S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files

Description

It is recommended that users enable bucket access logging on the S3 bucket storing CloudTrail log data. Such logging tracks access requests to this S3 bucket and can be useful in security and incident response workflows.

Console Remediation Steps

  • Navigate to CloudTrail.

  • Create a CloudTrail trail as specified here.

  • In storage location, note the name of the S3 bucket.

  • Navigate to S3.

  • Select the S3 bucket that you attached to your CloudTrail trail from the previous step.

  • Click Properties.

  • Edit your S3 bucket to have Server access logging enabled as described here.

CLI Remediation Steps

  • Get the name of the S3 bucket that CloudTrail is logging to:

    • aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'

  • Ensure Bucket Logging is enabled:

    • aws s3api get-bucket-logging --bucket <s3_bucket_for_cloudtrail>

  • Ensure the command does not return empty output. Sample output for a bucket with logging enabled:

    • { "LoggingEnabled": { "TargetPrefix": "<Prefix_Test>", "TargetBucket": "<Bucket_name_for_Storing_Logs>" } }

  • If the command returns an empty output, run the following command to enable logging:

    • aws s3api put-bucket-logging --bucket <s3_bucket_for_cloudtrail> --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"<Bucket_name_for_Storing_Logs>","TargetPrefix":"/"}}'
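As an added example (not part of the benchmark text or any AWS tool), the Python script below applies the check above to the captured output of get-bucket-logging and builds a put-bucket-logging command whose JSON status document is quoted correctly. The bucket names and sample outputs are constructed, and the extra check that the target bucket is not the CloudTrail bucket itself is an assumption beyond the page.

```python
import json
import shlex


def assess_bucket_logging(raw_output: str, cloudtrail_bucket: str) -> dict:
    """Classify captured `aws s3api get-bucket-logging` output for the CloudTrail bucket.

    The CLI prints nothing when logging is off, so empty output is non-compliant.
    Returns {"compliant": bool, "findings": [str, ...]}.
    """
    findings = []
    text = raw_output.strip()
    if not text:
        return {"compliant": False, "findings": ["server access logging is disabled"]}
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"compliant": False, "findings": [f"unparseable CLI output: {exc}"]}
    cfg = data.get("LoggingEnabled")
    if not cfg:
        findings.append("LoggingEnabled block missing")
    else:
        target = cfg.get("TargetBucket", "")
        if not target:
            findings.append("TargetBucket is empty")
        elif target == cloudtrail_bucket:
            # Assumption beyond the page: flag a bucket that logs into itself,
            # because each access-log write is itself an access that gets logged.
            findings.append("TargetBucket is the CloudTrail bucket itself")
    return {"compliant": not findings, "findings": findings}


def remediation_command(cloudtrail_bucket: str, log_bucket: str, prefix: str = "/") -> str:
    """Build the put-bucket-logging command with a valid, shell-quoted JSON document."""
    status = {"LoggingEnabled": {"TargetBucket": log_bucket, "TargetPrefix": prefix}}
    return (
        "aws s3api put-bucket-logging --bucket " + shlex.quote(cloudtrail_bucket)
        + " --bucket-logging-status " + shlex.quote(json.dumps(status))
    )


# Constructed sample outputs; not captured from a real account.
ENABLED_OUTPUT = '{ "LoggingEnabled": { "TargetPrefix": "cloudtrail-access/", "TargetBucket": "example-access-logs" } }'
DISABLED_OUTPUT = ""

if __name__ == "__main__":
    for label, out in (("enabled", ENABLED_OUTPUT), ("disabled", DISABLED_OUTPUT)):
        result = assess_bucket_logging(out, "example-cloudtrail-bucket")
        print(label, result)
        if not result["compliant"]:
            print(remediation_command("example-cloudtrail-bucket", "example-access-logs"))
```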