S3 bucket access logging should be enabled

Description

Enabling server access logging provides detailed records of the requests that are made to an S3 bucket. This information is useful for security and compliance auditing purposes.

Console Remediation Steps

  • Navigate to S3.

  • In the Bucket name list, choose the name of the bucket that you want to enable server access logging for.

  • Choose Properties.

  • Choose Server access logging.

  • Choose Enable Logging. For Target, choose the name of the bucket that you want to receive the log record objects. The target bucket must be in the same region as the source bucket and must not have a default retention period configuration.

    • (Optional) For Target prefix, type a key name prefix for log objects, so that all of the log object names begin with the same string.

  • Choose Save.

CLI Remediation Steps

To enable server access logging for an S3 bucket, first grant the S3 Log Delivery group permission to write log objects to the target bucket that will receive the logs (the bucket named in TargetBucket below). Replace MY_BUCKET_NAME with that target bucket's name:

aws s3api put-bucket-acl --bucket MY_BUCKET_NAME --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

Then apply the logging policy. You’ll need to provide a JSON document with the policy; see below. Replace MY_BUCKET_NAME with the name of the source bucket whose requests you want logged:

aws s3api put-bucket-logging --bucket MY_BUCKET_NAME --bucket-logging-status file://logging.json

logging.json is a JSON document containing the logging policy. The example below allows the AWS user associated with my_email@example.com to have full control over the log files. Replace MY_BUCKET_NAME, MY_PREFIX/, and my_email@example.com with the desired bucket name, log object key prefix, and email address:

{
  "LoggingEnabled": {
    "TargetBucket": "MY_BUCKET_NAME",
    "TargetPrefix": "MY_PREFIX/",
    "TargetGrants": [
      {
        "Grantee": {
          "Type": "AmazonCustomerByEmail",
          "EmailAddress": "my_email@example.com"
        },
        "Permission": "FULL_CONTROL"
      }
    ]
  }
}
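The following Python helpers are an added example, not part of this page or of any AWS tooling, covering the CLI procedure above: they build the logging.json document from parameters, check a target bucket's ACL (in the shape returned by aws s3api get-bucket-acl) for the Log Delivery group's WRITE and READ_ACP grants that the put-bucket-acl step creates, and evaluate a get-bucket-logging response against this rule, warning about a target bucket that is the source bucket itself and about a missing key prefix. All sample responses and bucket names are constructed; the aws commands themselves are assumed to be run separately.

```python
"""Helpers for the S3 server access logging procedure above.
Inputs are constructed samples in the shape that
`aws s3api get-bucket-acl` / `get-bucket-logging` return."""
import json

# Group URI used by the put-bucket-acl command on the page.
LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"


def build_logging_status(target_bucket, target_prefix="", grantee_email=None):
    """Return the document passed via --bucket-logging-status file://logging.json.

    TargetGrants is only added when an e-mail grantee is given; it mirrors the
    AmazonCustomerByEmail / FULL_CONTROL grant shown on the page.
    """
    enabled = {"TargetBucket": target_bucket, "TargetPrefix": target_prefix}
    if grantee_email:
        enabled["TargetGrants"] = [
            {
                "Grantee": {"Type": "AmazonCustomerByEmail",
                            "EmailAddress": grantee_email},
                "Permission": "FULL_CONTROL",
            }
        ]
    return {"LoggingEnabled": enabled}


def target_acl_grants_log_delivery(acl):
    """True if a get-bucket-acl response shows the S3 Log Delivery group holding
    both WRITE (to put log objects) and READ_ACP (to read the bucket ACL),
    i.e. the grants the put-bucket-acl step on the page creates."""
    granted = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == LOG_DELIVERY_URI:
            granted.add(grant.get("Permission"))
    return {"WRITE", "READ_ACP"} <= granted


def evaluate_logging(source_bucket, logging_status):
    """Evaluate a get-bucket-logging response for `source_bucket`.

    Returns (compliant, warnings). The rule passes only when LoggingEnabled
    names a target bucket; warnings flag configurations that work but are
    poor practice (logging into the bucket being logged, or no key prefix).
    """
    enabled = logging_status.get("LoggingEnabled")
    if not enabled:
        return False, ["server access logging is not enabled"]
    target = enabled.get("TargetBucket")
    if not target:
        return False, ["LoggingEnabled is present but names no TargetBucket"]
    warnings = []
    if target == source_bucket:
        warnings.append("target bucket is the source bucket: log deliveries are "
                        "themselves logged; use a separate log bucket")
    if not enabled.get("TargetPrefix"):
        warnings.append("no TargetPrefix: log objects share the bucket root "
                        "with other data")
    return True, warnings


# Constructed sample responses (not captured from a real account).
SAMPLE_TARGET_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY_URI},
         "Permission": "READ_ACP"},
    ],
}
SAMPLE_LOGGING_DISABLED = {}  # get-bucket-logging returns no LoggingEnabled key
SAMPLE_LOGGING_ENABLED = build_logging_status("my-log-bucket", "my-data-bucket/")

if __name__ == "__main__":
    # The document below is what would be written to logging.json.
    print(json.dumps(build_logging_status("MY_LOG_BUCKET", "MY_PREFIX/",
                                          "my_email@example.com"), indent=2))
    print("target ACL ok:", target_acl_grants_log_delivery(SAMPLE_TARGET_ACL))
    for status in (SAMPLE_LOGGING_DISABLED, SAMPLE_LOGGING_ENABLED):
        print("my-data-bucket", evaluate_logging("my-data-bucket", status))
```

In a real audit the two response dictionaries would come from `aws s3api get-bucket-acl --bucket <target>` and `aws s3api get-bucket-logging --bucket <source>` (parsed with json.loads); the evaluation deliberately separates a hard failure (no LoggingEnabled, no TargetBucket) from advisory warnings so the rule's pass/fail matches what the console shows.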