CloudTrail Bucket Publicly Accessible

Risk level: High (not acceptable risk)

Rule ID: CT-003

Check for any AWS CloudTrail logging buckets that are publicly accessible, in order to determine if your AWS account could be at risk.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Using an overly permissive or insecure set of permissions for your CloudTrail logging S3 buckets could provide malicious users access to your AWS account log data which can increase exponentially the risk of unauthorized access.

Audit

To determine if your CloudTrail logging buckets are publicly accessible, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05Under S3 section check for the S3 bucket name:

used to store log data.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07Select the S3 bucket used by the CloudTrail trail, then click the Properties tab from the right panel:

08 In the Properties panel, click the Permissions tab and search for any grantee group with the name "Everyone". The grantee called "Everyone" is the AWS S3 predefined group that grants anonymous access. If this grantee has one or more permissions enabled: , the selected S3 bucket is publicly accessible and rendered as insecure.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region:

aws cloudtrail describe-trails

02 The command output should expose the name of each S3 bucket used for logging by the AWS CloudTrail:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03Run get-bucket-acl command (OSX/Linux/UNIX) to list the selected S3 bucket grantee permissions:

aws s3api get-bucket-acl
	--bucket cloudtrail-global-logging

04The command output should expose the bucket grantee users and groups permissions. If the grantee group URI is “http://acs.amazonaws.com/groups/global/AllUsers” and it has one or more permissions associated (READ, WRITE, READ_ACP, WRITE_ACP), the selected bucket is publicly accessible and insecure.

{

    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "WRITE"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ_ACP"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "WRITE_ACP"
        }
    ]
}

Remediation / Resolution

To remove public access to your CloudTrail logging bucket, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under S3 section check for the S3 bucket name:

used to store log data.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07Select the S3 bucket used by the CloudTrail trail, then click the Properties tab from the right panel:

08 In the Properties panel, click the Permissions tab and search for any grantee group with the name "Everyone".

09 Uncheck all the permissions granted to "Everyone" predefined group:

or delete the group using the x button from the right:

10 Click Save to save the new ACL (Access Control List) configuration. This removes all public access granted to the selected S3 bucket.

Using AWS CLI

01Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region:

aws cloudtrail describe-trails

02The command output should expose the name of each S3 bucket used for logging data in CloudTrail:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03Run put-bucket-acl command (OSX/Linux/UNIX) to remove all public access granted to the selected S3 bucket:

aws s3api put-bucket-acl
	--bucket cloudtrail-global-logging
	--acl private

References

AWS Command Line Interface (CLI) Documentation
get-bucket-acl
describe-trails
put-bucket-acl

Publication date Apr 16, 2016

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

CloudTrail Bucket Publicly Accessible

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudTrail rules