S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files

Description

It is recommended that users enable bucket access logging on the S3 bucket storing CloudTrail log data. Such logging tracks access requests to this S3 bucket and can be useful in security and incident response workflows.

Remediation Steps

AWS Console

  • Navigate to CloudTrail.

  • Create a CloudTrail trail as specified here.

  • In storage location, note the name of the S3 bucket.

  • Navigate to S3.

  • Select the S3 bucket that you attached to your CloudTrail trail from the previous step.

  • Click Properties.

  • Edit your S3 bucket to have Server access logging enabled as described here.

AWS CLI

  • Get the name of the S3 bucket that CloudTrail is logging to:

    • aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'

  • Ensure Bucket Logging is enabled:

    • aws s3api get-bucket-logging --bucket <s3_bucket_for_cloudtrail>

  • Ensure the command does not return empty output. Sample output for a bucket with logging enabled:

    • { "LoggingEnabled": { "TargetPrefix": "<Prefix_Test>", "TargetBucket": "<Bucket_name_for_Storing_Logs>" } }

  • If the command returns an empty output, run the following command to enable logging:

    • aws s3api put-bucket-logging --bucket <s3_bucket_for_cloudtrail> --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"<Bucket_name_for_Storing_Logs>","TargetPrefix":"/"}}'
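The CLI steps above can be run as one audit across every trail. The script below is an added example, not part of the original page; it assumes a configured AWS CLI with read access to CloudTrail and S3, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the S3 bucket of every CloudTrail trail for server
# access logging, using the same describe-trails / get-bucket-logging calls
# shown above. Assumes the AWS CLI is installed and has read credentials.

# Decide from the raw `aws s3api get-bucket-logging` output whether logging
# is on. Returns 0 only when a LoggingEnabled block names a TargetBucket;
# the empty output of an unconfigured bucket returns 1.
logging_enabled() {
  printf '%s' "$1" | grep -q '"LoggingEnabled"' \
    && printf '%s' "$1" | grep -q '"TargetBucket"'
}

# Extract the TargetBucket value from that output (empty string if absent).
logging_target() {
  printf '%s' "$1" \
    | sed -n 's/.*"TargetBucket"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Walk all trails, report each bucket, and return the number of failures.
audit_cloudtrail_buckets() {
  failures=0
  for bucket in $(aws cloudtrail describe-trails \
                    --query 'trailList[*].S3BucketName' --output text); do
    # A trail with no bucket renders as "None" in text output; skip it.
    [ "$bucket" = "None" ] && continue
    out=$(aws s3api get-bucket-logging --bucket "$bucket" --output json 2>/dev/null)
    if logging_enabled "$out"; then
      echo "PASS $bucket -> access logs go to $(logging_target "$out")"
    else
      echo "FAIL $bucket has no server access logging"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}
```

Run `audit_cloudtrail_buckets` after sourcing the file; a non-zero exit status means at least one CloudTrail bucket still needs the put-bucket-logging remediation above.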

CloudFormation

JSON Example Configuration

{
  "Type": "AWS::S3::Bucket",
  "Properties": {
    "LoggingConfiguration": {
      "DestinationBucketName": {
        "Ref": "LoggingBucket"
      },
      "LogFilePrefix": "testing-logs"
    }
  }
  # other required fields here
}

YAML Example Configuration

Type: AWS::S3::Bucket
Properties:
  LoggingConfiguration:
    DestinationBucketName: !Ref LoggingBucket
    LogFilePrefix: testing-logs
# other required fields here

Terraform

Example Configuration

resource "aws_s3_bucket" "cloudtrail_bucket" {
  bucket = "cloudtrail-bucket"
  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log/"
  }
  # other required fields here
}