Rule: Ensure the S3 Bucket for CloudTrail Logs is Not Publicly Accessible

This rule ensures that the S3 bucket used to store CloudTrail logs is secure and not accessible to the public.

Rule: Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Framework: cis_v140
Severity: Critical

Rule Description:

This rule, from the cis_v140 framework, ensures that the S3 bucket used to store CloudTrail logs is not publicly accessible. A publicly accessible bucket may expose sensitive information to unauthorized entities, compromising the security and confidentiality of the log data.

Remediation:

To remediate this issue, you need to update the S3 bucket's permissions and access control settings to restrict public access. Follow the steps below:

Step 1: Identify the affected S3 bucket

  1. Log in to the AWS Management Console.
  2. Open the S3 service.

Step 2: Review the bucket permissions

  1. Locate the bucket previously used to store CloudTrail logs.
  2. Click on the bucket name to access the bucket details.

Troubleshooting:

If you cannot find the bucket, ensure that you are checking the correct AWS region and have appropriate permissions to access the bucket.

Step 3: Update the bucket policy

  1. Select the "Permissions" tab in the bucket's detail view.
  2. Click on the "Bucket Policy" button.

Troubleshooting:

If you do not have access to modify the bucket policy, contact your AWS account administrator for the necessary permissions.

Step 4: Remove public access permissions

  1. Inside the Bucket Policy editor, remove any policy statements that allow public access (e.g., "Principal": "*").
  2. Save the changes to the bucket policy.

Step 5: Enable block all public access settings

  1. Go back to the main bucket settings in the AWS S3 console.
  2. Access the "Access control" tab.

Troubleshooting:

The "Access control" tab might not be available if you do not have the required permissions. Contact your AWS account administrator for assistance.

Step 6: Configure block public access settings

  1. Click on the "Block public access" option.
  2. Enable all four block public access settings:
    • Block all public access
    • Block public access to buckets and objects granted through new access control lists (ACLs)
    • Block public access to buckets and objects granted through any access control lists (ACLs)
    • Block public access to buckets and objects granted through new public bucket or access point policies
  3. Save the changes.

Step 7: Verify the changes

  1. Review the bucket policy to ensure that public access permissions have been removed.
  2. Confirm that the block public access settings are enabled.

Troubleshooting:

If the bucket policy still allows public access or the block public access settings are not enabled, repeat the previous steps and ensure that all changes are saved correctly.

Verification:

To verify if the S3 bucket used for storing CloudTrail logs is no longer publicly accessible, you can perform the following steps:

  1. Access the AWS S3 console.
  2. Locate the previously identified bucket.
  3. Check the bucket's permission settings to ensure no public access permissions are present.
  4. Confirm that the block public access settings are enabled.

If the bucket is no longer publicly accessible, you have successfully remediated the issue.
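The remediation steps above (remove public statements from the bucket policy, enable the four Block Public Access settings) and the verification steps can also be done programmatically. The following is an added example, not Cloud Defense's own tooling: the policy-analysis functions are pure and run offline against a constructed sample policy, while the boto3 calls at the bottom are an assumption about how the result would be applied to a real bucket (the bucket name and ARNs are made up). The four settings are given under the names the S3 API uses (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets), which correspond to the four console toggles in Step 6.

```python
"""Audit and harden the S3 bucket that stores CloudTrail logs.

Added example, not Cloud Defense's own tooling. The policy-analysis functions
are pure and run offline against the constructed sample policy below; the
boto3 calls at the bottom are an assumption about how the result would be
applied and only run when the script is invoked directly with a bucket name.
"""
import json

# The four S3 Block Public Access settings, under the names the S3 API uses.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _as_list(value):
    """Policy fields such as Statement or Principal may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for "Principal": "*" or {"AWS": "*"}, the grants Step 4 tells you to remove."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy: dict) -> list:
    """Return the Allow statements that grant access to an anonymous principal.

    Statements that carry a Condition are still reported: a condition may or
    may not narrow the grant, so they deserve review rather than silent trust.
    """
    return [
        stmt for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal"))
    ]


def strip_public_statements(policy: dict) -> dict:
    """Return a copy of the policy with the public Allow statements removed."""
    public = find_public_statements(policy)
    cleaned = dict(policy)
    cleaned["Statement"] = [s for s in _as_list(policy.get("Statement")) if s not in public]
    return cleaned


def public_access_fully_blocked(config: dict) -> bool:
    """Verification step: every setting in a PublicAccessBlockConfiguration must be true."""
    return all(config.get(k) is True for k in HARDENED_PUBLIC_ACCESS_BLOCK)


# Constructed sample: the two statements CloudTrail itself needs to write to
# the bucket, plus a public read grant that must be removed. Bucket name is made up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-trail-logs"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-trail-logs/AWSLogs/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-trail-logs/*"},
    ],
}


if __name__ == "__main__":
    import sys
    import boto3  # assumption: boto3 is installed and credentials are configured

    bucket = sys.argv[1]
    s3 = boto3.client("s3")
    # get_bucket_policy raises NoSuchBucketPolicy if the bucket has no policy at all.
    policy = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    public = find_public_statements(policy)
    print(f"{len(public)} public statement(s) in the policy of {bucket}")
    if public:  # Step 4: remove the public grants and save the policy
        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(strip_public_statements(policy)))
    # Steps 5 and 6: turn on all four Block Public Access settings
    s3.put_public_access_block(Bucket=bucket,
                               PublicAccessBlockConfiguration=HARDENED_PUBLIC_ACCESS_BLOCK)
    # Step 7 / Verification: read the settings back
    current = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    print("block public access fully enabled:", public_access_fully_blocked(current))
```

Run it as `python audit_trail_bucket.py <bucket-name>` with credentials that can read and write the bucket policy and public access block. Note that the script only handles the bucket policy; a bucket can also be public through its ACL, which the RestrictPublicBuckets and IgnorePublicAcls settings neutralize once they are on, so the final read-back of the configuration is the check that matters.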

Additional Notes:

Remember to regularly review your S3 bucket access controls and permissions to ensure the ongoing security of your CloudTrail logs. Monitoring and auditing your AWS environment for any changes to bucket policies or security configurations is also recommended.
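Monitoring for changes to the log bucket's policy or Block Public Access settings can be done from CloudTrail's own management events, since every PutBucketPolicy or PutBucketPublicAccessBlock call is itself recorded. The following is an added example, not Cloud Defense's own detection content: it triages constructed CloudTrail records (the bucket name, account, principals and addresses are made up) and reports the calls that loosen the log bucket's access controls while ignoring the remediation itself.

```python
"""Flag CloudTrail management events that loosen the CloudTrail log bucket's access controls.

Added example, not Cloud Defense's own detection content. The records below
are constructed to follow the CloudTrail event record layout; the bucket
name, account, principals and addresses are made up.
"""

LOG_BUCKET = "example-trail-logs"  # assumption: the bucket identified in Step 2

# S3 control-plane calls that can re-open the bucket or weaken its policy.
SENSITIVE_EVENTS = {
    "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
    "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
}
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def weakened_block_settings(request_params: dict) -> list:
    """Settings that a PutBucketPublicAccessBlock call turned off (set to false)."""
    cfg = request_params.get("PublicAccessBlockConfiguration") or {}
    return [k for k in BLOCK_SETTINGS if cfg.get(k) is False]


def triage_event(event: dict):
    """Return a finding for an event that weakens LOG_BUCKET's access controls, else None."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return None
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name not in SENSITIVE_EVENTS or params.get("bucketName") != LOG_BUCKET:
        return None
    finding = {
        "time": event.get("eventTime"),
        "event": name,
        "actor": (event.get("userIdentity") or {}).get("arn"),
        "source_ip": event.get("sourceIPAddress"),
    }
    if name == "PutBucketPublicAccessBlock":
        weakened = weakened_block_settings(params)
        if not weakened:
            return None  # all four settings left on: this is the remediation itself
        finding["weakened"] = weakened
    return finding


def scan(records) -> list:
    """Run triage over an iterable of CloudTrail records and keep the findings."""
    return [f for f in (triage_event(r) for r in records) if f is not None]


def _record(name, bucket, actor="arn:aws:iam::111122223333:role/Admin", **extra_params):
    """Build a constructed CloudTrail record (only the fields the triage reads)."""
    return {
        "eventTime": "2024-01-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": name, "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"arn": actor},
        "requestParameters": {"bucketName": bucket, **extra_params},
    }


# Constructed sample log: one benign remediation, one change to an unrelated
# bucket, one read-only call, and two changes that weaken the log bucket.
SAMPLE_RECORDS = [
    _record("PutBucketPublicAccessBlock", LOG_BUCKET,
            PublicAccessBlockConfiguration={k: True for k in BLOCK_SETTINGS}),
    _record("PutBucketPolicy", "example-website-assets"),
    _record("GetBucketPolicy", LOG_BUCKET),
    _record("PutBucketPublicAccessBlock", LOG_BUCKET,
            actor="arn:aws:iam::111122223333:user/contractor",
            PublicAccessBlockConfiguration={"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}),
    _record("DeleteBucketPolicy", LOG_BUCKET, actor="arn:aws:iam::111122223333:user/contractor"),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

In practice the records would come from the CloudTrail log files in the bucket itself (the `Records` array of each delivered JSON file) or from an EventBridge rule on the same event names; the triage function is the same either way. A PutBucketPolicy finding only tells you the policy changed, so the natural follow-up is to re-run the policy audit from the remediation example against the new policy.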
