
Rule: All S3 Buckets Should Log S3 Data Events in CloudTrail

This rule ensures that all S3 buckets are logging S3 data events in CloudTrail for enhanced security and compliance.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: FedRAMP Moderate Revision 4
Severity: Medium

Rule Description

This rule ensures that all S3 buckets within an AWS account have logging enabled for S3 data events in CloudTrail in compliance with the FedRAMP Moderate Revision 4 requirements. Enabling this logging allows granular visibility into S3 bucket access and can assist in security analysis, compliance auditing, and troubleshooting.

Troubleshooting Steps

If you encounter issues with enabling logging for S3 data events in CloudTrail, you can follow these troubleshooting steps:

  1. Verify CloudTrail availability: Ensure that CloudTrail is available in your AWS region. Some regions may not support CloudTrail, so ensure you choose a region where CloudTrail is available.

  2. Confirm CloudTrail configuration: Verify that you have correctly set up CloudTrail in your AWS account. Ensure that you have created a trail that is capturing S3 data events.

  3. Check S3 bucket name: Make sure that the S3 bucket you want to enable logging for exists and is accessible within your AWS account.

  4. Confirm IAM permissions: Ensure that the AWS Identity and Access Management (IAM) user or role you are using has the necessary permissions to enable logging for S3 data events in CloudTrail. You may need the cloudtrail:PutEventSelectors permission.

  5. Check CloudTrail trail status: Verify the status of your CloudTrail trail and ensure that it is active. If it is not active, you may need to manually activate it.

Necessary Codes

There are no specific codes required for this rule. However, you will need to use the AWS Management Console or the AWS Command Line Interface (CLI) to enable logging for S3 data events in CloudTrail.

Step-by-Step Guide

Follow these steps to enable logging for S3 data events in CloudTrail for FedRAMP Moderate Revision 4 compliance:

  1. Sign in to the AWS Management Console: Open the AWS Management Console in your web browser and sign in to your AWS account.

  2. Navigate to CloudTrail: From the AWS Management Console dashboard, search for "CloudTrail" using the search bar at the top of the page and select "CloudTrail" from the results.

  3. Create a trail: In the CloudTrail console, click on "Trails" in the left navigation menu and then click on the "Create trail" button.

  4. Configure trail settings: Provide a unique name for the trail and choose the S3 bucket where you want CloudTrail to store the logs. Ensure that you select an S3 bucket that meets the FedRAMP Moderate Revision 4 requirements.

  5. Enable logging for S3 data events: In the "Event history" section, enable the "Read/Write events" option. This will capture data access events for S3 buckets.

  6. Specify data event settings: Scroll down to the "Data events" section and enable the "S3" data event. This will capture specific S3 data events, such as object-level API operations and bucket-level API operations.

  7. Configure advanced settings: Optionally, configure additional settings such as log file encryption, CloudWatch Logs integration, and tagging. Ensure that these settings align with your organization's requirements and compliance standards.

  8. Review and create the trail: Review all the configured settings to ensure accuracy. Once satisfied, click on the "Create" button to create the CloudTrail trail.

  9. Enable the trail: After creating the trail, select it from the list of trails in the CloudTrail console and click on the "Enable" button. This will activate the trail and begin logging S3 data events.

  10. Verify logging: Wait for a few minutes and then access an S3 bucket to perform actions such as uploading or deleting objects. Afterward, access the CloudTrail logs in the designated S3 bucket to confirm that the S3 data events are being captured.

By following these steps, you will enable logging for S3 data events in CloudTrail, ensuring compliance with the FedRAMP Moderate Revision 4 requirements.
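The "Necessary Codes" section notes that the AWS CLI can be used instead of the console, and the troubleshooting steps name the cloudtrail:PutEventSelectors permission. The following is an added example, not Cloud Defense code or AWS's own tooling: it builds the event selector that logs read and write data events for every S3 bucket (the payload for the real `aws cloudtrail put-event-selectors` command) and audits `aws cloudtrail get-event-selectors` responses for that coverage, so you can check every trail in an account rather than only spot-checking one bucket as in step 10. It handles both classic EventSelectors and AdvancedEventSelectors, treating a selector limited to one bucket ARN or to read-only/write-only events as non-compliant. The trail names, account ID and responses are constructed for illustration.

```python
"""CloudTrail S3 data-event selectors: build the all-buckets selector and
audit get-event-selectors output for it.

Added example, not Cloud Defense code. The JSON shapes follow the real AWS
CLI commands `aws cloudtrail get-event-selectors` / `put-event-selectors`;
every response and identifier below is constructed for illustration.
"""
import json

# Classic event selector that records read and write data events for every
# object in every bucket: the bare "arn:aws:s3:::" prefix (no bucket name)
# is how CloudTrail expresses "all S3 buckets".
ALL_S3_DATA_EVENTS_SELECTOR = [{
    "ReadWriteType": "All",
    "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}],
}]


def put_event_selectors_command(trail_name: str) -> str:
    """CLI command that applies the all-buckets selector to an existing trail.
    The caller needs cloudtrail:PutEventSelectors (see troubleshooting step 4)."""
    payload = json.dumps(ALL_S3_DATA_EVENTS_SELECTOR)
    return (f"aws cloudtrail put-event-selectors --trail-name {trail_name} "
            f"--event-selectors '{payload}'")


def _classic_covers_all_s3(selectors: list) -> bool:
    # A classic selector is sufficient only if it logs both reads and writes
    # and lists the all-buckets prefix (a per-bucket ARN is not enough).
    for sel in selectors:
        if sel.get("ReadWriteType", "All") != "All":
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") == "AWS::S3::Object" and "arn:aws:s3:::" in res.get("Values", []):
                return True
    return False


def _advanced_covers_all_s3(selectors: list) -> bool:
    # An advanced selector is sufficient if it selects Data events of type
    # AWS::S3::Object without narrowing to specific buckets (resources.ARN)
    # or to one direction (readOnly).
    for sel in selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if fields.get("resources.type", {}).get("Equals") != ["AWS::S3::Object"]:
            continue
        if "readOnly" in fields:
            continue
        arn = fields.get("resources.ARN")
        # A StartsWith on the whole-service prefix still covers every bucket.
        if arn and not any("arn:aws:s3:::".startswith(v) for v in arn.get("StartsWith", [])):
            continue
        return True
    return False


def trail_logs_all_s3_data_events(response: dict) -> bool:
    """True if one get-event-selectors response covers all S3 data events."""
    return (_classic_covers_all_s3(response.get("EventSelectors", []))
            or _advanced_covers_all_s3(response.get("AdvancedEventSelectors", [])))


def noncompliant_trails(responses: dict) -> list:
    """Names of trails (from a {name: response} map) that fail the rule."""
    return sorted(n for n, r in responses.items() if not trail_logs_all_s3_data_events(r))


# Constructed sample responses (placeholder account ID 123456789012).
_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/"
SAMPLE_RESPONSES = {
    "org-trail": {"TrailARN": _ARN + "org-trail",
                  "EventSelectors": ALL_S3_DATA_EVENTS_SELECTOR},
    "one-bucket-trail": {"TrailARN": _ARN + "one-bucket-trail",
                         "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                             "DataResources": [{"Type": "AWS::S3::Object",
                                                                "Values": ["arn:aws:s3:::example-bucket/"]}]}]},
    "mgmt-only-trail": {"TrailARN": _ARN + "mgmt-only-trail",
                        "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                                            "DataResources": []}]},
    "advanced-trail": {"TrailARN": _ARN + "advanced-trail",
                       "AdvancedEventSelectors": [{"Name": "All S3 data events", "FieldSelectors": [
                           {"Field": "eventCategory", "Equals": ["Data"]},
                           {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]},
}

if __name__ == "__main__":
    print(put_event_selectors_command("org-trail"))
    print("Non-compliant trails:", noncompliant_trails(SAMPLE_RESPONSES))
```

In a real audit, replace SAMPLE_RESPONSES with the parsed output of `aws cloudtrail get-event-selectors --trail-name <name>` for each trail returned by `aws cloudtrail describe-trails`; a trail that only records management events, or that only covers one bucket, is reported by name so it can be corrected with the generated put-event-selectors command.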
