S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
Description
It is recommended that users enable bucket access logging on the S3 bucket storing CloudTrail log data. Such logging tracks access requests to this S3 bucket and can be useful in security and incident response workflows.
Remediation Steps
AWS Console
Navigate to CloudTrail.
Create a CloudTrail trail as specified here.
In storage location, note the name of the S3 bucket.
Navigate to S3.
Select the S3 bucket that you attached to your CloudTrail trail from the previous step.
Click Properties.
Edit your S3 bucket to have Server access logging enabled as described here.
AWS CLI
Get the name of the S3 bucket that CloudTrail is logging to:
aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'
Ensure Bucket Logging is enabled:
aws s3api get-bucket-logging --bucket <s3_bucket_for_cloudtrail>
Ensure the command does not return empty output. Sample output for a bucket with logging enabled:
{
    "LoggingEnabled": {
        "TargetPrefix": "<Prefix_Test>",
        "TargetBucket": "<Bucket_name_for_Storing_Logs>"
    }
}
If the command returns an empty output, run the following command to enable logging:
aws s3api put-bucket-logging --bucket <s3_bucket_for_cloudtrail> --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"<Bucket_name_for_Storing_Logs>","TargetPrefix":"/"}}'
CloudFormation
Find the S3 bucket used for CloudTrail logging by cross-referencing the AWS::CloudTrail::Trail S3BucketName field with the logging AWS::S3::Bucket BucketName field.
Ensure that the AWS::S3::Bucket has a LoggingConfiguration block that specifies a DestinationBucketName that will receive the log objects, and optionally, a LogFilePrefix.
JSON Example Configuration
{
    "Type": "AWS::S3::Bucket",
    "Properties": {
        "LoggingConfiguration": {
            "DestinationBucketName": {
                "Ref": "LoggingBucket"
            },
            "LogFilePrefix": "testing-logs"
        }
    }
    # other required fields here
}
YAML Example Configuration
Type: AWS::S3::Bucket
Properties:
  LoggingConfiguration:
    DestinationBucketName: !Ref LoggingBucket
    LogFilePrefix: testing-logs
  # other required fields here
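The CloudFormation cross-reference described above, implemented as an added check in Python (not part of this page or the tool it documents): it resolves each AWS::CloudTrail::Trail's S3BucketName to an AWS::S3::Bucket in the same template, either through a Ref or by matching BucketName, and reports trails whose bucket has no LoggingConfiguration or whose bucket is not defined in the template at all. The sample template and all resource names in it are constructed.

```python
# Constructed sample template: GoodTrail's bucket logs to LoggingBucket, BadTrail's
# bucket (matched by BucketName) has no LoggingConfiguration, ExternalTrail's bucket
# is not defined in this template at all.
SAMPLE_TEMPLATE = {"Resources": {
    "LoggingBucket": {"Type": "AWS::S3::Bucket"},
    "GoodTrailBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "LoggingConfiguration": {"DestinationBucketName": {"Ref": "LoggingBucket"},
                                 "LogFilePrefix": "testing-logs"}}},
    "BadTrailBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "trail-bucket"}},
    "GoodTrail": {"Type": "AWS::CloudTrail::Trail",
                  "Properties": {"S3BucketName": {"Ref": "GoodTrailBucket"}}},
    "BadTrail": {"Type": "AWS::CloudTrail::Trail",
                 "Properties": {"S3BucketName": "trail-bucket"}},
    "ExternalTrail": {"Type": "AWS::CloudTrail::Trail",
                      "Properties": {"S3BucketName": "bucket-outside-template"}},
}}


def resolve_bucket(s3_bucket_name, resources):
    """Map a trail's S3BucketName to the logical id of an AWS::S3::Bucket: a
    {"Ref": ...} must point at a bucket resource, a literal string is matched
    against a bucket's BucketName property. Returns None if unresolved."""
    if isinstance(s3_bucket_name, dict):
        ref = s3_bucket_name.get("Ref")
        return ref if resources.get(ref, {}).get("Type") == "AWS::S3::Bucket" else None
    if not isinstance(s3_bucket_name, str):
        return None
    for logical_id, res in resources.items():
        if (res.get("Type") == "AWS::S3::Bucket"
                and res.get("Properties", {}).get("BucketName") == s3_bucket_name):
            return logical_id
    return None


def find_unlogged_trail_buckets(template):
    """Return (trail_id, reason) for every trail whose bucket lacks
    LoggingConfiguration.DestinationBucketName, or whose bucket is not in the
    template and so must be verified with `aws s3api get-bucket-logging`."""
    resources = template.get("Resources", {})
    findings = []
    for trail_id, res in resources.items():
        if res.get("Type") != "AWS::CloudTrail::Trail":
            continue
        bucket_id = resolve_bucket(res.get("Properties", {}).get("S3BucketName"), resources)
        if bucket_id is None:
            findings.append((trail_id, "bucket not defined in this template"))
            continue
        cfg = resources[bucket_id].get("Properties", {}).get("LoggingConfiguration", {})
        if not cfg.get("DestinationBucketName"):
            findings.append((trail_id, f"{bucket_id} has no LoggingConfiguration"))
    return findings
```

Run `find_unlogged_trail_buckets` over a template loaded with `json.load` (or a YAML loader that understands the `!Ref` tag) to get the list of trails that fail this rule.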
Terraform
Find the S3 bucket used for CloudTrail logging by cross-referencing the aws_cloudtrail s3_bucket_name field with the logging aws_s3_bucket bucket field.
Ensure that the aws_s3_bucket has a logging block that specifies a target_bucket that will receive the log objects, and optionally, a target_prefix.
Example Configuration
resource "aws_s3_bucket" "cloudtrail_bucket" {
  bucket = "cloudtrail-bucket"

  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log/"
  }

  # other required fields here
}