
Ensure Object-Level Logging Rule

This rule ensures that Object-level logging for read events is enabled for the S3 bucket.

Rule: Ensure that Object-level logging for read events is enabled for S3 bucket
Framework: cis_v150
Severity: Critical

Rule Description

The rule ensures that Object-level logging for read events is enabled for the specified S3 bucket, following the CIS AWS Foundations Benchmark version 1.5.0.

Rule Details

Object-level logging for read events provides detailed monitoring and auditing of read activity on objects within an S3 bucket. With this feature enabled, the bucket owner can track who accessed the objects, when each access occurred, and where the access came from.

Troubleshooting Steps

  1. Verify Compliance Rule Status: Check the compliance status of the rule in the AWS Config console or CLI.
  2. Confirm Bucket Name: Ensure that the S3 bucket name matches the designated bucket for compliance checks (cis_v150).
  3. Check Bucket Logging Configuration: Confirm that the bucket's logging configuration has Object-level logging for read events enabled.
  4. Review IAM Permissions: Validate that the relevant IAM user or role has the necessary permissions to configure bucket logging and access logs.

Remediation Steps

To enable Object-level logging for read events for the specified S3 bucket, follow the steps below:

  1. AWS Management Console:

    • Sign in to the AWS Management Console.
    • Open the S3 service.
    • Locate and click on the desired bucket (cis_v150).
    • Select the "Properties" tab.
    • Under the "Server access logging" section, click on "Edit".
    • Enable the "Server access logging" option.
    • In the "Target bucket" field, enter the ARN (Amazon Resource Name) of the target bucket where the access logs will be stored.
    • In the "Target prefix" field, specify the desired prefix for the access log objects.
    • Click on "Save".

  2. AWS CLI:

    • Open the AWS CLI or any terminal with AWS CLI configured.
    • Run the following command to enable Object-level logging for read events:

      aws s3api put-bucket-logging --bucket cis_v150 --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "target-bucket", "TargetPrefix": "logs/"}}'

    Replace cis_v150 with the name of the S3 bucket and target-bucket with the name of the bucket where the access logs should be stored. The TargetBucket value must be the bucket name, not its ARN (bucket names cannot contain colons, so an ARN-form value is rejected). Additionally, "logs/" can be replaced with the desired prefix for the access log objects. The target bucket must already grant the S3 log delivery service permission to write objects into it, otherwise the request is rejected.

Verification

To verify that Object-level logging for read events is enabled for the S3 bucket (cis_v150):

  1. AWS Management Console:

    • Sign in to the AWS Management Console.
    • Open the S3 service.
    • Locate and click on the desired bucket (cis_v150).
    • Select the "Properties" tab.
    • Under the "Server access logging" section, confirm that the settings are enabled and the correct target bucket and prefix are specified.
    • Review the access logs in the target bucket to ensure logging is working as expected.

  2. AWS CLI:

    • Open the AWS CLI or any terminal with AWS CLI configured.
    • Run the following command to retrieve the bucket logging configuration:

      aws s3api get-bucket-logging --bucket cis_v150

    Validate that the response reflects the enabled status and the correct target bucket and prefix configuration.

If the verification steps indicate successful configuration, the Object-level logging for read events is enabled for the specified S3 bucket, ensuring compliance with the CIS AWS Foundations Benchmark version 1.5.0.
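The following Python is an added example, not code from the rule page or from Cloud Defense. It covers both the remediation step (building the BucketLoggingStatus document that put-bucket-logging expects, rejecting an ARN-form target before any API call is made) and the verification step (evaluating the JSON that get-bucket-logging prints against the expected target bucket and prefix, treating empty output as "logging disabled", which is what the CLI prints when no logging configuration exists). The bucket names and sample CLI outputs are constructed. Note that this checks the server access logging configuration the steps above configure; CloudTrail S3 data-event selectors, which record object-level read events separately, are a different setting and are not inspected here.

```python
"""Added example (not from the Cloud Defense rule page): build and check
S3 server access logging configuration. Bucket names are constructed."""
import json
import re

# Subset of the S3 bucket-naming rules: 3-63 chars, lowercase letters,
# digits, dots and hyphens. An ARN can never match because of the colons.
_BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def is_valid_target_bucket(name: str) -> bool:
    """True if `name` is a syntactically valid bucket name (not an ARN)."""
    return bool(_BUCKET_NAME_RE.match(name))


def build_logging_status(target_bucket: str, target_prefix: str = "logs/") -> dict:
    """Return the document passed to `--bucket-logging-status`.

    TargetBucket must be a bucket *name*; an ARN (arn:aws:s3:::name) is
    rejected by the API, so it is rejected here before any call is made.
    """
    if not is_valid_target_bucket(target_bucket):
        raise ValueError("TargetBucket must be a valid bucket name, not an ARN: " + target_bucket)
    return {"LoggingEnabled": {"TargetBucket": target_bucket, "TargetPrefix": target_prefix}}


def evaluate_logging_response(response: dict, expected_target: str, expected_prefix: str) -> list:
    """Return a list of findings; an empty list means the bucket is compliant.

    get-bucket-logging returns no LoggingEnabled block when server access
    logging is disabled, so its absence is itself a finding.
    """
    enabled = response.get("LoggingEnabled")
    if not enabled:
        return ["server access logging is disabled"]
    findings = []
    target = enabled.get("TargetBucket")
    prefix = enabled.get("TargetPrefix", "")
    if target != expected_target:
        findings.append(f"unexpected target bucket: {target!r} (expected {expected_target!r})")
    if prefix != expected_prefix:
        findings.append(f"unexpected target prefix: {prefix!r} (expected {expected_prefix!r})")
    return findings


def evaluate_logging_json(raw: str, expected_target: str, expected_prefix: str) -> list:
    """Same check on the raw CLI output; empty output means logging is off."""
    response = json.loads(raw) if raw.strip() else {}
    return evaluate_logging_response(response, expected_target, expected_prefix)


# Constructed sample outputs of `aws s3api get-bucket-logging --bucket <name>`.
SAMPLE_ENABLED = '{"LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "logs/"}}'
SAMPLE_WRONG_TARGET = '{"LoggingEnabled": {"TargetBucket": "someone-elses-bucket", "TargetPrefix": "logs/"}}'
SAMPLE_DISABLED = ""  # the CLI prints nothing when logging is not configured

if __name__ == "__main__":
    # Document to pass as --bucket-logging-status when remediating.
    print(json.dumps(build_logging_status("example-log-bucket")))
    # Verification over the constructed CLI outputs.
    for label, raw in [("enabled", SAMPLE_ENABLED),
                       ("wrong-target", SAMPLE_WRONG_TARGET),
                       ("disabled", SAMPLE_DISABLED)]:
        print(label, evaluate_logging_json(raw, "example-log-bucket", "logs/") or "compliant")
```

To use it against a real bucket, pipe the output of `aws s3api get-bucket-logging --bucket <name>` into `evaluate_logging_json` with the target bucket and prefix your policy requires; any non-empty list of findings is a compliance failure worth alerting on.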
