S3 bucket object-level logging for read events should be enabled
Description
Object-level S3 data events (GetObject, DeleteObject, and PutObject) are not logged by CloudTrail by default. Logging them is a security best practice for buckets that contain sensitive data, because without data events a trail records only management calls (bucket creation, policy changes) and cannot show who read or modified individual objects.
Remediation Steps
AWS Console
Navigate to S3.
Select the S3 Bucket and click Properties.
In AWS CloudTrail data events, click Configure in CloudTrail. Create a new CloudTrail if one doesn’t exist. For information about how to create trails in the CloudTrail console, see Creating a Trail with the Console.
If creating a trail: Check the Data events box. Under Data event: S3, check the Read checkbox.
If editing a trail: Under Data event: S3, select Edit and check the Read checkbox.
AWS CLI
To enable S3 bucket object-level logging for read events (note that put-event-selectors replaces the trail's existing event selectors, so include any selectors that are already configured):
aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "ReadOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]'
CloudFormation
Ensure that there is at least one AWS::CloudTrail::Trail with an EventSelectors block containing:
A DataResources block with Type set to AWS::S3::Object and Values set to the ARN for the AWS::S3::Bucket (with a trailing / so that every object in the bucket is covered, as in the CLI example above).
ReadWriteType set to All or ReadOnly.
JSON Example Configuration (other required fields omitted)
{
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "EventSelectors": [
      {
        "DataResources": [
          {
            "Type": "AWS::S3::Object",
            "Values": [
              {
                "Fn::Sub": "arn:${AWS::Partition}:s3:::"
              }
            ]
          }
        ],
        "ReadWriteType": "ReadOnly"
      }
    ]
  }
}
YAML Example Configuration
Type: AWS::CloudTrail::Trail
Properties:
  EventSelectors:
    - DataResources:
        - Type: AWS::S3::Object
          Values:
            - !Sub "arn:${AWS::Partition}:s3:::"
      ReadWriteType: ReadOnly
  # other required fields here
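The same condition this rule describes can be checked offline against either the output of aws cloudtrail get-event-selectors (the CLI section above) or the EventSelectors property of an AWS::CloudTrail::Trail resource (the CloudFormation section above), since both carry the same ReadWriteType / DataResources shape. The following is an added example, not code from the page or from any vendor tool: the sample API response and template resource are constructed, the bucket names in them are made up, and the Fn::Sub handling covers only the ${AWS::Partition} substitution used on this page (any other unresolved intrinsic is treated as unknown and therefore not as coverage).

```python
"""Check whether CloudTrail event selectors log S3 object-level read events for a bucket."""
import json

# Constructed sample in the shape returned by `aws cloudtrail get-event-selectors`.
# Bucket names and account id are made up.
SAMPLE_GET_EVENT_SELECTORS = json.loads("""
{
  "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail",
  "EventSelectors": [
    {
      "ReadWriteType": "WriteOnly",
      "IncludeManagementEvents": true,
      "DataResources": [
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::logs-only-writes/"]}
      ]
    },
    {
      "ReadWriteType": "ReadOnly",
      "IncludeManagementEvents": true,
      "DataResources": [
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::sensitive-data/"]}
      ]
    }
  ]
}
""")

# Constructed sample AWS::CloudTrail::Trail resource, as it would appear in a
# CloudFormation template after JSON/YAML parsing (other required fields omitted).
SAMPLE_CFN_TRAIL = {
    "Type": "AWS::CloudTrail::Trail",
    "Properties": {
        "EventSelectors": [
            {
                "DataResources": [
                    {
                        "Type": "AWS::S3::Object",
                        "Values": [{"Fn::Sub": "arn:${AWS::Partition}:s3:::sensitive-data/"}],
                    }
                ],
                "ReadWriteType": "ReadOnly",
            }
        ]
    },
}

# ReadWriteType values that include read (GetObject) events.
READ_COVERING = {"ReadOnly", "All"}


def _resolve_value(value, partition="aws"):
    """Turn a DataResources value into a plain ARN string, or None if unknown.

    Handles a plain string or {"Fn::Sub": "..."} where the only variable is
    ${AWS::Partition}. Anything else (Ref, Fn::Join, other ${...} variables)
    cannot be resolved offline and is reported as None.
    """
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and isinstance(value.get("Fn::Sub"), str):
        resolved = value["Fn::Sub"].replace("${AWS::Partition}", partition)
        return None if "${" in resolved else resolved
    return None


def bucket_read_events_logged(event_selectors, bucket_name, partition="aws"):
    """Return True if some selector logs S3 object read events for bucket_name.

    CloudTrail matches data resource values as ARN prefixes, so both
    "arn:aws:s3:::" (all buckets) and "arn:aws:s3:::bucket/" (all objects in
    one bucket) cover the bucket's objects. ReadWriteType defaults to All.
    """
    object_arn_prefix = f"arn:{partition}:s3:::{bucket_name}/"
    for selector in event_selectors:
        if selector.get("ReadWriteType", "All") not in READ_COVERING:
            continue  # WriteOnly selectors never record GetObject
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue  # e.g. AWS::Lambda::Function data resources
            for raw in resource.get("Values", []):
                value = _resolve_value(raw, partition)
                if value is not None and object_arn_prefix.startswith(value):
                    return True
    return False


def cfn_trail_logs_bucket_reads(trail_resource, bucket_name, partition="aws"):
    """Apply the check to a parsed AWS::CloudTrail::Trail template resource."""
    selectors = trail_resource.get("Properties", {}).get("EventSelectors", [])
    return bucket_read_events_logged(selectors, bucket_name, partition)


if __name__ == "__main__":
    api_selectors = SAMPLE_GET_EVENT_SELECTORS["EventSelectors"]
    for bucket in ("sensitive-data", "logs-only-writes", "unlogged"):
        print(bucket, "reads logged:", bucket_read_events_logged(api_selectors, bucket))
    print("template covers sensitive-data:", cfn_trail_logs_bucket_reads(SAMPLE_CFN_TRAIL, "sensitive-data"))
```

A trail configured with AdvancedEventSelectors instead of EventSelectors is not covered by this check; get-event-selectors then returns the advanced selectors, which use a different field-selector syntax and would need their own evaluation.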