S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files

Description

CloudTrail writes a record of every API call made in your AWS account to an S3 bucket. It is recommended that the bucket policy, or access control list (ACL), applied to these S3 buckets should prevent public access. Allowing public access to CloudTrail log data may aid an adversary in identifying weaknesses in the affected account’s use or configuration.

Remediation Steps

AWS Console

  • Navigate to S3.

  • Click the target S3 bucket.

  • Select the Permissions tab.

  • Click Access Control List.

  • In Public access, ensure no rows exist that have the Grantee set to Everyone or the Grantee set to Any Authenticated User.

  • Click Save.

  • Select the Bucket Policy tab.

  • Ensure the policy does not contain a Statement having an Effect set to Allow and a Principal set to "*" or {"AWS" : "*"}.

    • Note: Principal set to "*" or {"AWS" : "*"} allows anonymous access.

AWS CLI

  • Get the name of the S3 bucket that CloudTrail is logging to:

    • aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'

  • Ensure the AllUsers principal is not granted privileges to that <bucket>:

    • aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `http://acs.amazonaws.com/groups/global/AllUsers`]'

  • Ensure the AuthenticatedUsers principal is not granted privileges to that <bucket>:

    • aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`]'

  • Get the S3 Bucket Policy:

    • aws s3api get-bucket-policy --bucket <s3_bucket_for_cloudtrail>

  • Ensure the policy does not contain a Statement having an Effect set to Allow and a Principal set to "*" or {"AWS" : "*"}.

    • Note: Principal set to "*" or {"AWS" : "*"} allows anonymous access.
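The two CLI checks above are easy to misread by eye once a policy has more than a couple of statements, so the following script, added here as an example and not part of the original page, applies the same criteria to the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return. It flags ACL grants to the AllUsers or AuthenticatedUsers groups and any Allow statement whose Principal is "*" or {"AWS": "*"} (including "*" inside a list of AWS principals), while leaving Deny statements, service principals and the S3 LogDelivery group alone. The ACL and policy documents are constructed for the demonstration and mirror the shape of the CLI output; note that get-bucket-policy returns the policy as a JSON string nested under "Policy", which is why it is decoded before inspection.

```python
import json

# Canned-group URIs that S3 uses for anonymous and any-signed-in-AWS-user grants.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUP_URIS = {ALL_USERS_URI, AUTHENTICATED_USERS_URI}


def public_acl_grants(acl):
    """Grants in a get-bucket-acl document whose grantee is AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, including "*" inside a list of AWS principals."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def load_policy(response):
    """get-bucket-policy wraps the policy document as a JSON string under "Policy"."""
    doc = response["Policy"]
    return json.loads(doc) if isinstance(doc, str) else doc


def public_policy_statements(policy):
    """Sids (or positional labels) of Allow statements that carry a wildcard Principal."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and is_wildcard_principal(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def check_cloudtrail_bucket(acl, policy_response):
    """Both checks combined; an empty list means the bucket passes this control."""
    findings = public_acl_grants(acl)
    for sid in public_policy_statements(load_policy(policy_response)):
        findings.append(f"bucket policy statement {sid!r} allows anonymous access")
    return findings


# Constructed sample documents (not real account data). The owner ID and
# bucket name are placeholders; the AllUsers READ grant and the
# "AccidentalPublicRead" statement are the misconfigurations to be caught.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
        # LogDelivery is a canned group too, but not a public one under this control.
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}

SAMPLE_POLICY_RESPONSE = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl",
             "Resource": "arn:aws:s3:::example-cloudtrail-bucket"},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             "Resource": "arn:aws:s3:::example-cloudtrail-bucket/AWSLogs/*",
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
            {"Sid": "AccidentalPublicRead", "Effect": "Allow",
             "Principal": {"AWS": "*"},
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-cloudtrail-bucket/*"},
            # A Deny with Principal "*" is a hardening pattern, not public access.
            {"Sid": "DenyInsecureTransport", "Effect": "Deny",
             "Principal": "*", "Action": "s3:*",
             "Resource": "arn:aws:s3:::example-cloudtrail-bucket/*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    })
}

if __name__ == "__main__":
    for line in check_cloudtrail_bucket(SAMPLE_ACL, SAMPLE_POLICY_RESPONSE):
        print("FAIL:", line)
```

To run it against a live account, replace the two sample documents with the parsed output of the get-bucket-acl and get-bucket-policy commands listed above (get-bucket-policy fails with NoSuchBucketPolicy when no policy is attached, which is itself a pass for the policy half of the check).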

Terraform

  • Find the S3 bucket used for CloudTrail logging by cross-referencing the s3_bucket_name field of the aws_cloudtrail resource with the bucket field of the aws_s3_bucket resource that receives the logs.

  • Ensure that the aws_s3_bucket acl field is not set to either of the following:

    • "public-read"

    • "public-read-write"

Example Configuration

resource "aws_s3_bucket" "private1" {
  bucket = "<s3_bucket_for_cloudtrail>"  # must match aws_cloudtrail.s3_bucket_name
  acl    = "private"                     # never "public-read" or "public-read-write"
  # other required fields here
  # Note: with AWS provider v4 and later, the acl argument is deprecated here and
  # the ACL is set through a separate aws_s3_bucket_acl resource instead.
}