Rule: All S3 Buckets Should Log S3 Data Events in CloudTrail
This rule ensures that all S3 buckets log S3 data events in CloudTrail.
| Rule | All S3 buckets should log S3 data events in CloudTrail |
| Framework | FedRAMP Moderate Revision 4 |
| Severity | ✔ Medium |
Rule Description:
According to the FedRAMP Moderate Revision 4 compliance requirements, all S3 buckets within the AWS account should have S3 data events logged in CloudTrail. This rule ensures that any actions related to S3 data in the account are recorded for auditing and compliance purposes.
Troubleshooting Steps:
If S3 buckets are not being logged in CloudTrail, you can follow these troubleshooting steps:
- 1.
Check CloudTrail Configuration: Verify that CloudTrail is properly configured in your AWS account. Ensure that you have created and enabled a CloudTrail trail to capture logs.
- 2.
Bucket Level Settings: Review the bucket-level settings for each S3 bucket. Ensure that the logging feature is enabled for all buckets, which allows logs to be recorded in CloudTrail.
- 3.
Permissions and Access: Confirm that the AWS Identity and Access Management (IAM) user or role associated with the bucket has sufficient permissions to enable logging and write the logs to CloudTrail.
- 4.
Check CloudTrail Logs: Examine the CloudTrail logs to identify any errors or issues related to bucket logging. Look for any specific error messages that might indicate the cause of the problem.
- 5.
Review Bucket Events: Since the requirement specifically mentions S3 data events, ensure that the necessary events are being captured. Verify that read, write, and other relevant S3 data events are included in the CloudTrail logs.
Necessary Code:
No specific code snippets are required for this rule. However, you can utilize the AWS Command Line Interface (CLI) to configure and validate the settings.
Remediation Steps:
Follow these steps to remediate the rule for logging S3 data events in CloudTrail for all S3 buckets:
- 1.
Enable CloudTrail: If you haven't already, enable CloudTrail by creating and configuring a trail using the AWS Management Console, AWS CLI, or AWS SDKs. Make sure to include S3 as a data event source while configuring the trail.
- 2.
Enable Logging for Existing S3 Buckets: For each S3 bucket that does not have logging enabled, perform the following steps:
- Open the AWS Management Console and navigate to the S3 service.
- Select the bucket that needs logging enabled.
- Choose the "Properties" tab and click on "Server access logging."
- Enable the logging and specify the target S3 bucket where CloudTrail logs will be stored.
- Save the changes to enable logging for the selected bucket.
- 3.
Validate the Logging: After enabling logging for all S3 buckets, verify that the logs are being successfully written to CloudTrail.
- 4.
Review Log Data: Continuously monitor the CloudTrail logs to ensure that all relevant S3 data events are being recorded. Regularly review the logs for any suspicious activities or deviations from normal operations.
Following these remediation steps will ensure that the S3 buckets within your AWS account are logging S3 data events in CloudTrail, fulfilling the requirements of FedRAMP Moderate Revision 4.