S3 bucket object-level logging for read events should be enabled

Description

Object-level S3 data events (GetObject, DeleteObject, and PutObject) are not logged by CloudTrail unless a trail is explicitly configured for them; enabling this logging is a security best practice for buckets that contain sensitive data, since it is the record of who read which objects and when.

Remediation Steps

AWS Console

  • Navigate to S3.

  • Select the S3 Bucket and click Properties.

  • In AWS CloudTrail data events, click Configure in CloudTrail. Create a new CloudTrail if one doesn’t exist. For information about how to create trails in the CloudTrail console, see Creating a Trail with the Console.

    • If creating a trail: Check the Data events box. Under Data event: S3, check the Read checkbox.

    • If editing a trail: Under Data event: S3, select Edit and check the Read checkbox.

AWS CLI

  • To enable S3 bucket object-level logging:

aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "ReadOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]'
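To confirm that a trail's selectors actually cover read events for a given bucket (or to list buckets that are still not covered), the following check can be run over the EventSelectors list returned by aws cloudtrail get-event-selectors --trail-name <trail-name>. This is an added example and not part of the original page; it assumes the default "aws" partition and evaluates basic event selectors only (advanced event selectors use a different structure and are not handled).

```python
# Added example: decide whether the basic event selectors of a CloudTrail
# trail capture read data events for every object in one S3 bucket.
# Assumes the "aws" partition and basic selectors only (no advanced
# event selectors).  CloudTrail semantics used here: a DataResources value
# of "arn:aws:s3:::" covers all buckets, "arn:aws:s3:::<bucket>/" covers
# every object in that bucket, and a longer value covers only a key prefix.
from typing import Any

S3_OBJECT = "AWS::S3::Object"
READ_TYPES = {"ReadOnly", "All"}  # selector types that record read events


def bucket_reads_logged(event_selectors: list[dict[str, Any]], bucket: str,
                        partition: str = "aws") -> bool:
    """True if at least one selector logs read events for all objects in `bucket`."""
    all_buckets = f"arn:{partition}:s3:::"   # every bucket in the account
    this_bucket = f"{all_buckets}{bucket}/"  # every object in this bucket
    for selector in event_selectors:
        # ReadWriteType defaults to "All" when the selector omits it.
        if selector.get("ReadWriteType", "All") not in READ_TYPES:
            continue  # a WriteOnly selector never records GetObject
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != S3_OBJECT:
                continue
            for value in resource.get("Values", []):
                if value in (all_buckets, this_bucket):
                    return True
                # Anything longer (e.g. ".../bucket/logs/") is only a prefix.
    return False


def unlogged_buckets(event_selectors: list[dict[str, Any]],
                     buckets: list[str]) -> list[str]:
    """Buckets whose object reads are not captured by any selector."""
    return [b for b in buckets if not bucket_reads_logged(event_selectors, b)]


# Constructed sample: the selector the CLI command above creates for one
# bucket, next to a write-only selector for a second bucket.
SAMPLE_SELECTORS = [
    {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,
     "DataResources": [{"Type": S3_OBJECT,
                        "Values": ["arn:aws:s3:::finance-reports/"]}]},
    {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False,
     "DataResources": [{"Type": S3_OBJECT,
                        "Values": ["arn:aws:s3:::build-artifacts/"]}]},
]

if __name__ == "__main__":
    for name in ["finance-reports", "build-artifacts", "hr-records"]:
        print(name, "read logging:", bucket_reads_logged(SAMPLE_SELECTORS, name))
```

Note that put-event-selectors replaces a trail's whole selector list, so any selector that should remain (for example a WriteOnly one) must be included in the same call or it will be dropped.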

CloudFormation

JSON Example Configuration

{
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "EventSelectors": [
      {
        "DataResources": [
          {
            "Type": "AWS::S3::Object",
            "Values": [
              {
                "Fn::Sub": "arn:${AWS::Partition}:s3:::"
              }
            ]
          }
        ],
        "ReadWriteType": "ReadOnly"
      }
    ]
  }
}

The trail's other required properties (such as S3BucketName and IsLogging) go alongside EventSelectors; JSON does not allow comments, so the placeholder is omitted here.

YAML Example Configuration

Type: AWS::CloudTrail::Trail
Properties:
  EventSelectors:
    - DataResources:
        - Type: AWS::S3::Object
          Values:
            - !Sub "arn:${AWS::Partition}:s3:::"
      ReadWriteType: ReadOnly
# other required fields here