
Rule to Ensure Object-Level Logging for Read Events in S3 Bucket

This rule checks that object-level logging of read events (CloudTrail S3 data events) is enabled for an S3 bucket.

Rule: Ensure that object-level logging for read events is enabled for S3 bucket
Framework: cis_v140
Severity: High

Rule Description:

This rule ensures that object-level logging for read events is enabled for an S3 bucket, as required by control 3.11 of the CIS AWS Foundations Benchmark version 1.4.0 (cis_v140). Object-level logging means CloudTrail S3 data events: a trail whose event selectors record object read operations (such as GetObject) on the bucket. It is distinct from S3 server access logging, which is configured on the bucket itself, is delivered on a best-effort basis, and does not satisfy this control.

Troubleshooting Steps:

If object-level logging for read events is not enabled for the S3 bucket, check the following:

  1. Object-level logging is configured on a CloudTrail trail, not in the bucket policy. A bucket policy statement that allows s3:GetObject controls who may read the objects; it does not cause any read to be logged, and granting it to "Principal": {"AWS": "*"} would expose the objects to anyone. The only bucket policy that matters for this rule is the one on the bucket that receives the CloudTrail logs, which must allow the CloudTrail service principal to check the bucket ACL and write log objects:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::log_bucket_name"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::log_bucket_name/AWSLogs/account_id/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

Replace log_bucket_name with the name of the bucket that receives the CloudTrail logs and account_id with the ID of the account that owns the trail.

  2. Ensure that a trail in the account (or the organization trail) is actively logging, applies to the Region the bucket is in (a multi-region trail avoids gaps), and has an event selector for S3 object read events that covers this bucket. The trail delivers its logs to a centralized S3 bucket and, optionally, to CloudWatch Logs.

  3. Verify that the log-destination bucket policy above is in place and, if that bucket is encrypted with SSE-KMS, that the key policy allows cloudtrail.amazonaws.com to use the key. If delivery fails, the trail records nothing and no read events appear.

Remediation:

To enable object-level logging for read events in an S3 bucket, configure S3 data events on a CloudTrail trail:

  1. Open the AWS CloudTrail console and choose Trails.

  2. Select the trail that should record the bucket's events, or create one if none exists.

  3. In the Data events section, choose Edit.

  4. Choose S3 as the data event type and select Read events. Select both Read and Write events if the same trail must also satisfy the companion control for write events.

  5. Select the bucket for which reads should be logged, or all current and future buckets in the account.

  6. Save the changes.

  7. Confirm that the trail is logging and that the policy on its log-destination bucket allows CloudTrail to write, as described in the troubleshooting steps.

  8. Note that data events are billed separately from management events; a busy bucket can generate a large volume of read events, so plan the log bucket's lifecycle rules and cost accordingly.

CLI Command:

To enable object-level logging for read events in an S3 bucket using the AWS Command Line Interface (CLI), follow these steps:

  1. Open a terminal or command prompt.

  2. Run the following command to add an S3 read data-event selector to the trail:

aws cloudtrail put-event-selectors --region region_name --trail-name trail_name --event-selectors '[{"ReadWriteType": "ReadOnly", "IncludeManagementEvents": true, "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::bucket_name/"]}]}]'

Replace region_name with the trail's home Region, trail_name with the name of the trail, and bucket_name with the name of your S3 bucket. The trailing slash in the ARN selects every object in the bucket; the value "arn:aws:s3:::" alone covers all buckets in the account. put-event-selectors replaces the trail's entire selector list, so include any existing selectors (for example the write-event selector for the companion control) in the same call, or use "ReadWriteType": "All" to record both reads and writes.

  3. Verify the change:

aws cloudtrail get-event-selectors --region region_name --trail-name trail_name

The output should contain an event selector whose ReadWriteType is All or ReadOnly and whose DataResources include an AWS::S3::Object entry listing the bucket.

Note: aws s3api put-bucket-logging configures S3 server access logging, a separate best-effort mechanism that does not satisfy this rule. Ensure that you have the necessary permissions (cloudtrail:PutEventSelectors and cloudtrail:GetEventSelectors) and that the AWS CLI is configured with the appropriate credentials.
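The following script is an added example, not part of this page or of Cloud Defense's or AWS's own tooling. It shows the audit side of the remediation above: given the JSON that `aws cloudtrail get-event-selectors` (or boto3 `get_event_selectors`) returns for a trail, it decides whether S3 object read events are logged for a named bucket, handling both basic event selectors and advanced event selectors, and it builds the `--event-selectors` payload for `put-event-selectors`. The trail ARNs, the account ID 111111111111 and the bucket names are constructed samples, so it runs offline on saved CLI output.

```python
"""Audit CloudTrail event selectors for S3 object-level read logging.

Added example for this page (not Cloud Defense's or AWS's code). Input is
the dict returned by `aws cloudtrail get-event-selectors`; all trails and
buckets below are constructed samples.
"""
import json

ALL_BUCKETS = "arn:aws:s3:::"  # an S3 data resource with no bucket = every bucket


def bucket_wide_arns(bucket):
    """ARN spellings that cover every object in `bucket`, or every bucket."""
    return {ALL_BUCKETS, f"arn:aws:s3:::{bucket}/", f"arn:aws:s3:::{bucket}"}


def classic_selector_logs_reads(selector, bucket):
    """Basic event selector: ReadWriteType plus a DataResources list."""
    if selector.get("ReadWriteType", "All") not in ("All", "ReadOnly"):
        return False  # WriteOnly: reads are not recorded
    for resource in selector.get("DataResources", []):
        if resource.get("Type") != "AWS::S3::Object":
            continue
        # A value with an object prefix (bucket/prefix/) logs only part of the
        # bucket, so only bucket-wide or account-wide values count as compliant.
        if any(v in bucket_wide_arns(bucket) for v in resource.get("Values", [])):
            return True
    return False


def advanced_selector_logs_reads(selector, bucket):
    """Advanced event selector: FieldSelectors with Equals/StartsWith/... operators."""
    fields = {fs["Field"]: fs for fs in selector.get("FieldSelectors", [])}
    if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
        return False
    if fields.get("resources.type", {}).get("Equals") != ["AWS::S3::Object"]:
        return False
    if fields.get("readOnly", {}).get("Equals") == ["false"]:
        return False  # writes only; an absent readOnly field means reads and writes
    arn = fields.get("resources.ARN")
    if arn is None:
        return True  # no ARN constraint: every bucket is in scope
    if any(op in arn for op in ("NotEquals", "NotStartsWith", "NotEndsWith")):
        return False  # exclusions present: not provably bucket-wide, flag for review
    wanted = bucket_wide_arns(bucket)
    return any(v in wanted for v in arn.get("Equals", []) + arn.get("StartsWith", []))


def read_events_logged(trail_selectors, bucket):
    """True if any selector on the trail records S3 object reads for `bucket`."""
    classic = trail_selectors.get("EventSelectors", [])
    advanced = trail_selectors.get("AdvancedEventSelectors", [])
    return (any(classic_selector_logs_reads(s, bucket) for s in classic)
            or any(advanced_selector_logs_reads(s, bucket) for s in advanced))


def build_read_selectors(bucket, keep_writes=True):
    """Payload for `aws cloudtrail put-event-selectors --event-selectors`.

    put-event-selectors replaces the whole list, so by default this emits an
    "All" selector so that write events stay logged alongside reads.
    """
    return [{
        "ReadWriteType": "All" if keep_writes else "ReadOnly",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": "AWS::S3::Object",
                           "Values": [f"arn:aws:s3:::{bucket}/"]}],
    }]


# Constructed sample get-event-selectors output for three trails.
TRAIL_READ_ONLY = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/audit-trail",
    "EventSelectors": [{"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,
                        "DataResources": [{"Type": "AWS::S3::Object",
                                           "Values": ["arn:aws:s3:::finance-reports/"]}]}],
}
TRAIL_WRITE_ONLY = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/write-trail",
    "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
                        "DataResources": [{"Type": "AWS::S3::Object",
                                           "Values": ["arn:aws:s3:::"]}]}],
}
TRAIL_ADVANCED = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/adv-trail",
    "AdvancedEventSelectors": [{"Name": "All S3 object reads", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "readOnly", "Equals": ["true"]},
    ]}],
}


def main():
    for trail in (TRAIL_READ_ONLY, TRAIL_WRITE_ONLY, TRAIL_ADVANCED):
        for bucket in ("finance-reports", "public-assets"):
            status = "PASS" if read_events_logged(trail, bucket) else "FAIL"
            print(f"{status} {trail['TrailARN'].rsplit('/', 1)[1]:<12} {bucket}")
    print(json.dumps(build_read_selectors("finance-reports")))


if __name__ == "__main__":
    main()
```

In a real audit, feed the script the output of `aws cloudtrail get-event-selectors` for every trail in the account and treat the bucket as compliant only if at least one active trail passes; a selector limited to an object prefix or carrying ARN exclusions is reported as a failure on purpose, because partial coverage is what a reviewer most often finds.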

Compliance:

By enabling object-level logging for read events in the S3 bucket, you satisfy control 3.11 of the CIS AWS Foundations Benchmark version 1.4.0 (cis_v140), which requires that S3 object read events are recorded by CloudTrail.
