
Ensure Object-Level Logging for Write Events Rule

This rule ensures that object-level logging for write events is enabled for each S3 bucket.

Rule: Ensure that object-level logging for write events is enabled for S3 bucket
Framework: cis_v130
Severity: Critical

Ensure Object-level Logging for Write Events is Enabled for S3 Bucket (CIS v1.3.0)

Object-level logging in AWS S3 buckets records access requests for S3 objects. CIS (Center for Internet Security) benchmarks recommend enabling it, especially for write events, to help in security and access auditing. This can enhance the ability of administrators to trace who is making changes to the S3 objects.

Description of the Rule

The rule requires that for every S3 bucket in your AWS account, object-level logging is enabled for write events via AWS CloudTrail. This means that for any PUT, POST, COPY, or multi-part upload operations, a log record is created.

Object-level logging can capture important details like:

  • The user who made the request
  • The time of the request
  • The source IP address from which the request was made
  • Details on the requested object
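To make the four details listed above concrete, the following added example (not code from the original page or from Cloud Defense) parses a constructed CloudTrail log containing S3 data-event records, pulls out who made each write, when, from which source IP, and against which object, and then flags writes whose source address falls outside an allow-list of networks. The account id, ARNs, bucket name and IP addresses are placeholders; the field names follow the CloudTrail record format.

```python
import ipaddress
import json

# Constructed sample CloudTrail log (not from a real account): three S3 data-event
# records in the CloudTrail record format, with placeholder account id, ARNs and IPs.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "accountId": "111122223333", "userName": "alice"},
        "eventTime": "2024-01-15T10:12:33Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
        "readOnly": False,
        "resources": [{"type": "AWS::S3::Object",
                       "ARN": "arn:aws:s3:::example-bucket/reports/q1.csv"}],
        "eventCategory": "Data",
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1",
                         "arn": "arn:aws:iam::111122223333:user/alice",
                         "accountId": "111122223333", "userName": "alice"},
        "eventTime": "2024-01-15T10:13:02Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
        "readOnly": True,
        "eventCategory": "Data",
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE2:ci-session",
                         "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-session",
                         "accountId": "111122223333"},
        "eventTime": "2024-01-15T23:41:09Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.77",
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
        "readOnly": False,
        "eventCategory": "Data",
    },
]})


def summarize_writes(log_text):
    """Return who/when/from-where/what for each S3 object write event in a CloudTrail log.

    A record counts as a write when it is an S3 data event whose readOnly flag is false;
    records without the flag are skipped rather than guessed at.
    """
    summaries = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventCategory") != "Data":
            continue
        if rec.get("readOnly") is not False:
            continue
        identity = rec.get("userIdentity", {})
        params = rec.get("requestParameters", {})
        summaries.append({
            "who": identity.get("arn") or identity.get("principalId", "unknown"),
            "when": rec.get("eventTime"),
            "source_ip": rec.get("sourceIPAddress"),
            "action": rec.get("eventName"),
            "object": "s3://%s/%s" % (params.get("bucketName", "?"), params.get("key", "")),
        })
    return summaries


def writes_from_unexpected_sources(summaries, allowed_cidrs):
    """Return the write summaries whose source IP lies outside every allowed network.

    Sources that are not IP addresses (CloudTrail can record a service name there)
    are returned too, since they cannot be matched against a CIDR and merit review.
    """
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for s in summaries:
        try:
            addr = ipaddress.ip_address(s["source_ip"])
        except ValueError:
            flagged.append(s)
            continue
        if not any(addr in net for net in networks):
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    writes = summarize_writes(SAMPLE_LOG)
    for w in writes:
        print(w)
    for w in writes_from_unexpected_sources(writes, ["203.0.113.0/24"]):
        print("REVIEW:", w["who"], w["action"], w["object"], "from", w["source_ip"])
```

The GetObject record is dropped because it is a read; the DeleteObject by the assumed role is kept and, with only 203.0.113.0/24 on the allow-list, is the one surfaced for review. The allow-list itself is an assumption of the example, standing in for whatever networks a given team expects writes to originate from.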

Troubleshooting Steps

If object-level logging is not enabled:

  1. Confirm that AWS CloudTrail is active in your region.
  2. Confirm that the required S3 bucket exists and logging is not already enabled.

Enabling Object-Level Logging with AWS CLI

If logging is not enabled, you can use the AWS Command Line Interface (CLI) to remedy this:

Step-by-Step Guide for Remediation

  1. Verify AWS CloudTrail status

     To ensure CloudTrail is set up and running, use the command:

       aws cloudtrail describe-trails

     This lists all trails. Confirm that at least one trail applies to all regions.

  2. Enable logging for an S3 bucket

     Use the put-bucket-logging command to enable access logging:

       aws s3api put-bucket-logging --bucket BUCKET_NAME --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "LOG_BUCKET_NAME", "TargetPrefix": "LOG_PREFIX"}}'

     Replace BUCKET_NAME with the name of your S3 bucket, LOG_BUCKET_NAME with the bucket where you want logs to be stored, and LOG_PREFIX with a prefix for log file names.

  3. Create and configure an S3 event selector for write events

     First, get your trail name from the describe-trails output, then use it to add an event selector with the put-event-selectors command:

       aws cloudtrail put-event-selectors --trail-name TRAIL_NAME --event-selectors '[{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": true, "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::BUCKET_NAME/"]}]}]'

     Replace TRAIL_NAME with your CloudTrail trail's name and BUCKET_NAME with the name of your S3 bucket. The trailing slash on the bucket ARN selects every object in the bucket.

  4. Verify the event selector configuration

     Ensure the event selector is properly configured by using:

       aws cloudtrail get-event-selectors --trail-name TRAIL_NAME

     Confirm that the output shows the event selector for the specified bucket and that ReadWriteType is set to WriteOnly.

  5. Review the logging status

     You can check the status of the object-level logging for your bucket with the get-bucket-logging command:

       aws s3api get-bucket-logging --bucket BUCKET_NAME

     Verify that the logging is enabled and correctly configured.
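Step 4 asks you to read the get-event-selectors output by eye. The following added example (not code from the original page or from Cloud Defense) automates that check: it takes the JSON the command prints and decides whether a named bucket has write data events logged for all of its objects. It handles both the classic EventSelectors shape produced by the put-event-selectors command above and the AdvancedEventSelectors shape that trails created in the console often use; a selector that names only an object prefix, or that is ReadOnly, does not count. One caveat worth knowing when you reach step 5: get-bucket-logging reports S3 server access logging, which is a separate feature from CloudTrail data events, so the selector check here is the one that speaks to the CIS control itself. The trail ARN and bucket names in the sample outputs are constructed placeholders.

```python
import json

# CloudTrail represents "every S3 bucket" in a classic selector with one of these values.
ALL_BUCKETS = {"arn:aws:s3", "arn:aws:s3:::"}


def _bucket_arns(bucket_name):
    """The two ARN spellings that cover a whole bucket (with and without trailing slash)."""
    base = "arn:aws:s3:::" + bucket_name
    return {base, base + "/"}


def _classic_selector_covers(selector, bucket_name):
    """Classic EventSelectors entry: WriteOnly or All, with an S3 object resource
    naming either every bucket or this whole bucket (an object prefix covers only part)."""
    if selector.get("ReadWriteType", "All") not in ("WriteOnly", "All"):
        return False
    wanted = _bucket_arns(bucket_name)
    for res in selector.get("DataResources", []):
        if res.get("Type") != "AWS::S3::Object":
            continue
        for value in res.get("Values", []):
            if value in ALL_BUCKETS or value in wanted:
                return True
    return False


def _advanced_selector_covers(selector, bucket_name):
    """AdvancedEventSelectors entry: Data category, S3 object type, readOnly absent or
    "false", and either no ARN restriction or one that names this whole bucket."""
    fields = {f["Field"]: f for f in selector.get("FieldSelectors", [])}
    if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
        return False
    if fields.get("resources.type", {}).get("Equals") != ["AWS::S3::Object"]:
        return False
    read_only = fields.get("readOnly")
    if read_only is not None and read_only.get("Equals") != ["false"]:
        return False
    arn_sel = fields.get("resources.ARN")
    if arn_sel is None:
        return True  # no ARN restriction: every bucket is logged
    wanted = _bucket_arns(bucket_name)
    for value in arn_sel.get("NotEquals", []) + arn_sel.get("NotStartsWith", []):
        if value in wanted or value in ALL_BUCKETS:
            return False  # this bucket is explicitly excluded
    for value in arn_sel.get("Equals", []) + arn_sel.get("StartsWith", []):
        if value in wanted or value == "arn:aws:s3:::":
            return True
    return False


def bucket_has_write_data_events(get_event_selectors_output, bucket_name):
    """True when the JSON printed by `aws cloudtrail get-event-selectors --trail-name ...`
    logs write data events for every object in bucket_name."""
    doc = json.loads(get_event_selectors_output)
    if any(_classic_selector_covers(s, bucket_name) for s in doc.get("EventSelectors", [])):
        return True
    return any(_advanced_selector_covers(s, bucket_name)
               for s in doc.get("AdvancedEventSelectors", []))


# Constructed sample outputs (placeholder trail ARN and bucket names, not real ones).
_TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"
WRITE_ONLY_FOR_BUCKET = json.dumps({"TrailARN": _TRAIL, "EventSelectors": [
    {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::example-bucket/"]}]}]})
READ_ONLY_FOR_BUCKET = json.dumps({"TrailARN": _TRAIL, "EventSelectors": [
    {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,
     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::example-bucket/"]}]}]})
ADVANCED_ALL_BUCKETS = json.dumps({"TrailARN": _TRAIL, "AdvancedEventSelectors": [
    {"Name": "S3 writes", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "readOnly", "Equals": ["false"]}]}]})
ADVANCED_PREFIX_ONLY = json.dumps({"TrailARN": _TRAIL, "AdvancedEventSelectors": [
    {"Name": "S3 writes, images only", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::example-bucket/images/"]}]}]})

if __name__ == "__main__":
    for label, doc in [("write-only, this bucket", WRITE_ONLY_FOR_BUCKET),
                       ("read-only, this bucket", READ_ONLY_FOR_BUCKET),
                       ("advanced, all buckets", ADVANCED_ALL_BUCKETS),
                       ("advanced, one prefix", ADVANCED_PREFIX_ONLY)]:
        print(label, "->", bucket_has_write_data_events(doc, "example-bucket"))
```

To use it against a live trail, pipe the command output into the function, for example by reading stdin: `aws cloudtrail get-event-selectors --trail-name TRAIL_NAME | python3 check.py`, with `check.py` calling `bucket_has_write_data_events(sys.stdin.read(), "your-bucket")`. Run it once per trail; a bucket is compliant if any trail that covers its region returns True.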

By following these steps, you ensure compliance with the CIS v1.3.0 benchmark regarding S3 bucket object-level logging for write events. Properly configured logging is essential for maintaining the security and integrity of your AWS resources, since it gives you an auditable record of who changed which objects, when, and from where.
