Trend Micro Cloud One™

Enable Object Lock for CloudTrail S3 Buckets

Risk level: Medium (should be achieved)

Ensure that the Amazon S3 buckets associated with your CloudTrail trails have the Object Lock feature enabled in order to prevent the objects they store (that is, the trail log files) from being deleted and to meet regulatory compliance requirements. Object Lock is an Amazon S3 feature that blocks object version deletion and overwriting during a user-defined retention period, enforcing retention policies as an additional layer of data protection. The feature provides two retention modes which apply different levels of protection to your S3 objects:

Governance mode – this mode protects S3 object versions against deletion by most users while still allowing principals that hold the s3:BypassGovernanceRetention permission (and explicitly request the bypass) to alter the retention settings or delete the object version if it's really required.

Compliance mode – this mode prevents a protected object version from being overwritten or deleted by any user, including the AWS account root user, for the duration of the retention period. Once an object version is locked in Compliance mode, its retention mode cannot be changed and its retention period cannot be shortened.

Security

Using S3 buckets with Object Lock enabled for your Amazon CloudTrail trails helps ensure log data integrity, as the log files stored within these buckets cannot be accidentally or intentionally deleted or overwritten for the retention period, even by an attacker who has obtained credentials with s3:DeleteObject permissions. The S3 Object Lock feature can also help meet regulatory requirements within your organization when it comes to CloudTrail log data protection. Note that Object Lock protects only the delivered log files: it does not prevent a trail from being stopped, deleted or redirected to another bucket, so it should be combined with log file validation and tight IAM controls on the cloudtrail:StopLogging, cloudtrail:DeleteTrail and cloudtrail:UpdateTrail actions.

Audit

To determine if the S3 buckets associated with your CloudTrail trails are using Object Lock feature, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Choose the trail that you want to examine, then click on its identifier, available in the Name column, to access the resource configuration page.

05 In the Storage location section, copy the name of the S3 bucket configured for the selected trail, available as value for the S3 bucket attribute.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07 Paste the name of the S3 bucket copied at step no. 5 in the search bar, then click on the name (link) of the returned bucket, to access the resource configuration details.

08 Select the Properties tab from the S3 dashboard top menu to view the bucket properties.

09 In the Advanced settings section, check the Object Lock feature status. If the configuration status is set to Disabled, the feature is not enabled for the S3 bucket associated with the selected Amazon CloudTrail trail.

10 Repeat step no. 2 – 9 to verify the Object Lock feature status for other Amazon CloudTrail S3 buckets available in your AWS account.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list the names of all Amazon CloudTrail trails available within the selected AWS region:

aws cloudtrail describe-trails
	--region us-east-1
	--output table
	--query 'trailList[*].Name'

02 The command output should return a table with the requested trail names:

-------------------------
|    DescribeTrails     |
+-----------------------+
|   cc-project5-trail   |
|   cc-pipeline-trail   |
+-----------------------+

03 Run the describe-trails command (OSX/Linux/UNIX) again, using the name of the trail that you want to examine as the identifier parameter and custom query filters, to return the name of the S3 bucket used as the target bucket by the selected trail:

aws cloudtrail describe-trails
	--region us-east-1
	--trail-name-list cc-project5-trail
	--query 'trailList[*].S3BucketName'

04 The command output should return the name of the associated S3 bucket:

[
    "cc-project5-trail-logs"
]

05 Run get-object-lock-configuration command (OSX/Linux/UNIX) using the name of the S3 bucket returned at the previous step as identifier and custom query filters to return the Object Lock configuration status for the selected S3 bucket:

aws s3api get-object-lock-configuration
	--bucket cc-project5-trail-logs
	--query 'ObjectLockConfiguration.ObjectLockEnabled'

06 The command output should return the requested information or the "ObjectLockConfigurationNotFoundError" error message if there is no Object Lock configuration defined for the specified bucket, e.g.:

An error occurred (ObjectLockConfigurationNotFoundError) when calling the GetObjectLockConfiguration operation: Object Lock configuration does not exist for this bucket

If the get-object-lock-configuration command output returns the ObjectLockConfigurationNotFoundError error message, as shown in the output example above, the Object Lock feature is not enabled for the S3 bucket associated with the selected Amazon CloudTrail trail. If the command returns "Enabled", also confirm that the configuration contains a Rule with a DefaultRetention mode and period (drop the --query filter to see the full configuration): CloudTrail does not set a retention period on the log files it delivers, so a bucket with Object Lock enabled but no default retention rule leaves the trail log files unprotected.

07 Repeat step no. 3 – 6 to determine the Object Lock configuration status for other Amazon CloudTrail S3 buckets created within your AWS account.
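The CLI steps above check one trail at a time and only look at the ObjectLockEnabled flag. The following script, added here as an example and not part of Cloud Conformity's own checker, automates the audit for every trail returned by DescribeTrails (including multi-region trails whose home region is elsewhere), looks each bucket up once even when trails share it, and distinguishes a bucket that merely has Object Lock enabled from one that has a default retention rule that will actually lock the files CloudTrail uploads. The evaluation logic is pure and is exercised against constructed sample data; audit_account() wires the same logic to boto3, which is assumed to be installed and configured with credentials that can call cloudtrail:DescribeTrails and s3:GetBucketObjectLockConfiguration. The trail and bucket names are placeholders.

```python
"""Audit every CloudTrail trail's S3 bucket for S3 Object Lock default retention.

Added example for this rule page (not Cloud Conformity's own code). The
evaluation logic is pure so it runs offline against constructed data;
audit_account() wires it to boto3, assumed installed and credentialed.
"""
import json
from typing import Callable, Dict, List, Optional

# Status values produced by evaluate_lock_config()
NOT_ENABLED = "NOT_ENABLED"                             # no Object Lock configuration on the bucket
NO_DEFAULT_RETENTION = "ENABLED_NO_DEFAULT_RETENTION"   # enabled, but CloudTrail uploads are not locked
GOVERNANCE = "GOVERNANCE"
COMPLIANCE = "COMPLIANCE"


def evaluate_lock_config(config: Optional[dict]) -> str:
    """Classify the ObjectLockConfiguration element of a GetObjectLockConfiguration response.

    `config` is None when the API raised ObjectLockConfigurationNotFoundError.
    A bucket can have Object Lock enabled without a default retention rule;
    CloudTrail does not set per-object retention, so such a bucket does not
    protect the log files it receives.
    """
    if not config or config.get("ObjectLockEnabled") != "Enabled":
        return NOT_ENABLED
    mode = config.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    if mode == "GOVERNANCE":
        return GOVERNANCE
    if mode == "COMPLIANCE":
        return COMPLIANCE
    return NO_DEFAULT_RETENTION


def audit_trails(trails: List[dict], lock_lookup: Callable[[str], Optional[dict]]) -> List[dict]:
    """Return one finding per trail.

    `trails` is the trailList from DescribeTrails; `lock_lookup(bucket)` returns
    the bucket's ObjectLockConfiguration or None when it has none.
    """
    cache: Dict[str, str] = {}
    findings = []
    for trail in trails:
        bucket = trail.get("S3BucketName")
        if bucket not in cache:
            cache[bucket] = evaluate_lock_config(lock_lookup(bucket))
        status = cache[bucket]
        findings.append({
            "trail": trail["Name"],
            "home_region": trail.get("HomeRegion"),
            "bucket": bucket,
            "object_lock": status,
            "compliant": status in (GOVERNANCE, COMPLIANCE),
        })
    return findings


def audit_account(region: str = "us-east-1") -> List[dict]:
    """Live audit through boto3 (imported lazily so the pure functions work without it)."""
    import boto3
    from botocore.exceptions import ClientError

    cloudtrail = boto3.client("cloudtrail", region_name=region)
    s3 = boto3.client("s3", region_name=region)

    def lock_lookup(bucket: str) -> Optional[dict]:
        try:
            return s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] == "ObjectLockConfigurationNotFoundError":
                return None
            raise

    # includeShadowTrails=True also lists multi-region trails homed in other regions
    trails = cloudtrail.describe_trails(includeShadowTrails=True)["trailList"]
    return audit_trails(trails, lock_lookup)


# Constructed sample data reusing the page's placeholder names (not real API output)
SAMPLE_TRAILS = [
    {"Name": "cc-project5-trail", "HomeRegion": "us-east-1", "S3BucketName": "cc-project5-trail-logs"},
    {"Name": "cc-pipeline-trail", "HomeRegion": "us-east-1", "S3BucketName": "cc-pipeline-trail-logs"},
    {"Name": "cc-audit-trail", "HomeRegion": "us-east-1", "S3BucketName": "cc-protected-trail-logs"},
]
SAMPLE_LOCK_CONFIGS = {
    "cc-project5-trail-logs": None,                                 # ObjectLockConfigurationNotFoundError
    "cc-pipeline-trail-logs": {"ObjectLockEnabled": "Enabled"},     # enabled, no default retention rule
    "cc-protected-trail-logs": {"ObjectLockEnabled": "Enabled",
                                "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}},
}


def sample_audit() -> List[dict]:
    """Run the audit logic against the constructed sample data."""
    return audit_trails(SAMPLE_TRAILS, SAMPLE_LOCK_CONFIGS.get)


if __name__ == "__main__":
    print(json.dumps(sample_audit(), indent=2))
```

In the sample run only cc-audit-trail is reported as compliant; cc-pipeline-trail is flagged even though its bucket has Object Lock enabled, because no default retention rule exists.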

Remediation / Resolution

At the time this rule was published, Object Lock could only be enabled when an S3 bucket was created, so enabling the feature meant re-creating the bucket. (AWS has since added support for enabling Object Lock on an existing bucket that has versioning enabled, via the put-object-lock-configuration command; the re-creation steps below remain valid in either case.) Keep the original bucket and its historical log files until their own retention requirements have expired; only the delivery target of the trail changes. To re-create the S3 buckets associated with your Amazon CloudTrail trails and enable the Object Lock feature in order to help ensure trail data integrity, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

03 Click + Create bucket button to start the setup process.

04 Within Create bucket dialog box, perform the following:

  1. For step 1: Name and region:
    • Provide a name for the new bucket in the Bucket name box.
    • From Region dropdown box, select the AWS region where the new S3 bucket will be created. This must correspond with the home region used by your AWS CloudTrail trail.
    • From Copy settings from an existing bucket dropdown list, select the name of the S3 bucket that you want to re-create (i.e. the one associated with the trail).
    • Click Next to continue the process.
  2. For step 2: Configure options:
    • Under Versioning, select Keep all versions of an object in the same bucket checkbox to enable S3 versioning for the bucket. S3 Object Lock feature requires S3 object versioning.
    • Click the Advanced settings tab to shown the advanced configuration settings.
    • Under Object lock, select Permanently allow objects in this bucket to be locked checkbox to enable S3 Object Lock feature for the new bucket.
    • Click Next.
  3. For step 3: Set permissions, set any required permissions or leave the settings unchanged to reflect the source bucket permissions configuration. Click Next to continue.
  4. For step 4: Review, verify the resource configuration details, then click Create bucket to create the new S3 bucket.

05 Click on the name of the S3 bucket created at the previous step.

06 Select the Properties tab from the S3 dashboard top menu to view bucket properties.

07 In the Advanced settings section, click on the Object Lock box to access the feature configuration panel, where you can define the automatic settings for the objects (log files) that will be uploaded by Amazon CloudTrail.

08 Inside Object Lock box, select one of the following retention modes. These retention modes apply different levels of protection to the objects uploaded to the selected bucket. Select one of the following options based on your requirements:

  1. Select Enable governance mode so that users cannot overwrite or delete an S3 object version or alter its lock settings unless they hold the s3:BypassGovernanceRetention permission and explicitly bypass the lock. In the Retention period box, enter the number of days required to protect an object version. Click Save to apply the changes, then click Confirm to confirm the selected mode.
  2. Select Enable compliance mode so that a protected object version cannot be overwritten or deleted by any user, including the account root user. Once an S3 object version is locked in Compliance mode, its retention mode cannot be changed and its retention period cannot be shortened; the lock expires only when the period specified in the Retention period box has elapsed. Click Save to apply the changes, then click Confirm to confirm the compliance mode.

09 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

10 In the navigation panel, select Trails.

11 Click on the name (link) of the CloudTrail trail that you want to reconfigure (see Audit section part I to identify the right resource) to access the trail configuration page.

12 On the selected trail configuration page, click the Edit icon available next to the Storage location section to reconfigure the target bucket associated with the trail.

13 Choose No next to Create a new S3 bucket, then select the name of the newly created S3 bucket from the S3 bucket dropdown list. (Optional) You can also specify a prefix for the log files in the Log file prefix box.

14 Click Save to apply the changes. Once these changes are applied, Amazon CloudTrail service will begin to deliver trail data to the S3 bucket protected with Object Lock.

15 If required, repeat steps no. 2 – 14 to enable the Object Lock feature for other non-compliant Amazon CloudTrail S3 buckets available in your AWS account.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create the Amazon S3 bucket that will be associated with your CloudTrail trail and enable S3 Object Lock feature by using the --object-lock-enabled-for-bucket command parameter:

aws s3api create-bucket
	--bucket cc-protected-trail-logs
	--region us-east-1
	--acl private
	--object-lock-enabled-for-bucket

02 The command output should return the name of the new Amazon S3 bucket:

{
    "Location": "/cc-protected-trail-logs"
}

03 Define the Object Lock configuration by specifying the retention mode and retention period for the new S3 bucket. The following example enables Governance retention mode with a default retention period of 365 days, so that every object version uploaded to the bucket is protected for that period unless a principal holding the s3:BypassGovernanceRetention permission explicitly bypasses the lock. To make the log files immutable even for the account root user, use "COMPLIANCE" as the Mode instead (see the Compliance mode description above). Save these configuration parameters to a JSON file named "object-lock-governance-mode.json":

{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "GOVERNANCE",
      "Days": 365
    }
  }
}

04 Run put-object-lock-configuration command (OSX/Linux/UNIX) using the configuration parameters defined at the previous step (i.e. "object-lock-governance-mode.json") to apply your S3 Object Lock configuration to the newly created bucket (the command does not produce an output):

aws s3api put-object-lock-configuration
	--bucket cc-protected-trail-logs
	--object-lock-configuration file://object-lock-governance-mode.json

05 Run update-subscription command (OSX/Linux/UNIX) to update the storage settings for the CloudTrail trail that you want to reconfigure (see Audit section part II to identify the right resource). Use the --s3-use-bucket parameter with the name of the compliant S3 bucket, created earlier in the process. Note that update-subscription is a deprecated legacy command; the supported equivalent is update-trail with the --name and --s3-bucket-name parameters. In either case the new bucket must first carry a bucket policy that allows the cloudtrail.amazonaws.com service principal to call s3:GetBucketAcl on the bucket and s3:PutObject under the AWSLogs/<account-id>/ prefix (a bucket re-created in the console with copied settings inherits it; a bucket created with create-bucket does not), otherwise the update fails with InsufficientS3BucketPolicyException:

aws cloudtrail update-subscription
	--region us-east-1
	--name cc-project5-trail
	--s3-use-bucket cc-protected-trail-logs

06 The command output should return the new configuration metadata for the updated trail:

Setting up new S3 bucket cc-protected-trail-logs...
Creating/updating CloudTrail configuration...
CloudTrail configuration:
{
  "trailList": [
    {
      "IncludeGlobalServiceEvents": true,
      "IsOrganizationTrail": false,
      "Name": "cc-project5-trail",
      "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-trail",
      "LogFileValidationEnabled": true,
      "IsMultiRegionTrail": true,
      "HasCustomEventSelectors": true,
      "S3BucketName": "cc-protected-trail-logs",
      "HomeRegion": "us-east-1"
    }
  ],
  "ResponseMetadata": {
    "RetryAttempts": 0,
    "HTTPStatusCode": 200,
    "RequestId": "01234567-1234-1234-1234-012345678901",
    "HTTPHeaders": {
      "x-amzn-requestid": "abcdabcd-abcd-1234-abcd-abcdabcdabcd",
      "date": "Mon, 14 Oct 2019 16:10:09 GMT",
      "content-length": "787",
      "content-type": "application/x-amz-json-1.1"
    }
  }
}

07 If required, repeat steps no. 1 – 6 to enable and configure Object Lock feature for other non-compliant Amazon CloudTrail S3 buckets available within your AWS account.
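The remediation steps above are spread over several CLI calls and omit the bucket policy that CloudTrail needs before a trail can deliver into the new bucket. The following script, added here as an example and not Cloud Conformity's or AWS's own tooling, shows the whole procedure end to end: it builds the Object Lock default-retention document for either mode, builds the CloudTrail bucket policy scoped with an aws:SourceArn condition to the one trail that may write, and then (in remediate(), which runs live through boto3) creates the locked bucket, applies Block Public Access, applies the lock configuration and policy, and repoints the trail with update_trail, the supported replacement for the deprecated update-subscription command. It assumes boto3 is installed and credentialed with permissions to create buckets, put bucket policies and update trails; the --acl private parameter from the page is omitted in favour of Block Public Access. All bucket, trail and account identifiers are placeholders.

```python
"""Create a CloudTrail bucket with S3 Object Lock default retention and repoint the trail.

Added example for this rule page (not Cloud Conformity's own code). The
document builders are pure; remediate() is the live path through boto3,
assumed installed and credentialed. Identifiers below are placeholders.
"""
import json
from typing import Optional


def object_lock_configuration(mode: str, days: int) -> dict:
    """Default-retention rule applied to every object version CloudTrail uploads."""
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        raise ValueError("mode must be GOVERNANCE or COMPLIANCE")
    if days < 1:
        raise ValueError("retention period must be at least one day")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}


def cloudtrail_bucket_policy(bucket: str, account_id: str, trail_arn: str,
                             prefix: Optional[str] = None) -> dict:
    """Bucket policy CloudTrail requires; without it UpdateTrail fails with
    InsufficientS3BucketPolicyException. The aws:SourceArn condition restricts
    delivery to the named trail so no other trail (or account) can write here."""
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck",
             "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
            {"Sid": "AWSCloudTrailWrite",
             "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account_id}/*",
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                            "aws:SourceArn": trail_arn}}},
        ],
    }


def remediate(trail_name: str, new_bucket: str, region: str, mode: str = "GOVERNANCE",
              days: int = 365, prefix: Optional[str] = None) -> dict:
    """Live remediation: locked bucket, policy, then repoint the trail (boto3 imported lazily)."""
    import boto3

    s3 = boto3.client("s3", region_name=region)
    cloudtrail = boto3.client("cloudtrail", region_name=region)
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    trail_arn = cloudtrail.get_trail(Name=trail_name)["Trail"]["TrailARN"]

    create_args = {"Bucket": new_bucket, "ObjectLockEnabledForBucket": True}
    if region != "us-east-1":  # LocationConstraint must be omitted for us-east-1
        create_args["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**create_args)  # also enables versioning, which Object Lock requires
    s3.put_public_access_block(Bucket=new_bucket, PublicAccessBlockConfiguration={
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    s3.put_object_lock_configuration(
        Bucket=new_bucket, ObjectLockConfiguration=object_lock_configuration(mode, days))
    s3.put_bucket_policy(Bucket=new_bucket, Policy=json.dumps(
        cloudtrail_bucket_policy(new_bucket, account_id, trail_arn, prefix)))

    update_args = {"Name": trail_name, "S3BucketName": new_bucket}
    if prefix:
        update_args["S3KeyPrefix"] = prefix
    return cloudtrail.update_trail(**update_args)


if __name__ == "__main__":
    # Dry run: print the documents that remediate() would apply (placeholder identifiers)
    print(json.dumps(object_lock_configuration("COMPLIANCE", 365), indent=2))
    print(json.dumps(cloudtrail_bucket_policy(
        "cc-protected-trail-logs", "123456789012",
        "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-project5-trail"), indent=2))
```

Run it as a dry run first to review the generated policy, then call remediate() once per non-compliant trail; the old bucket is deliberately left in place so its historical log files are retained.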


Publication date Oct 21, 2019
