S3 bucket object-level logging for read events should be enabled


Object-level S3 events (GetObject, DeleteObject, and PutObject) are not logged by default. Enabling object-level logging is a recommended security best practice for buckets that contain sensitive data.

Console Remediation Steps

  • Navigate to S3.

  • Select the S3 Bucket and click Properties.

  • In AWS CloudTrail data events, click Configure in CloudTrail. Create a new CloudTrail if one doesn’t exist. For information about how to create trails in the CloudTrail console, see Creating a Trail with the Console.

    • If creating a trail: Check the Data events box. Under Data event: S3, check the Read checkbox.

    • If editing a trail: Under Data event: S3, select Edit and check the Read checkbox.

CLI Remediation Steps

  • To enable S3 bucket object-level logging:

aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "ReadOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]'
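
Note that put-event-selectors replaces the event selectors already configured on the trail, so running the command above on a trail that logs write events would leave it logging reads only. The following added example (not part of the original page or of AWS tooling) checks the JSON returned by aws cloudtrail get-event-selectors for read coverage of a bucket and builds a selector list that keeps the existing selectors. The bucket name, trail ARN and function names are hypothetical, and only basic event selectors are handled, not AdvancedEventSelectors.

```python
import json

S3_OBJECT = "AWS::S3::Object"

# Constructed sample of `aws cloudtrail get-event-selectors` output: the trail
# logs only write data events for the (hypothetical) bucket.
SAMPLE = json.loads("""{
  "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail",
  "EventSelectors": [{
    "ReadWriteType": "WriteOnly",
    "IncludeManagementEvents": true,
    "DataResources": [{"Type": "AWS::S3::Object",
                       "Values": ["arn:aws:s3:::example-sensitive-bucket/"]}]
  }]
}""")

def covers_bucket(value, bucket):
    """True if a DataResources value covers every object in `bucket`."""
    # "arn:aws:s3" selects all buckets in the account;
    # "arn:aws:s3:::<bucket>/" selects all objects in one bucket.
    # A longer prefix (e.g. ".../logs/") covers only part of the bucket.
    return value.rstrip(":") == "arn:aws:s3" or value == f"arn:aws:s3:::{bucket}/"

def read_events_logged(selectors, bucket):
    """True if a basic event selector logs read data events for `bucket`."""
    for sel in selectors.get("EventSelectors") or []:
        # ReadWriteType defaults to "All" when it is omitted.
        if sel.get("ReadWriteType", "All") not in ("ReadOnly", "All"):
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") == S3_OBJECT and any(
                    covers_bucket(v, bucket) for v in res.get("Values", [])):
                return True
    return False

def with_read_logging(selectors, bucket):
    """Return the existing selectors plus a ReadOnly one, if it is missing."""
    current = list(selectors.get("EventSelectors") or [])
    if not read_events_logged(selectors, bucket):
        current.append({
            "ReadWriteType": "ReadOnly",
            "IncludeManagementEvents": True,  # same value as the page's command
            "DataResources": [{"Type": S3_OBJECT,
                               "Values": [f"arn:aws:s3:::{bucket}/"]}],
        })
    return current

if __name__ == "__main__":
    # The printed JSON is the value to pass to --event-selectors.
    print(json.dumps(with_read_logging(SAMPLE, "example-sensitive-bucket")))
```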