S3 bucket access logging should be enabled

Description

Enabling server access logging provides detailed records for the requests that are made to an S3 bucket. This information is useful for security and compliance auditing purposes.
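To show what those "detailed records" look like once logging is on, here is an added example (not part of the original rule text, and not code from AWS) that parses the space-delimited S3 server access log format and runs two simple auditing checks over it: anonymous requests and access-denied responses. The log lines are constructed for the example; the canonical user IDs, request IDs, IP addresses and bucket name are placeholders, and the field order follows the published S3 server access log format.

```python
import re
from datetime import datetime

# Field order of an S3 server access log record as documented by AWS.
# Newer fields were appended over time, so older records may stop early.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version", "access_point_arn",
    "acl_required",
]
INT_FIELDS = ("http_status", "bytes_sent", "object_size", "total_time", "turn_around_time")

# A token is a [bracketed] timestamp (which contains a space), a "quoted"
# string (request URI, referer, user agent), or a run of non-space characters.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_record(line):
    """Split one access log line into a dict keyed by FIELDS.

    Quotes and brackets are stripped, S3's '-' placeholder becomes None,
    the time field becomes a timezone-aware datetime and numeric fields
    become ints. Missing trailing fields are simply absent from the dict.
    """
    record = {}
    for name, raw in zip(FIELDS, TOKEN.findall(line.strip())):
        if (raw.startswith('"') and raw.endswith('"')) or (raw.startswith("[") and raw.endswith("]")):
            raw = raw[1:-1]
        record[name] = None if raw == "-" else raw
    if record.get("time"):
        record["time"] = datetime.strptime(record["time"], "%d/%b/%Y:%H:%M:%S %z")
    for name in INT_FIELDS:
        if record.get(name) is not None:
            record[name] = int(record[name])
    return record


def audit(lines):
    """Return (finding, remote_ip, detail, key) tuples worth a defender's review."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        r = parse_record(line)
        if r.get("requester") is None:          # unauthenticated (anonymous) access
            findings.append(("anonymous-request", r.get("remote_ip"), r.get("operation"), r.get("key")))
        if r.get("http_status") == 403:         # request was denied; who is probing what?
            findings.append(("access-denied", r.get("remote_ip"), r.get("requester"), r.get("key")))
    return findings


# Constructed sample records (placeholder IDs, documentation IP ranges).
OWNER_ID = "f00d" * 16   # constructed canonical user ID of the bucket owner
OTHER_ID = "beef" * 16   # constructed canonical user ID of a second account
SAMPLE_LINES = [
    f'{OWNER_ID} example-source-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 {OWNER_ID} 3E57427F3EXAMPLE '
    'REST.GET.OBJECT reports/q1.csv "GET /example-source-bucket/reports/q1.csv HTTP/1.1" 200 - 1024 1024 7 5 '
    '"-" "aws-cli/2.13.0" - hostidEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader '
    'example-source-bucket.s3.us-west-1.amazonaws.com TLSV1.2 - -',
    f'{OWNER_ID} example-source-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - 7A1B2C3D4EXAMPLE '
    'REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 1024 1024 9 6 '
    '"-" "curl/8.0.1" - hostidEXAMPLE - ECDHE-RSA-AES128-GCM-SHA256 - '
    'example-source-bucket.s3.us-west-1.amazonaws.com TLSV1.2 - -',
    f'{OWNER_ID} example-source-bucket [06/Feb/2019:00:02:15 +0000] 203.0.113.9 {OTHER_ID} 9F8E7D6C5EXAMPLE '
    'REST.GET.OBJECT private/payroll.csv "GET /private/payroll.csv HTTP/1.1" 403 AccessDenied 243 - 4 - '
    '"-" "python-requests/2.31" - hostidEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader '
    'example-source-bucket.s3.us-west-1.amazonaws.com TLSV1.2 - -',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LINES):
        print(finding)
```

Real log objects are delivered to the target bucket under the configured prefix, one object per batch of records, so in practice the lines above would come from reading those objects; the parser is deliberately tolerant of the shorter records that older log objects contain.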

Remediation Steps

AWS Console

  • Navigate to S3.

  • In the Bucket name list, choose the name of the bucket that you want to enable server access logging for.

  • Choose Properties.

  • Choose Server access logging.

  • Choose Enable Logging. For Target, choose the name of the bucket that you want to receive the log record objects. The target bucket must be in the same region as the source bucket and must not have a default retention period configuration.

    • (Optional) For Target prefix, type a key name prefix for log objects, so that all of the log object names begin with the same string.

  • Choose Save.

AWS CLI

To enable server access logging for an S3 bucket, first grant the S3 Log Delivery group permission to write log objects to the target bucket that will receive them. Replace MY_BUCKET_NAME with the name of the target (log) bucket:

aws s3api put-bucket-acl --bucket MY_BUCKET_NAME --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

Then apply the logging configuration to the source bucket. You’ll need to provide a JSON document with the configuration; see below. Replace MY_BUCKET_NAME with the name of the source bucket whose requests should be logged:

aws s3api put-bucket-logging --bucket MY_BUCKET_NAME --bucket-logging-status file://logging.json

logging.json is a JSON document containing the logging configuration. The example below gives the AWS account associated with my_email@example.com full control over the log objects. Replace MY_BUCKET_NAME, MY_PREFIX/, and my_email@example.com with the target (log) bucket name, log object key prefix, and email address:

{
  "LoggingEnabled": {
    "TargetBucket": "MY_BUCKET_NAME",
    "TargetPrefix": "MY_PREFIX/",
    "TargetGrants": [
      {
        "Grantee": {
          "Type": "AmazonCustomerByEmail",
          "EmailAddress": "my_email@example.com"
        },
        "Permission": "FULL_CONTROL"
      }
    ]
  }
}
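The CLI procedure above produces a logging configuration document and leaves you with no way to confirm the result across an account. The following added example (not part of the original page or the AWS CLI) builds the same document the put-bucket-logging command expects and evaluates the output of get-bucket-logging for a set of buckets. It assumes that output is parsed into a dict that lacks the LoggingEnabled key when logging is disabled; the bucket names and statuses are constructed for the example. The self-logging warning goes beyond the page: a bucket that is its own log target generates a further log record for every log object delivered to it, which AWS documents as a reason to use a separate log bucket.

```python
import json


def logging_configuration(target_bucket, target_prefix="", grantee_email=None):
    """Build the document passed via --bucket-logging-status file://logging.json."""
    enabled = {"TargetBucket": target_bucket, "TargetPrefix": target_prefix}
    if grantee_email:
        # Optional grant: full control over delivered log objects for one account.
        enabled["TargetGrants"] = [{
            "Grantee": {"Type": "AmazonCustomerByEmail", "EmailAddress": grantee_email},
            "Permission": "FULL_CONTROL",
        }]
    return {"LoggingEnabled": enabled}


def audit_bucket_logging(bucket, status):
    """Evaluate one bucket's logging status (parsed get-bucket-logging output).

    Returns (compliant, findings). A bucket is compliant when logging is
    enabled with a target bucket; findings also carry warnings that do not
    fail the check, such as a bucket that logs to itself.
    """
    enabled = status.get("LoggingEnabled")
    if not enabled:
        return False, ["server access logging is disabled"]
    target = enabled.get("TargetBucket")
    if not target:
        return False, ["LoggingEnabled is present but names no TargetBucket"]
    findings = []
    if target == bucket:
        findings.append("bucket logs to itself; every delivered log object produces a further log record")
    if not enabled.get("TargetPrefix"):
        findings.append("no TargetPrefix; logs from several source buckets would share one key space")
    return True, findings


def audit_account(statuses):
    """statuses maps bucket name -> get-bucket-logging output; returns non-compliant names."""
    return sorted(name for name, status in statuses.items() if not audit_bucket_logging(name, status)[0])


# Constructed statuses for four hypothetical buckets.
SAMPLE_STATUSES = {
    "app-data": {},                                               # logging disabled
    "no-target": {"LoggingEnabled": {"TargetPrefix": "log/"}},    # malformed configuration
    "my-log-bucket": {"LoggingEnabled": {"TargetBucket": "my-log-bucket", "TargetPrefix": "log/"}},
    "web-assets": logging_configuration("my-log-bucket", "web-assets/"),
}

if __name__ == "__main__":
    print(json.dumps(logging_configuration("MY_BUCKET_NAME", "MY_PREFIX/", "my_email@example.com"), indent=2))
    for name, status in SAMPLE_STATUSES.items():
        print(name, audit_bucket_logging(name, status))
    print("non-compliant:", audit_account(SAMPLE_STATUSES))
```

One caveat on the put-bucket-acl step: it only works while ACLs are enabled on the target bucket. A bucket whose Object Ownership is BucketOwnerEnforced (the default for newly created buckets since April 2023) rejects ACL grants, and for such a target bucket log delivery must instead be allowed by a bucket policy granting s3:PutObject to the logging.s3.amazonaws.com service principal.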

CloudFormation

JSON

Add a LoggingConfiguration to the Properties of the AWS::S3::Bucket resource:

{
  "Properties" : {
    "LoggingConfiguration" : {
      "DestinationBucketName" : "mybucketname",
      "LogFilePrefix" : "testing-logs"
    }
  }
}

JSON Example Configuration

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "ValidBucket1": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "LoggingConfiguration": {
          "DestinationBucketName": "mybucketname",
          "LogFilePrefix": "testing-logs"
        }
      }
    }
  }
}

YAML

Add a LoggingConfiguration to the Properties of the AWS::S3::Bucket resource:

Properties:
  LoggingConfiguration:
    DestinationBucketName: mybucketname
    LogFilePrefix: testing-logs

YAML Example Configuration

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ValidBucket1:
    Type: AWS::S3::Bucket
    Properties:
      LoggingConfiguration:
        DestinationBucketName: mybucketname
        LogFilePrefix: testing-logs

Terraform

  • Ensure that the aws_s3_bucket has a logging block that specifies a target_bucket that will receive the log objects and, optionally, a target_prefix.

Example Configuration

# Note: AWS provider v4 and later deprecate the inline logging and acl arguments
# in favour of the separate aws_s3_bucket_logging and aws_s3_bucket_acl resources.
resource "aws_s3_bucket" "validbucket1" {
  logging {
    # Deliver this bucket's access logs to the dedicated log bucket below.
    target_bucket = aws_s3_bucket.logbucket.id
    target_prefix = "log/"
  }
  # other required fields here
}

resource "aws_s3_bucket" "logbucket" {
  bucket = "my-log-bucket"
  # Canned ACL that lets the S3 Log Delivery group write log objects here.
  acl    = "log-delivery-write"

  logging {
    target_bucket = "my-log-bucket"
    target_prefix = "log/"
  }
  # other required fields here
}