
Rule: All S3 Buckets Should Log S3 Data Events in CloudTrail

This rule ensures logging of S3 data events in CloudTrail for all S3 buckets.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule Description

The rule ensures that all S3 buckets within the AWS account are configured to log S3 data events in AWS CloudTrail. This rule is specific to the FedRAMP Low security standard, Revision 4.

Troubleshooting Steps

If any S3 buckets are not logging S3 data events in CloudTrail, follow these troubleshooting steps:

  1. Verify CloudTrail is enabled: Ensure that CloudTrail is enabled in the AWS account. To confirm this, navigate to the AWS Management Console and search for "CloudTrail". If it is not enabled, follow the AWS documentation to enable CloudTrail.

  2. Check CloudTrail bucket permissions: Make sure that the S3 bucket used for CloudTrail logging has the necessary permissions. Ensure that the IAM role associated with CloudTrail has appropriate write permissions to the S3 bucket. Refer to the AWS documentation for details on setting up CloudTrail bucket permissions.

  3. Verify CloudTrail trails: Check that the appropriate CloudTrail trail(s) are configured for the S3 buckets. Validate the trail configuration to ensure that it includes S3 data events, and verify that the trails are active and logging events correctly.

Necessary Code (if any)

No specific code is required to ensure that S3 buckets log S3 data events in CloudTrail. However, you may need to use AWS Command Line Interface (CLI) commands to troubleshoot or verify the configuration.

Step-by-step Guide for Remediation

Follow the steps below to remediate S3 buckets not logging S3 data events in CloudTrail:

  1. Verify CloudTrail is enabled:

    • Open the AWS Management Console.
    • Search for "CloudTrail" and select the "CloudTrail" service.
    • If CloudTrail is not enabled, click "Create trail" or "Get Started Now" to enable it.

  2. Check CloudTrail bucket permissions:

    • Open the AWS Management Console.
    • Search for "S3" and select the "S3" service.
    • Locate the S3 bucket specified for CloudTrail logs.
    • Ensure that the IAM role associated with CloudTrail has write permissions to the S3 bucket.
      • Go to the bucket's "Permissions" tab.
      • Click on "Bucket Policy" or "Access Control List" (ACL), and verify the permissions.
      • Make the necessary changes to grant write access if required.

  3. Verify CloudTrail trails:

    • Open the AWS Management Console.
    • Search for "CloudTrail" and select the "CloudTrail" service.
    • Click on "Trails" in the left navigation menu.
    • Validate the trails associated with the S3 buckets.
    • Verify that the trails include S3 data events and are logging correctly.
    • If there are any issues, select the trail and modify the settings accordingly.

Note: It's recommended to periodically perform audits and checks to ensure ongoing compliance with the rule.
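The troubleshooting and remediation steps above verify trail configuration by hand in the console. For the periodic audit the note recommends, the following Python script is an added example (it is not part of this rule page or of any AWS tooling) that performs the same check offline: it takes the bucket names that `aws s3api list-buckets` returns and, per trail, the JSON that `aws cloudtrail get-event-selectors --trail-name <name>` returns, and reports which buckets have no trail logging their S3 data events and which are only partially covered (reads or writes only). The trail names, bucket names and account number embedded below are constructed sample data. The script understands both the classic EventSelectors format (including the `arn:aws:s3` value that means "all current and future buckets") and AdvancedEventSelectors, but as a simplification it models only bucket-wide `StartsWith` matches on `resources.ARN`; `NotStartsWith` exclusions and per-prefix selectors are not modelled.

```python
"""Offline audit of CloudTrail event selectors for S3 data-event coverage (added example)."""

ALL_S3 = "arn:aws:s3"  # classic-selector value meaning every current and future bucket
S3_OBJECT = "AWS::S3::Object"

# Constructed sample data: bucket names as returned by `aws s3api list-buckets`
# and per-trail output in the shape of `aws cloudtrail get-event-selectors`.
SAMPLE_BUCKETS = ["finance-reports", "public-assets", "backup-archive"]

SAMPLE_SELECTORS = {
    "org-trail": {  # classic selectors: all reads and writes for one bucket
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
        "EventSelectors": [{
            "ReadWriteType": "All",
            "IncludeManagementEvents": True,
            "DataResources": [
                {"Type": S3_OBJECT, "Values": ["arn:aws:s3:::finance-reports/"]},
                {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]},
            ],
        }],
    },
    "assets-trail": {  # advanced selectors: write-only data events for one bucket
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/assets-trail",
        "AdvancedEventSelectors": [{
            "Name": "S3 writes to public-assets",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": [S3_OBJECT]},
                {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::public-assets/"]},
                {"Field": "readOnly", "Equals": ["false"]},
            ],
        }],
    },
}


def _classic_coverage(selector, bucket):
    """Return the ReadWriteType if a classic selector logs data events for `bucket`, else None."""
    wanted = {ALL_S3, f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/"}
    for resource in selector.get("DataResources", []):
        if resource.get("Type") != S3_OBJECT:
            continue
        if wanted.intersection(resource.get("Values", [])):
            return selector.get("ReadWriteType", "All")
    return None


def _advanced_coverage(selector, bucket):
    """Return "All", "ReadOnly" or "WriteOnly" if an advanced selector covers the whole bucket."""
    fields = {f["Field"]: f for f in selector.get("FieldSelectors", [])}
    if "Data" not in fields.get("eventCategory", {}).get("Equals", []):
        return None
    if S3_OBJECT not in fields.get("resources.type", {}).get("Equals", []):
        return None
    arn = fields.get("resources.ARN")
    if arn is not None:  # no ARN field at all means every S3 object is selected
        bucket_prefix = f"arn:aws:s3:::{bucket}/"
        # A StartsWith value covers the whole bucket only if it is a prefix of "<bucket ARN>/".
        if not any(bucket_prefix.startswith(v) for v in arn.get("StartsWith", [])):
            return None
    read_only = fields.get("readOnly", {}).get("Equals", [])
    if read_only == ["true"]:
        return "ReadOnly"
    if read_only == ["false"]:
        return "WriteOnly"
    return "All"


def coverage_report(buckets, selectors_by_trail):
    """Map each bucket to the (trail, ReadWriteType) pairs that log its S3 data events."""
    report = {bucket: [] for bucket in buckets}
    for trail, config in selectors_by_trail.items():
        for bucket in buckets:
            for selector in config.get("EventSelectors", []):
                rw = _classic_coverage(selector, bucket)
                if rw:
                    report[bucket].append((trail, rw))
            for selector in config.get("AdvancedEventSelectors", []):
                rw = _advanced_coverage(selector, bucket)
                if rw:
                    report[bucket].append((trail, rw))
    return report


def unlogged_buckets(buckets, selectors_by_trail):
    """Buckets whose S3 data events no trail logs at all: the rule's findings."""
    report = coverage_report(buckets, selectors_by_trail)
    return sorted(b for b, trails in report.items() if not trails)


def partially_logged_buckets(buckets, selectors_by_trail):
    """Buckets logged by some trail, but never with ReadWriteType "All"."""
    report = coverage_report(buckets, selectors_by_trail)
    return sorted(b for b, trails in report.items()
                  if trails and not any(rw == "All" for _, rw in trails))


if __name__ == "__main__":
    for bucket, trails in coverage_report(SAMPLE_BUCKETS, SAMPLE_SELECTORS).items():
        print(f"{bucket}: {trails or 'NOT LOGGED'}")
    print("unlogged:", unlogged_buckets(SAMPLE_BUCKETS, SAMPLE_SELECTORS))
    print("partial:", partially_logged_buckets(SAMPLE_BUCKETS, SAMPLE_SELECTORS))
```

On the sample data, `backup-archive` is reported as unlogged and `public-assets` as partially logged (writes only), while `finance-reports` is fully covered by `org-trail`. To run it against a real account, replace the two `SAMPLE_*` constants with the parsed output of the CLI commands named in the lead-in; a bucket that lands in the unlogged list is exactly a failure of this rule.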
