S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files

Description

CloudTrail writes a record of the API calls made in your AWS account to an S3 bucket. The bucket policy and the access control list (ACL) applied to that bucket should both prevent public access. An adversary who can read CloudTrail log data learns which services, principals, and resources the account uses, and can use that to identify weaknesses in the account's configuration.

Console Remediation Steps

  • Navigate to S3.

  • Click the target S3 bucket.

  • Select the Permissions tab.

  • Click Access Control List.

  • In Public access, ensure no rows exist that have the Grantee set to Everyone or to Any Authenticated User.

  • Click Save.

  • In the Bucket Policy editor, remove any Statement having an Effect set to Allow and a Principal set to "*" or {"AWS": "*"}, then click Save.

CLI Remediation Steps

  • Get the name of the S3 bucket that CloudTrail is logging to:

    • aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'

  • Ensure the AllUsers group is not granted privileges on that <bucket>. The query should return an empty list:

    • aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]'

  • Ensure the AuthenticatedUsers group is not granted privileges on that <bucket>. The query should return an empty list (note the group URI contains no space):

    • aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AuthenticatedUsers`]'

  • Get the S3 Bucket Policy:

    • aws s3api get-bucket-policy --bucket <s3_bucket_for_cloudtrail>

  • Ensure the policy does not contain a Statement having an Effect set to Allow and a Principal set to "*" or {"AWS": "*"}. Note: a Principal of "*" or {"AWS": "*"} in an Allow statement grants anonymous access. A Deny statement with Principal "*" (for example one that rejects non-TLS requests) is not a finding. If a wildcard Allow statement carries a Condition, review the condition before deciding whether it actually restricts who can reach the bucket; the statements CloudTrail itself needs use the service principal cloudtrail.amazonaws.com, not a wildcard.
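The CLI steps above can be automated. The following script is an added example written for this page, not AWS or CIS tooling: it applies the ACL and bucket-policy checks to the JSON documents the aws CLI returns, distinguishing Allow from Deny wildcard statements and flagging Condition-qualified wildcards for review. Offline it runs against constructed sample documents embedded below (not from a real account); with --live it calls the aws CLI, which is assumed to be installed and credentialed. The bucket name example-trail-bucket and the Sids in the sample policy are illustrative.

```python
#!/usr/bin/env python3
"""Audit CloudTrail log buckets for public ACL grants and public bucket-policy statements."""
import json
import subprocess
import sys

# The two S3 predefined groups whose presence in an ACL grant makes the bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def public_acl_grants(acl):
    """Return (group, permission) for each grant to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _principals(principal):
    """Flatten a Principal element ("*", {"AWS": "*"}, {"AWS": [...]}, {"Service": ...}) into a list."""
    if principal == "*":
        return ["*"]
    values = []
    if isinstance(principal, dict):
        for entry in principal.values():
            values.extend(entry if isinstance(entry, list) else [entry])
    return values


def public_policy_statements(policy):
    """Return (Sid, has_condition) for each Allow statement with a wildcard Principal.

    Deny statements are skipped: Principal "*" in a Deny is not public access. A wildcard
    Allow with a Condition is still reported so the auditor reads the condition.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear without the list wrapper
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and "*" in _principals(stmt.get("Principal", {})):
            found.append((stmt.get("Sid", "<no Sid>"), bool(stmt.get("Condition"))))
    return found


def audit_bucket(acl, policy):
    """Combine both checks into readable findings; an empty list means the bucket passes."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    for sid, conditioned in public_policy_statements(policy):
        note = " (carries a Condition: verify it restricts the caller)" if conditioned else ""
        findings.append(f"policy statement {sid!r} allows Principal *{note}")
    return findings


def aws_json(*args):
    """Run one aws CLI command (assumed installed and credentialed) and parse its JSON output."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


def audit_live():
    """Audit every bucket that a trail in this account logs to."""
    trails = aws_json("cloudtrail", "describe-trails")["trailList"]
    for bucket in sorted({t["S3BucketName"] for t in trails if t.get("S3BucketName")}):
        acl = aws_json("s3api", "get-bucket-acl", "--bucket", bucket)
        try:  # get-bucket-policy wraps the policy document as a JSON string under "Policy"
            policy = json.loads(aws_json("s3api", "get-bucket-policy", "--bucket", bucket)["Policy"])
        except subprocess.CalledProcessError:  # no bucket policy attached (NoSuchBucketPolicy)
            policy = {}
        findings = audit_bucket(acl, policy)
        print(bucket, "FAIL" if findings else "PASS", *findings, sep="\n  ")


# Constructed sample documents in the shape the aws CLI returns; not taken from a real account.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-trail-bucket"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-trail-bucket/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-trail-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-trail-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    if sys.argv[1:] == ["--live"]:
        audit_live()
    else:
        for line in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
            print(line)
```

Run it with no arguments to see the three findings the sample produces (the AllUsers READ grant, the unconditional PublicRead statement, and the VpceOnly statement flagged for review); the DenyInsecureTransport statement is correctly ignored. Run it with --live against an account to audit every trail bucket in one pass.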