Ensure that any S3 buckets used by AWS CloudTrail have the Server Access Logging feature enabled in order to track requests for accessing the buckets, which is necessary for security audits.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Because CloudTrail buckets contain sensitive information, they should be protected from unauthorized viewing. With S3 Server Access Logging enabled for your CloudTrail buckets, you can track any requests made to access the buckets, and you can limit who can alter or delete the access logs to prevent a user from covering their tracks.
To determine if your CloudTrail buckets have server access logging enabled, perform the following:
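One way to script this audit with boto3, as an added example that is not Cloud Conformity's own procedure or code: it lists the destination bucket of every trail and reads each bucket's logging configuration. The function names are illustrative, and the caller is assumed to hold the `cloudtrail:DescribeTrails` and `s3:GetBucketLogging` permissions.

```python
"""Added example: check S3 server access logging on CloudTrail buckets."""


def audit_cloudtrail_buckets(cloudtrail, s3):
    """Return {bucket_name: finding} for every bucket referenced by a trail.

    `cloudtrail` and `s3` are boto3 clients (or objects with the same methods).
    finding["status"] is "ENABLED", "DISABLED" or "UNKNOWN".
    """
    findings = {}
    # includeShadowTrails=True also returns multi-region and organization
    # trails whose home region differs from the client's region.
    trails = cloudtrail.describe_trails(includeShadowTrails=True)["trailList"]
    for trail in trails:
        bucket = trail.get("S3BucketName")
        if not bucket:
            continue
        entry = findings.setdefault(bucket, {"trails": []})
        entry["trails"].append(trail["Name"])
        if "status" in entry:  # several trails can share one bucket
            continue
        try:
            resp = s3.get_bucket_logging(Bucket=bucket)
        except Exception as exc:
            # For example, the bucket is owned by another account. Report it
            # as unchecked instead of assuming it is compliant.
            entry.update(status="UNKNOWN", detail=str(exc))
            continue
        cfg = resp.get("LoggingEnabled")  # key is absent when logging is off
        if cfg:
            entry.update(status="ENABLED", target=cfg["TargetBucket"],
                         prefix=cfg.get("TargetPrefix", ""))
        else:
            entry.update(status="DISABLED")
    return findings


def noncompliant(findings):
    """Buckets that fail the rule or could not be checked."""
    return sorted(b for b, f in findings.items() if f["status"] != "ENABLED")


if __name__ == "__main__":
    import boto3  # imported here so the functions above work without it
    result = audit_cloudtrail_buckets(boto3.client("cloudtrail"),
                                      boto3.client("s3"))
    for name, f in sorted(result.items()):
        print(f"{name}: {f['status']} (trails: {', '.join(f['trails'])})")
    raise SystemExit(1 if noncompliant(result) else 0)
```

Run as a script, it exits non-zero when any CloudTrail bucket has logging disabled or could not be checked, so it can gate a scheduled compliance job.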
To enable Server Access Logging for your CloudTrail bucket, you must be the bucket owner. To turn on this feature, perform the following: