Logo of Trend Micro

CloudTrail S3 Bucket Logging Enabled

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: CT-002

Ensure that any S3 buckets used by AWS CloudTrail have Server Access Logging feature enabled in order to track requests for accessing the buckets and necessary for security audits.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Since CloudTrail buckets contain sensitive information, these should be protected from unauthorized viewing. With S3 Server Access Logging enabled for your CloudTrail buckets you can track any requests made to access the buckets or even limit who can alter or delete the access logs to prevent a user from covering their tracks.

Audit

To determine if your CloudTrail buckets have server access logging enabled, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under S3 section check for the S3 bucket name:

Under S3 section check for the S3 bucket name

used to store log data.

06Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07Select the S3 bucket used for CloudTrail logging, then click the Properties tab from the right panel:

Select the S3 bucket used for CloudTrail logging, then click the Properties tab from the right panel

08In the Properties panel, click the Logging tab and check if the Enabled checkbox is selected or not:

click the Logging tab and check if the Enabled checkbox is selected or not

If the checkbox is not selected the logging feature is not enabled for the selected CloudTrail bucket.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region: 

aws cloudtrail describe-trails

02 The command output should expose the name of each S3 bucket used for logging by the AWS CloudTrail: 

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03 Run get-bucket-logging command (OSX/Linux/UNIX) to return the logging status for the selected CloudTrail bucket: 

aws s3api get-bucket-logging
	--bucket cloudtrail-global-logging

If the command is not returning any output, the bucket access logging is not currently enabled.

Remediation / Resolution

To enable Server Access Logging for your CloudTrail bucket, you must be the bucket owner. To turn on this feature, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under S3 section check for the S3 bucket name:

Under S3 section check for the S3 bucket name

used to store log data.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07 Select the S3 bucket used for CloudTrail logging, then click the Properties tab from the right panel:

Select the S3 bucket used for CloudTrail logging, then click the Properties tab from the right panel

08 In the Properties panel, click the Logging tab and set up access logging for the selected bucket:

  1. Select Enabled checkbox to enable the feature.
  2. In the Target Bucket field enter the name for the bucket that will store the access logs. You can use the selected bucket or create a new S3 bucket for these logs.
  3. In the Target Prefix field enter a name for the subdirectory where the access logs will be stored – useful to manage your logs.

09 Review the configuration details and click Save:

Review the configuration details and click Save

AWS will add automatically the necessary grantee (Log Delivery) and its permissions for the S3 bucket.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region: 

aws cloudtrail describe-trails

02 The command output should expose the name of each S3 bucket used for logging by the AWS CloudTrail service: 

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03 Run put-bucket-acl command (OSX/Linux/UNIX) to set the necessary S3 bucket permissions using access control lists (ACL): 

aws s3api put-bucket-acl --bucket cloudtrail-global-logging
	--grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery
	--grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

04 Create a new policy document called access-logging.json and specify the permissions for who can view and modify the access logging parameters: 

{
  "LoggingEnabled": {
    "TargetBucket": "cloudtrail-global-logging",
    "TargetPrefix": "access-logs/",
    "TargetGrants": [
      {
        "Grantee": {
            "Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
         },
        "Permission": "WRITE"
      },
      {
        "Grantee": {
            "Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
         },
        "Permission": "READ_ACP"
      }
    ]
  }
}

05 Run put-bucket-logging command (OSX/Linux/UNIX) to turn on server access logging and set up the necessary permissions for the log delivery system using the policy document created earlier (access-logging.json): 

aws s3api put-bucket-logging
	--bucket cloudtrail-global-logging
	--bucket-logging-status file://access-logging.json

References

Publication date Apr 7, 2016

Related CloudTrail rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

CloudTrail S3 Bucket Logging Enabled

Risk level: Medium