
Rule: All S3 Buckets should log S3 data events in CloudTrail

This rule ensures that all S3 buckets are logging S3 data events in CloudTrail for security compliance.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: FedRAMP Moderate Revision 4
Severity: Medium

Rule/Policy: All S3 Buckets CloudTrail Logging for FedRAMP Moderate Revision 4

Description:

This rule/policy ensures that all S3 buckets in an AWS account have CloudTrail logging enabled for S3 data events. It specifically aligns with the logging requirements of the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline, as outlined in Revision 4 of the FedRAMP guidelines.

Enabling CloudTrail logging for S3 data events allows for the monitoring and auditing of actions taken on S3 buckets, such as object-level API operations, bucket-level actions, and access control changes. This helps to maintain accountability, traceability, and compliance with security and governance requirements.

Troubleshooting Steps:

  1. Check that the AWS account has the necessary permissions to enable CloudTrail logging. Ensure that the IAM user or role being used has the required privileges.
  2. Verify that the CloudTrail service is enabled in the AWS account. If not, enable it.
  3. Ensure that the S3 buckets are not explicitly excluded from CloudTrail logging. Exclusions can be specified during CloudTrail setup, so make sure that the respective buckets are not excluded.
  4. Confirm that the S3 buckets exist and have not been deleted or renamed.
  5. Check for issues with the CloudTrail or S3 bucket configuration, such as an incorrect S3 bucket ARN, an incorrect CloudTrail trail association, or misconfigured event selectors.

Necessary Codes: None

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console with appropriate credentials.
  2. Navigate to the CloudTrail service.
  3. Click on "Trails" in the left-hand menu.
  4. Select the desired CloudTrail trail that is used for logging S3 data events, or create a new one.
  5. If creating a new trail, provide a name, select the appropriate S3 bucket for storage of CloudTrail logs, and configure other desired settings. Ensure that the trail covers all S3 buckets that need to be monitored.
  6. In the "Management" section of the trail settings, enable "Data events" and ensure that "S3" is selected.
  7. Review and modify other settings as required, such as enabling log file encryption or adding a CloudWatch log group for additional monitoring.
  8. Save the changes and wait for the CloudTrail trail configuration to be applied.
  9. Verify that the S3 data events are being logged by checking the CloudTrail logs and ensuring that the desired S3 actions are captured.

Note: It is recommended to follow AWS best practices and to automate the configuration and enforcement of this policy across multiple AWS accounts or resources with infrastructure as code (AWS CloudFormation) or the AWS CLI, rather than relying on console changes alone.
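Step 9 above is easy to get wrong by hand, because a trail can name a bucket and still miss events (a prefix-only selector, or a ReadOnly/WriteOnly selector). The following added example (not Cloud Defense's or AWS's code) evaluates basic CloudTrail event selectors, in the shape returned by boto3 `get_event_selectors()`, against a bucket list; the bucket names and trail contents are constructed sample data, and advanced event selectors are out of scope.

```python
"""Offline check: which S3 buckets have full data-event logging in CloudTrail?
Works on the 'EventSelectors' list from cloudtrail.get_event_selectors()
(basic selectors only; advanced event selectors are not handled here)."""

ALL_S3 = "arn:aws:s3"  # selector value that logs data events for every bucket


def bucket_is_covered(bucket, event_selectors):
    """True if `bucket` has both read and write S3 data events logged."""
    bucket_arn = f"arn:aws:s3:::{bucket}/"
    for selector in event_selectors:
        if selector.get("ReadWriteType", "All") != "All":
            continue  # ReadOnly / WriteOnly gives only partial visibility
        for res in selector.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue  # skip Lambda / DynamoDB data resources
            for value in res.get("Values", []):
                # "arn:aws:s3" covers all current and future buckets and
                # "arn:aws:s3:::bucket/" covers the whole bucket; a value
                # like "arn:aws:s3:::bucket/prefix" covers only that prefix
                # and therefore does not count as full coverage.
                if value in (ALL_S3, bucket_arn):
                    return True
    return False


def uncovered_buckets(buckets, trails):
    """trails: {trail_name: event_selectors} for every trail in the account."""
    return sorted(b for b in buckets
                  if not any(bucket_is_covered(b, s) for s in trails.values()))


# Constructed sample data standing in for list_buckets() / get_event_selectors()
SAMPLE_BUCKETS = ["app-logs", "customer-uploads", "backups", "public-assets"]
SAMPLE_TRAILS = {
    "org-trail": [{
        "ReadWriteType": "All", "IncludeManagementEvents": True,
        "DataResources": [
            {"Type": "AWS::S3::Object",
             "Values": ["arn:aws:s3:::app-logs/", "arn:aws:s3:::backups/2024/"]},
            {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]},
        ]}],
    "uploads-trail": [{
        "ReadWriteType": "WriteOnly",  # writes only: reads are never logged
        "DataResources": [{"Type": "AWS::S3::Object",
                           "Values": ["arn:aws:s3:::customer-uploads/"]}]}],
}

if __name__ == "__main__":
    for b in uncovered_buckets(SAMPLE_BUCKETS, SAMPLE_TRAILS):
        print(f"NON-COMPLIANT: {b} has no trail logging all S3 data events")
```

In the sample, only `app-logs` passes; `backups` is prefix-limited, `customer-uploads` is write-only, and `public-assets` is not named anywhere, so the trail would need a selector with ReadWriteType "All" and the value `arn:aws:s3` (or each bucket ARN) to satisfy the rule.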

By ensuring all S3 buckets have CloudTrail logging enabled for S3 data events, you align with the security requirements of FedRAMP Moderate Revision 4 and maintain better visibility and compliance within your AWS environment.
