Ensure that every S3 bucket used by AWS CloudTrail has the Server Access Logging feature enabled, so that requests made to the bucket are recorded and available for security audits.
This rule can help you with the following compliance standards:
- The Center for Internet Security (CIS) AWS Foundations Benchmark
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
CloudTrail buckets hold the record of API activity in your account, so they are sensitive both to unauthorized readers and to anyone who would alter or delete trail files to cover their tracks. With S3 Server Access Logging enabled on those buckets, each request made to them (requester, operation, object key and response status) is recorded as a log object in a separate target bucket, so you can reconstruct who accessed or modified the trail files. Because the access logs live in that separate bucket, you can also restrict who is allowed to alter or delete them, which prevents a user from erasing the evidence of their own access. Note that server access logs are delivered on a best-effort basis, so they are an audit aid rather than a guarantee that every request is recorded.
Audit
To determine if your CloudTrail buckets have server access logging enabled, perform the following:
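The following is an added example of the audit check, not Cloud Conformity's own procedure or tooling. It uses the `describe-trails` and `get-bucket-logging` CLI commands listed under References: the live path shells out to the `aws` CLI (credentials and the CLI are assumed to be present), while the evaluation logic runs offline against constructed sample data whose bucket and trail names are placeholders. It handles one detail that trips up scripts: `get-bucket-logging` prints nothing at all when logging is disabled, so empty output must be read as "not enabled" rather than as a parse error.

```python
"""Audit check for the rule above: does every S3 bucket referenced by a
CloudTrail trail have server access logging enabled?

Added example, not Cloud Conformity's own check. The live path shells out to
the `describe-trails` and `get-bucket-logging` commands listed under
References; the sample data at the bottom is constructed to match the shape
of those commands' JSON output (placeholder bucket and trail names).
"""
import json
import subprocess
from typing import Dict, List


def aws_cli_json(args: List[str]) -> dict:
    """Run an `aws` command and parse its JSON output.

    `get-bucket-logging` prints nothing at all when logging is disabled, so
    empty output is treated as {} instead of raising a JSON decode error.
    """
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def evaluate_bucket_logging(bucket: str, logging_config: dict) -> dict:
    """Classify one bucket from its get-bucket-logging response."""
    enabled = logging_config.get("LoggingEnabled")
    if not enabled:
        return {"bucket": bucket, "status": "NON_COMPLIANT",
                "reason": "server access logging is disabled"}
    finding = {"bucket": bucket, "target": enabled.get("TargetBucket"),
               "prefix": enabled.get("TargetPrefix", "")}
    if finding["target"] == bucket:
        # Logging a bucket into itself is allowed by S3, but each delivered
        # log object produces a further log record; flag it for review.
        finding.update(status="REVIEW",
                       reason="access logs are delivered into the bucket itself")
    else:
        finding["status"] = "COMPLIANT"
    return finding


def audit_trails(trails: List[dict], logging_by_bucket: Dict[str, dict]) -> List[dict]:
    """One finding per distinct trail bucket; several trails may share one."""
    buckets = sorted({t["S3BucketName"] for t in trails if t.get("S3BucketName")})
    findings = []
    for bucket in buckets:
        finding = evaluate_bucket_logging(bucket, logging_by_bucket.get(bucket, {}))
        finding["trails"] = sorted(t["Name"] for t in trails
                                   if t.get("S3BucketName") == bucket)
        findings.append(finding)
    return findings


def audit_live_account() -> List[dict]:
    """Same logic against the real account (needs credentials and the aws CLI)."""
    trails = aws_cli_json(["cloudtrail", "describe-trails"])["trailList"]
    buckets = {t["S3BucketName"] for t in trails if t.get("S3BucketName")}
    configs = {b: aws_cli_json(["s3api", "get-bucket-logging", "--bucket", b])
               for b in buckets}
    return audit_trails(trails, configs)


# Constructed sample data (placeholder names), shaped like the CLI output.
SAMPLE_TRAILS = [
    {"Name": "management-events", "S3BucketName": "example-cloudtrail-logs",
     "IsMultiRegionTrail": True, "HomeRegion": "us-east-1"},
    {"Name": "data-events", "S3BucketName": "example-cloudtrail-logs",
     "IsMultiRegionTrail": False, "HomeRegion": "us-east-1"},
    {"Name": "legacy-trail", "S3BucketName": "example-legacy-trail",
     "IsMultiRegionTrail": False, "HomeRegion": "eu-west-1"},
]
SAMPLE_LOGGING = {
    "example-cloudtrail-logs": {"LoggingEnabled": {
        "TargetBucket": "example-s3-access-logs",
        "TargetPrefix": "cloudtrail-bucket/"}},
    "example-legacy-trail": {},  # what an empty get-bucket-logging reply parses to
}

if __name__ == "__main__":
    for finding in audit_trails(SAMPLE_TRAILS, SAMPLE_LOGGING):
        print(json.dumps(finding))
```

Run as-is it evaluates the constructed sample (one compliant bucket shared by two trails, one non-compliant bucket); call `audit_live_account()` to run the same evaluation against your own trails. Findings are keyed by bucket rather than by trail because the setting belongs to the bucket, and a single misconfigured bucket can affect several trails at once.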
Remediation / Resolution
To enable Server Access Logging for your CloudTrail bucket, you must be the bucket owner. To turn on this feature, perform the following:
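The following is an added example of the remediation, not the page's own step-by-step procedure. It assembles the `put-bucket-acl` and `put-bucket-logging` CLI commands listed under References; bucket names, the prefix and the account ID are placeholders, and the commands are only executed from `main()`. Two caveats a practitioner should know are built in: the target bucket must be a different bucket in the same region and account as the CloudTrail bucket, and granting the S3 Log Delivery group with individual `--grant-*` flags replaces the whole ACL, so the `log-delivery-write` canned ACL is used instead. For target buckets that have ACLs disabled, the block also produces the equivalent bucket policy for the `logging.s3.amazonaws.com` service principal.

```python
"""Remediation for the rule above: turn on server access logging for a
CloudTrail bucket, delivering the logs to a separate target bucket.

Added example, not the page's own steps. It assembles the `put-bucket-acl`
and `put-bucket-logging` CLI commands listed under References (bucket names
and the account ID are placeholders) and only runs them from main().
"""
import json
import subprocess
from typing import List


def target_bucket_acl_cmd(target_bucket: str) -> List[str]:
    """Allow S3 to deliver logs into the target bucket.

    The `log-delivery-write` canned ACL keeps the owner's FULL_CONTROL and
    adds WRITE + READ_ACP for the S3 Log Delivery group. Passing individual
    --grant-* flags instead would replace the whole ACL, so the owner grant
    would have to be repeated explicitly.
    """
    return ["aws", "s3api", "put-bucket-acl", "--bucket", target_bucket,
            "--acl", "log-delivery-write"]


def logging_status(target_bucket: str, target_prefix: str) -> dict:
    """The BucketLoggingStatus document that put-bucket-logging expects."""
    if target_prefix and not target_prefix.endswith("/"):
        target_prefix += "/"  # keep this bucket's logs under their own folder
    return {"LoggingEnabled": {"TargetBucket": target_bucket,
                               "TargetPrefix": target_prefix}}


def enable_logging_cmd(source_bucket: str, target_bucket: str,
                       target_prefix: str) -> List[str]:
    """put-bucket-logging for the CloudTrail (source) bucket.

    Refuses to log a bucket into itself: S3 allows it, but it defeats the
    purpose of keeping access logs where a trail-tampering user cannot reach
    them, and every log delivery then generates another log record. The
    target bucket must also be in the same region and account as the source.
    """
    if source_bucket == target_bucket:
        raise ValueError("deliver access logs to a separate bucket")
    status = json.dumps(logging_status(target_bucket, target_prefix))
    return ["aws", "s3api", "put-bucket-logging", "--bucket", source_bucket,
            "--bucket-logging-status", status]


def log_delivery_bucket_policy(source_bucket: str, target_bucket: str,
                               target_prefix: str, account_id: str) -> dict:
    """Bucket-policy alternative to the ACL grant, for target buckets with
    ACLs disabled: lets the S3 logging service principal write objects under
    the prefix, scoped to this source bucket and account."""
    prefix = logging_status(target_bucket, target_prefix)["LoggingEnabled"]["TargetPrefix"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {"Service": "logging.s3.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{target_bucket}/{prefix}*",
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


if __name__ == "__main__":
    # Placeholder names; substitute your trail bucket, log bucket and prefix.
    source, target, prefix = "example-cloudtrail-logs", "example-s3-access-logs", "cloudtrail-bucket"
    for cmd in (target_bucket_acl_cmd(target), enable_logging_cmd(source, target, prefix)):
        subprocess.run(cmd, check=True)
    print(json.dumps(log_delivery_bucket_policy(source, target, prefix, "123456789012"), indent=2))
```

After running it, re-check with `aws s3api get-bucket-logging --bucket <source>`: a `LoggingEnabled` element naming the target bucket confirms the setting took effect. Lock the target bucket down separately (bucket policy, MFA delete or Object Lock) so that the people whose access you are logging cannot remove the logs.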
References
- AWS Documentation
- CloudTrail Concepts
- Managing Access Permissions to Your Amazon S3 Resources
- Server Access Logging
- Managing Bucket Logging
- Enabling Logging Using the Console
- AWS Command Line Interface (CLI) Documentation
- describe-trails
- put-bucket-acl
- get-bucket-logging
- put-bucket-logging
Rule: CloudTrail S3 Bucket Logging Enabled
Risk level: Medium