Rule: S3 Bucket Logging Should Be Enabled

This rule ensures that S3 bucket logging is enabled to maintain proper audit and accountability measures.

Rule: S3 bucket logging should be enabled
Framework: FedRAMP Moderate Revision 4
Severity: Low

Rule Description

The rule requires enabling S3 bucket logging for AWS S3 buckets that are in compliance with the FedRAMP Moderate Revision 4 security requirements. Enabling bucket logging ensures the collection and retention of detailed logs for tracking access to the S3 buckets, which helps in meeting compliance and security objectives.

Troubleshooting Steps

There might not be any troubleshooting steps explicitly associated with this rule. However, if any issues arise during the process of enabling S3 bucket logging, the following steps can be followed:

  1. Verify the IAM user or role permissions: Ensure that the IAM user or role responsible for enabling bucket logging has the necessary permissions to perform the required actions, such as s3:PutBucketLogging and s3:GetBucketLogging.
  2. Check the bucket policy: Make sure that the bucket policy allows the user or role to enable bucket logging by including the necessary permissions.
  3. Validate S3 bucket configuration: Ensure that the S3 bucket and its associated settings, such as bucket name, region, and access controls, are configured correctly.
  4. Review AWS CloudTrail logs: Check the AWS CloudTrail logs for any relevant events or error messages that might assist in troubleshooting the issue.

Necessary Code

No specific code is required for this rule. However, consider the following example bucket policy, which grants the account permission to enable logging on an S3 bucket (the logging configuration itself is applied separately, as described below):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBucketLogging",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS_ACCOUNT_ID:root"
      },
      "Action": "s3:PutBucketLogging",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    }
  ]
}

Make sure to replace AWS_ACCOUNT_ID with the AWS account ID and BUCKET_NAME with the actual bucket name.

Step by Step Guide - Enabling S3 Bucket Logging

Follow these steps to enable S3 bucket logging for FedRAMP Moderate Revision 4 compliance:

  1. Open the AWS Management Console and navigate to the Amazon S3 service.
  2. Select the S3 bucket for which you want to enable logging.
  3. Click on the "Properties" tab in the top navigation menu.
  4. Scroll down to the "Server access logging" section and click on the "Edit" button.
  5. Enable server access logging by selecting the "Enable" option.
  6. Specify the target bucket and target prefix:
     • Target bucket: Choose the bucket where you want to store the logs. It can be the same bucket or a different one.
     • Target prefix: Define a prefix for the log file names. This helps in organizing and segregating logs if multiple buckets are being logged to the same target bucket.
  7. Optionally, enable the request metrics option to log detailed request metrics as well.
  8. Click on the "Save changes" button to enable bucket logging.

That's it! The S3 bucket logging is now enabled for FedRAMP Moderate Revision 4 compliance. The logs will be generated and stored in the specified target bucket, providing detailed information about access and usage of the S3 bucket.
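The same check and remediation can be scripted instead of clicked through. The following is an added example, not Cloud Defense's own tooling: hypothetical helpers that audit the response of boto3's get_bucket_logging (which omits the LoggingEnabled key entirely when logging is off) and build the BucketLoggingStatus payload for put_bucket_logging with the target bucket and prefix from step 6. The bucket names and responses are constructed sample data so the audit runs offline; the live wiring at the bottom needs s3:GetBucketLogging and s3:PutBucketLogging, as noted under troubleshooting.

```python
"""Audit and remediate S3 server access logging (hypothetical helpers)."""
from typing import Optional


def logging_status(response: dict) -> Optional[dict]:
    """Return the target bucket/prefix if logging is enabled, else None.
    A bucket with logging off returns a response without 'LoggingEnabled'."""
    enabled = response.get("LoggingEnabled")
    if not enabled or not enabled.get("TargetBucket"):
        return None
    return {"target_bucket": enabled["TargetBucket"],
            "target_prefix": enabled.get("TargetPrefix", "")}


def audit_buckets(statuses: dict) -> list:
    """statuses maps bucket name -> get_bucket_logging response.
    Returns the names of buckets that violate the rule (logging disabled)."""
    return sorted(name for name, resp in statuses.items()
                  if logging_status(resp) is None)


def build_logging_config(target_bucket: str, target_prefix: str) -> dict:
    """Build the BucketLoggingStatus payload for put_bucket_logging.
    A non-empty prefix is normalised to end with '/' so that several source
    buckets logging to one target bucket stay segregated."""
    if not target_bucket:
        raise ValueError("a target bucket is required to enable logging")
    if target_prefix and not target_prefix.endswith("/"):
        target_prefix += "/"
    return {"LoggingEnabled": {"TargetBucket": target_bucket,
                               "TargetPrefix": target_prefix}}


# Constructed sample responses in the shape boto3 returns.
SAMPLE_RESPONSES = {
    "app-data": {"LoggingEnabled": {"TargetBucket": "central-logs",
                                    "TargetPrefix": "app-data/"}},
    "backups": {},  # logging disabled: no LoggingEnabled key at all
}


def remediate(s3, bucket: str, target_bucket: str, target_prefix: str) -> None:
    """Enable logging on a live bucket (requires s3:PutBucketLogging)."""
    s3.put_bucket_logging(
        Bucket=bucket,
        BucketLoggingStatus=build_logging_config(target_bucket, target_prefix))


if __name__ == "__main__":
    import boto3  # live audit against the account; not run by the tests
    s3 = boto3.client("s3")
    live = {b["Name"]: s3.get_bucket_logging(Bucket=b["Name"])
            for b in s3.list_buckets()["Buckets"]}
    for name in audit_buckets(live):
        print(f"{name}: server access logging disabled")
```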
