
Rule: Ensure all S3 buckets log S3 data events in CloudTrail

Check if all S3 buckets are configured to log S3 data events in CloudTrail for compliance.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: CISA-cyber-essentials
Severity: Medium

Rule Description: All S3 buckets should have S3 data events logging enabled in CloudTrail as per CISA Cyber Essentials standards.

Overview:

The rule mandates that all S3 buckets within an organization should have S3 data events logging enabled in CloudTrail. This logging provides visibility into the actions performed on S3 buckets, enabling organizations to meet CISA Cyber Essentials requirements related to monitoring and auditing.

Troubleshooting Steps:

If an S3 bucket does not have S3 data events logging enabled, follow the steps below to troubleshoot the issue:

  1. Verify IAM Permissions: Ensure that the IAM user or role used to configure the S3 bucket has sufficient permissions to enable CloudTrail logging and access the necessary resources.
  2. Check CloudTrail Configuration: Validate that CloudTrail is properly configured, and the logging for S3 data events is enabled at the organization level.
  3. Evaluate S3 Bucket Configuration: Review the S3 bucket configuration to ensure that the correct bucket is being targeted for logging and that the bucket's bucket policy or access control list (ACL) allows CloudTrail to access and write logs.

Necessary Code:

To enable S3 data events logging for an S3 bucket in CloudTrail, perform the following steps:

  1. Ensure the AWS Command Line Interface (CLI) is installed and configured with the necessary credentials.
  2. Open a terminal or command prompt and create the trail:

     aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --include-global-service-events

     Replace <trail-name> with a suitable name for your trail, and <bucket-name> with the name of the S3 bucket you want to enable logging for. Note that --s3-bucket-name on create-trail designates the bucket that receives the trail's log files; the bucket whose data events are recorded is selected through the event selectors in step 4. The two are normally different buckets, since recording data events on the bucket that receives the trail's own log files generates a data event for every log delivery.
  3. Verify the trail creation by checking the CloudTrail configuration:

     aws cloudtrail describe-trails --trail-name-list <trail-name>

     This command returns the details of the trail to confirm that it has been created successfully. A newly created trail does not record anything until logging is started for it with aws cloudtrail start-logging --name <trail-name>; aws cloudtrail get-trail-status --name <trail-name> reports whether IsLogging is true.
  4. Configure the trail to record data events for the bucket:

     aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors file://logging.json

     Ensure you have a JSON file (e.g., logging.json) with the appropriate event selector configuration: a list containing an event selector whose ReadWriteType is All and whose DataResources entry has Type AWS::S3::Object and, in Values, arn:aws:s3:::<bucket-name>/ (use arn:aws:s3 instead to cover every bucket in the account). Replace <trail-name> and <bucket-name> with the names used above. (aws s3api put-bucket-logging configures S3 server access logging, which is a separate feature from CloudTrail data events and does not satisfy this rule.)

Remediation Steps:

If an S3 bucket fails to comply with the rule, follow the steps below to remediate:

  1. Enable S3 data events logging in CloudTrail for the non-compliant bucket using the necessary code mentioned above.
  2. Verify that S3 data events logging is properly enabled by reviewing the CloudTrail configuration.
  3. Monitor the bucket to ensure that the required S3 data events are being logged in CloudTrail.

By following these steps, you can ensure that all S3 buckets within your organization adhere to the CISA Cyber Essentials requirement of enabling S3 data events logging in CloudTrail.
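The compliance check this rule describes, written here as an added Python example that is not part of the original page: it parses the JSON that aws cloudtrail get-event-selectors --trail-name <trail-name> returns (a constructed sample with fictitious bucket names is embedded) and reports, for each bucket, whether its S3 data events are fully logged, logged for reads or writes only, or not logged at all. It assumes the trail uses basic event selectors; a trail configured with advanced event selectors returns them under AdvancedEventSelectors instead and would need a different parser.

```python
import json

S3_ARN_PREFIX = "arn:aws:s3:::"

# Constructed sample in the shape of `aws cloudtrail get-event-selectors` output (fictitious names).
SAMPLE_EVENT_SELECTORS = json.dumps({
    "EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True,
         "DataResources": [{"Type": "AWS::S3::Object",
                            "Values": ["arn:aws:s3:::audit-logs/"]}]},
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False,
         "DataResources": [{"Type": "AWS::S3::Object",
                            "Values": ["arn:aws:s3:::app-uploads/",
                                       "arn:aws:s3:::backups/reports/"]}]},
    ],
})

def parse_s3_value(value):
    """Map one DataResources value to (bucket, whole_bucket); 'arn:aws:s3' means every
    bucket and is returned as '*'; arn:aws:s3:::bucket/path/ covers only that key prefix."""
    if value in ("arn:aws:s3", S3_ARN_PREFIX):
        return "*", True
    if not value.startswith(S3_ARN_PREFIX):
        return None, False  # not an S3 resource ARN
    bucket, _, key_prefix = value[len(S3_ARN_PREFIX):].partition("/")
    return bucket, key_prefix == ""

def whole_bucket_coverage(event_selectors_json):
    """Return {bucket: set of ReadWriteType values} for whole-bucket selections."""
    coverage = {}
    for selector in json.loads(event_selectors_json).get("EventSelectors", []):
        rw_type = selector.get("ReadWriteType", "All")
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue  # Lambda, DynamoDB and other data-resource types do not count here
            for value in resource.get("Values", []):
                bucket, whole = parse_s3_value(value)
                if bucket and whole:
                    coverage.setdefault(bucket, set()).add(rw_type)
    return coverage

def evaluate_buckets(bucket_names, event_selectors_json):
    """Classify each bucket: 'compliant' (reads and writes logged), 'partial' or 'missing'."""
    coverage = whole_bucket_coverage(event_selectors_json)
    verdicts = {}
    for name in bucket_names:
        types = coverage.get(name, set()) | coverage.get("*", set())
        full = "All" in types or {"ReadOnly", "WriteOnly"} <= types
        verdicts[name] = "compliant" if full else ("partial" if types else "missing")
    return verdicts
```

A selector only matters on a trail that is actually recording, so pair this with aws cloudtrail get-trail-status and treat a trail whose IsLogging is false as covering nothing.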
