3 for each S3 bucket that you want to examine, available in your AWS account.

Remediation / Resolution

To enable Server Access Logging for an S3 bucket, you must be logged in as the bucket owner. To turn on this feature, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Select the S3 bucket that you want to configure and click the Properties tab from the dashboard top right menu.

04 In the Properties panel, click the Logging tab and set up server access logging for the selected bucket by doing the following:

  1. Check Enabled checkbox to enable the feature.
  2. In the Target Bucket field, enter the name for the bucket that will store the access logs. You can use the same bucket or another S3 bucket dedicated for storing the logs.
  3. In the Target Prefix field enter a unique name for the subdirectory where the server access logs will be stored (useful to manage your logs within the bucket).

05 Review the configuration details and click Save.

The S3 service will automatically add the necessary grantee (e.g. the Log Delivery group) and its default permissions so that the log files can be uploaded to the selected target bucket.

06 Repeat steps no. 3 – 5 to enable access logging for each S3 bucket currently available in your AWS account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) to list all S3 buckets available in your AWS account:

aws s3api list-buckets \
    --query 'Buckets[*].Name'

02 The command output should return an array with the names of all your existing S3 buckets (across all AWS regions):

[
    "webapp-service-media",
    "webapp-service-reports"
]

03 Run put-bucket-acl command (OSX/Linux/UNIX) to set the necessary S3 bucket permissions using Access Control Lists (ACL):

aws s3api put-bucket-acl \
    --bucket webapp-service-reports \
    --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \
    --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

04 Create a logging configuration document that names the target bucket and prefix for the logs and grants the log delivery group the permissions it needs on the target bucket. Create a document with the name server-access-logging.json and paste the following (replace the bucket name and prefix with your own details):

{
  "LoggingEnabled": {
    "TargetBucket": "webapp-service-reports",
    "TargetPrefix": "access-logs/",
    "TargetGrants": [
      {
        "Grantee": {
          "Type": "Group",
          "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
        },
        "Permission": "WRITE"
      },
      {
        "Grantee": {
          "Type": "Group",
          "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
        },
        "Permission": "READ_ACP"
      }
    ]
  }
}

05 Run put-bucket-logging command (OSX/Linux/UNIX) to enable server access logging and set up the necessary permissions for the log delivery system using the policy document created at the previous step (if successful, the command does not return any output):

aws s3api put-bucket-logging \
    --bucket webapp-service-reports \
    --bucket-logging-status file://server-access-logging.json

06 Repeat steps no. 3 – 5 to enable server access logging for each S3 bucket available in your AWS account.
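The CLI audit (steps 01 to 04 above) and the CLI remediation (steps 03 to 05) both repeat per bucket, so they are worth scripting. The script below is an added example, not code from Cloud Conformity; it drives the same aws s3api commands the page uses (list-buckets, get-bucket-logging, put-bucket-acl, put-bucket-logging) through subprocess, and keeps the evaluation logic in a pure function so it can be checked against constructed get-bucket-logging responses. It assumes the AWS CLI is installed and credentials are configured; the bucket names in the docstrings and the dedicated-log-bucket argument are assumptions. Two checks beyond the page are included and labelled as such: a bucket that logs into itself and a missing TargetPrefix are reported as notes.

```python
"""Audit, and optionally remediate, S3 server access logging from the CLI.

Added example (not part of the Cloud Conformity page). It drives the same
`aws s3api` commands the page uses: list-buckets, get-bucket-logging,
put-bucket-acl and put-bucket-logging. Assumptions: the AWS CLI is installed
and credentials are configured. evaluate_logging() is pure so it can be
exercised with constructed responses without touching an account.
"""
import json
import subprocess
import sys
from typing import Optional

# Log delivery group URI used by the page's put-bucket-acl step.
LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"


def aws(*args: str) -> str:
    """Run `aws s3api <args>` and return stdout (empty for commands with no output).
    --output json is forced so the result parses regardless of the CLI profile."""
    completed = subprocess.run(
        ["aws", "s3api", *args, "--output", "json"],
        capture_output=True, text=True, check=True,
    )
    return completed.stdout


def evaluate_logging(bucket: str, get_bucket_logging_output: str) -> dict:
    """Classify one bucket from the raw text that get-bucket-logging printed.

    Audit step 03 on the page: an empty response means the feature is off.
    A response without "LoggingEnabled" is treated the same way.
    """
    finding = {"bucket": bucket, "enabled": False, "target": None,
               "prefix": None, "notes": []}
    text = get_bucket_logging_output.strip()
    config = json.loads(text).get("LoggingEnabled") if text else None
    if not config:
        finding["notes"].append("server access logging is disabled")
        return finding
    finding.update(enabled=True, target=config.get("TargetBucket"),
                   prefix=config.get("TargetPrefix", ""))
    # Practitioner caveats, not from the page: a dedicated log bucket keeps
    # log objects out of the data bucket, and a prefix keeps them organised.
    if finding["target"] == bucket:
        finding["notes"].append("target bucket is the source bucket itself")
    if not finding["prefix"]:
        finding["notes"].append("no TargetPrefix set")
    return finding


def logging_status_document(target_bucket: str, target_prefix: str) -> dict:
    """Build the BucketLoggingStatus document shown in remediation step 04."""
    grantee = {"Type": "Group", "URI": LOG_DELIVERY_URI}
    return {
        "LoggingEnabled": {
            "TargetBucket": target_bucket,
            "TargetPrefix": target_prefix,
            "TargetGrants": [
                {"Grantee": grantee, "Permission": "WRITE"},
                {"Grantee": grantee, "Permission": "READ_ACP"},
            ],
        }
    }


def enable_logging(bucket: str, target_bucket: str, target_prefix: str) -> None:
    """Remediation steps 03 and 05: grant the log delivery group on the target
    bucket, then switch logging on for the source bucket. The document is passed
    inline instead of via file://, which the CLI also accepts."""
    aws("put-bucket-acl", "--bucket", target_bucket,
        "--grant-write", f"URI={LOG_DELIVERY_URI}",
        "--grant-read-acp", f"URI={LOG_DELIVERY_URI}")
    aws("put-bucket-logging", "--bucket", bucket,
        "--bucket-logging-status",
        json.dumps(logging_status_document(target_bucket, target_prefix)))


def audit_account(fix_target: Optional[str] = None) -> list:
    """Audit every bucket; with fix_target set, also remediate non-compliant
    buckets into that log bucket under a per-bucket prefix. The log bucket
    itself is never pointed at itself."""
    names = json.loads(aws("list-buckets", "--query", "Buckets[*].Name"))
    findings = []
    for name in names:
        finding = evaluate_logging(name, aws("get-bucket-logging", "--bucket", name))
        if fix_target and not finding["enabled"] and name != fix_target:
            enable_logging(name, fix_target, f"{name}/")
            finding["notes"].append(f"remediated: logging to {fix_target}/{name}/")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    # Usage: python s3_access_logging.py [dedicated-log-bucket]
    for f in audit_account(sys.argv[1] if len(sys.argv) > 1 else None):
        state = "ENABLED " if f["enabled"] else "DISABLED"
        print(f"{state} {f['bucket']:<40} {'; '.join(f['notes'])}")
```

Run it with no argument for a read-only audit, or pass the name of a dedicated log bucket to remediate every non-compliant bucket the way steps 03 to 05 do. One caveat on the ACL-based grant in step 03: it only succeeds on a target bucket that still accepts ACLs; on a bucket whose Object Ownership is set to "bucket owner enforced", the put-bucket-acl call is rejected and the log delivery permission has to be granted through a bucket policy instead.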

Publication date May 10, 2016