
Rule: S3 Bucket Logging Should Be Enabled

This rule ensures that S3 bucket logging is enabled for better cyber incident management and resilience.

Rule: S3 bucket logging should be enabled
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Low

Rule Details

Description

This rule requires that S3 server access logging is enabled on each bucket for Federal Financial Institutions Examination Council (FFIEC) compliance. Server access logging records the requests made to a bucket (requester, time, operation, key, HTTP status and error code), covering both object-level requests such as GET, PUT and DELETE and bucket-level operations, and delivers those records as log objects to a separate target bucket. Delivery is best-effort: records usually arrive within a few hours, and the occasional record can be lost, so these logs supplement rather than replace AWS CloudTrail data events where a guaranteed record is required.

Purpose

Enabling S3 bucket logging for FFIEC compliance captures the requests made against sensitive data stored in the bucket and gives auditors, monitoring systems and incident responders a per-request record of who accessed which object and when. This supports the auditing, monitoring and analysis of bucket access needed to meet regulatory requirements.

Troubleshooting Steps

If S3 bucket logging is not enabled or encounters any issues, the following troubleshooting steps can be taken:

  1. Ensure the user or role enabling logging has s3:PutBucketLogging and s3:GetBucketLogging on the source bucket. A denied PutBucketLogging call is recorded by AWS CloudTrail as an AccessDenied management event, which is the quickest way to confirm a permissions problem.
  2. Verify that the source bucket and the target bucket both exist, that they are in the same AWS account and the same Region, and that the target bucket is not the source bucket itself. A bucket that logs to itself grows without bound, because every delivered log object is itself a logged request.
  3. Check that the target bucket's policy grants s3:PutObject to the S3 log delivery service principal logging.s3.amazonaws.com for the chosen prefix (or, for older configurations, that its ACL grants the Log Delivery group write access). Without this grant no logs are delivered.
  4. Check that the target bucket has no S3 Object Lock default retention configured and is not default-encrypted with SSE-KMS; server access logs can only be delivered to a target bucket that is unencrypted or uses SSE-S3.
  5. Allow for delivery latency. Server access logs are delivered on a best-effort basis and can take a few hours to appear, so an empty prefix immediately after a test request is not by itself a failure.
  6. Note that server access logging does not depend on AWS CloudTrail being enabled. CloudTrail S3 data events are a separate, independently configured record of object-level API calls, and the two can be reviewed side by side when investigating a suspected misconfiguration.

Code

To enable S3 bucket logging for FFIEC compliance, you can use the AWS Command Line Interface (CLI) with the following AWS CLI command (the option that carries the configuration is --bucket-logging-status):

aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"<target-bucket-name>","TargetPrefix":"logs/"}}'

Replace <bucket-name> with the name of the S3 bucket you want to enable logging for and <target-bucket-name> with the name of the bucket where you want to store the logs. The target bucket must be in the same AWS account and Region as the source bucket, must not be the source bucket itself, and must grant the S3 log delivery service (logging.s3.amazonaws.com) permission to write objects under the chosen prefix; otherwise the configuration is accepted but no logs are delivered.

Remediation Steps

To remediate the S3 bucket and enable logging for FFIEC compliance, follow these steps:

  1. Identify the S3 bucket that needs to have logging enabled.
  2. Create a separate S3 bucket in the same AWS account and Region to store the logs, if one does not already exist. Never point a bucket at itself as the log target.
  3. Ensure that the user or role executing the following commands has at least these permissions:
     • s3:PutBucketLogging
     • s3:GetBucketLogging
     • s3:ListAllMyBuckets
     • s3:GetBucketAcl
     • s3:PutBucketPolicy on the target bucket, to grant the log delivery service write access
  4. Grant the S3 log delivery service write access to the target bucket: attach a bucket policy that allows s3:PutObject for the service principal logging.s3.amazonaws.com on the log prefix, conditioned on aws:SourceAccount (your account ID) and aws:SourceArn (the ARN of the source bucket) so that no other bucket can deliver logs there.
  5. Open the AWS Command Line Interface (CLI) or AWS Management Console.
  6. Execute the following AWS CLI command to enable logging:
aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"<target-bucket-name>","TargetPrefix":"logs/"}}'

Replace <bucket-name> with the name of the S3 bucket you want to enable logging for and <target-bucket-name> with the name of the bucket where you want to store the logs.

  7. Verify that S3 bucket logging is successfully enabled by checking the bucket's logging configuration:
aws s3api get-bucket-logging --bucket <bucket-name>

Ensure that the response shows the target bucket and prefix specified in the logging configuration. An empty response means logging is still disabled.

  8. Test the logging functionality by performing actions on objects in the bucket and reviewing the logs in the target location. Delivery is best-effort and can take a few hours, so wait before concluding that logging is not working.

By following these steps, you will have remediated the S3 bucket and enabled logging for FFIEC compliance.
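The procedure from the Code and Remediation Steps sections above, carried through as one script. This is an added example, not code from the original page or from Cloud Defense. The bucket names, account ID and log prefix are placeholder assumptions that you override through the environment, and the aws commands need the AWS CLI installed with credentials for the account. It goes beyond the page's single command in three ways: it writes the target-bucket policy that lets the log delivery service actually deliver, it refuses a configuration that would make a bucket log to itself, and it reports the logging status of every bucket in the account so the rule can be checked fleet-wide rather than one bucket at a time.

```shell
#!/bin/sh
# Added example (not from the original page): enable S3 server access logging
# for one bucket end to end and audit every bucket in the account.
# The names below are placeholder assumptions; override them via the environment.
SOURCE_BUCKET="${SOURCE_BUCKET:-my-data-bucket}"
TARGET_BUCKET="${TARGET_BUCKET:-my-access-logs-bucket}"  # same account and Region as the source
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"                  # placeholder account ID
LOG_PREFIX="${LOG_PREFIX:-logs/${SOURCE_BUCKET}/}"

# Bucket policy for the target bucket: lets the S3 log delivery service principal
# write objects under the prefix and nothing else. The two conditions pin delivery
# to this account and this source bucket so other buckets cannot fill the log bucket.
target_bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "S3ServerAccessLogsPolicy",
    "Effect": "Allow",
    "Principal": {"Service": "logging.s3.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::${TARGET_BUCKET}/${LOG_PREFIX}*",
    "Condition": {
      "ArnLike": {"aws:SourceArn": "arn:aws:s3:::${SOURCE_BUCKET}"},
      "StringEquals": {"aws:SourceAccount": "${ACCOUNT_ID}"}
    }
  }]
}
EOF
}

# BucketLoggingStatus document passed to put-bucket-logging --bucket-logging-status.
logging_configuration() {
  printf '{"LoggingEnabled":{"TargetBucket":"%s","TargetPrefix":"%s"}}\n' \
    "$TARGET_BUCKET" "$LOG_PREFIX"
}

# Refuse a configuration that would log a bucket into itself: every delivered
# log object is itself a logged request, so such a bucket grows without bound.
validate_targets() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Classify the text output of
#   aws s3api get-bucket-logging --query LoggingEnabled.TargetBucket --output text
# for a given source bucket. The CLI prints "None" when LoggingEnabled is absent.
logging_status() {
  tgt="$1"; src="$2"
  case "$tgt" in
    ""|None)  echo DISABLED ;;
    "$src")   echo SELF_LOGGING ;;
    *)        echo ENABLED ;;
  esac
}

current_target() {
  aws s3api get-bucket-logging --bucket "$1" \
    --query 'LoggingEnabled.TargetBucket' --output text
}

# Steps 4, 6 and 7 of the remediation: policy on the target, logging on the source, verify.
remediate() {
  validate_targets "$SOURCE_BUCKET" "$TARGET_BUCKET" || {
    echo "refusing: source and target buckets must be non-empty and different" >&2
    return 1
  }
  aws s3api put-bucket-policy --bucket "$TARGET_BUCKET" --policy "$(target_bucket_policy)"
  aws s3api put-bucket-logging --bucket "$SOURCE_BUCKET" \
    --bucket-logging-status "$(logging_configuration)"
  echo "$SOURCE_BUCKET: $(logging_status "$(current_target "$SOURCE_BUCKET")" "$SOURCE_BUCKET")"
}

# One line per bucket in the account: ENABLED, DISABLED or SELF_LOGGING.
audit_all_buckets() {
  for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
    echo "$b: $(logging_status "$(current_target "$b")" "$b")"
  done
}

case "${1:-}" in
  --apply) remediate ;;
  --audit) audit_all_buckets ;;
esac
```

Run it as `sh enable-s3-logging.sh --audit` first to list every bucket whose logging is DISABLED or SELF_LOGGING, then as `SOURCE_BUCKET=<bucket-name> TARGET_BUCKET=<target-bucket-name> ACCOUNT_ID=<account-id> sh enable-s3-logging.sh --apply` per non-compliant bucket. Because delivery is best-effort, the final status line only confirms that the configuration is in place; the log objects themselves can take a few hours to appear under the prefix.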
