Rule: All S3 Buckets Should Log S3 Data Events in CloudTrail

Rule Description

Troubleshooting Steps

2. 1.

   Check CloudTrail Setup: Verify that you have set up and configured CloudTrail correctly in your AWS account. Ensure that you have enabled logging for the required regions and enabled the necessary permissions.

4. 2.

   Review Bucket Policy: Check the bucket policies applied to the S3 buckets and ensure that the required permissions for CloudTrail are correctly defined. Ensure that the bucket policy allows CloudTrail to write logs to the specified S3 bucket.

6. 3.

   Verify S3 Bucket Properties: Confirm the properties of the S3 buckets, particularly the logging settings. Ensure that the logging is enabled for the buckets and that the desired destination bucket is specified.

8. 4.

   Check CloudTrail and S3 Bucket Region: Make sure that the CloudTrail trail and S3 bucket reside in the same AWS region. They should be located in the region mentioned in the FedRAMP Low Revision 4 requirement.

10. 5.

    Inspect IAM Policies: Review IAM policies associated with the AWS Identity and Access Management (IAM) roles used by CloudTrail and confirm that the policies allow the required permissions to write logs to S3.

12. 6.

    Check CloudTrail Encryption: Verify that CloudTrail encryption settings are configured correctly. If encryption is enabled, ensure that the encryption keys and policies are properly set up.

Necessary Codes

2. 1.
   To create a new CloudTrail trail:

aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --include-global-service-events

<trail-name>

<bucket-name>

2. 1.
   To update an existing CloudTrail trail to include S3 data events:

aws cloudtrail update-trail --name <trail-name> --s3-bucket-name <bucket-name> --is-multi-region-trail --include-global-service-events

<trail-name>

<bucket-name>

Step-by-Step Guide for Remediation

2. 1.

   Create a CloudTrail Trail (if not already created):

   • Open the AWS Management Console and navigate to the CloudTrail service.

   • Click on "Trails" from the left-hand menu and select "Create Trail".

   • Enter a unique name for the trail in the "Trail name" field.

   • Choose the desired S3 bucket as the destination for the CloudTrail logs.

   • Enable the options for multi-region and global service event logging.

   • Configure advanced settings as needed (such as enabling encryption).

   • Click "Create" to create the trail.
4. 2.

   Update Existing CloudTrail Trail (if already created):

   • Open the AWS Management Console and navigate to the CloudTrail service.

   • Click on "Trails" from the left-hand menu and select the existing trail.

   • Click on "Edit" to modify the trail settings.

   • Ensure that the desired S3 bucket is set as the destination for CloudTrail logs.

   • Enable options for multi-region and global service event logging, if not already enabled.

   • Configure advanced settings as needed (such as enabling encryption).

   • Click "Save" to update the trail.
6. 3.

   Verify CloudTrail Logging for S3 Data Events:

   • Open the AWS Management Console and navigate to the S3 service.

   • Select the desired bucket that should have CloudTrail logging enabled.

   • Go to the "Properties" tab of the bucket.

   • Scroll down to the "CloudTrail settings" section.

   • Confirm that the CloudTrail logging is enabled and the correct trail is selected.

   • Make any necessary adjustments and save the changes if required.