
Rule for Enabling S3 Data Events Logging in CloudTrail

This rule ensures all S3 buckets log S3 data events in CloudTrail for better monitoring and security.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: GxP EU Annex 11
Severity: Medium

Overview of Compliance Rule: Logging S3 Data Events in CloudTrail for GxP EU Annex 11

EU GMP Annex 11 (Computerised Systems) requires that GMP-relevant data changes and deletions are captured in a secure, system-generated audit trail; the ISPE Good Automated Manufacturing Practice (GAMP) guidance is the usual way of implementing it. For data held in Amazon S3 this means that actions performed on objects, which AWS calls 'data events', must be logged and monitored. S3 data event logging through AWS CloudTrail is therefore an essential part of the compliance process: each recorded event states which identity called which API on which object, when, and from which source address. Note that CloudTrail records the API call, not the object contents or its previous versions, so it complements S3 versioning rather than replacing it. The resulting audit trail lets an organization demonstrate the integrity of its data management process and maintain the confidentiality, integrity and availability of data as GxP requires.

Compliance Details

For S3 data events, AWS CloudTrail records object-level API calls such as GetObject, PutObject and DeleteObject. Data events are not logged by default and are billed separately from management events, so they have to be selected explicitly on the trail. For GxP compliance these actions must be continuously recorded and monitored to maintain accountability and traceability within the regulatory framework of the EU.

Troubleshooting Steps for Compliance Failures

  • Verify CloudTrail Integration: Confirm that a trail exists, that it is logging (aws cloudtrail get-trail-status reports IsLogging as true) and that its event selectors include S3 data events for the buckets in question (aws cloudtrail get-event-selectors). A single-region trail only records data events for buckets in its own region, so use a multi-region trail or buckets elsewhere will be missed. If no such trail exists, create one and select S3 data events on it.
  • Check S3 Bucket Policy: Ensure that the policy on the trail's target bucket allows the cloudtrail.amazonaws.com service principal to call s3:GetBucketAcl on the bucket and s3:PutObject under the AWSLogs/ prefix. A permission problem shows up as LatestDeliveryError in get-trail-status; correct the policy if it does.
  • Review the Delivered Log Files: If the trail reports no delivery error but the expected events are still absent, allow several minutes for delivery (CloudTrail delivery is typically within minutes but is not guaranteed), then pull a recent log file from the trail bucket and look for records with eventSource s3.amazonaws.com and the expected eventName (GetObject, PutObject, DeleteObject) for the bucket.

Necessary Code for Enabling S3 Data Event Logging

AWS CLI Commands

# Create a trail that covers every region (a single-region trail misses buckets elsewhere)
# and enable log file integrity validation so tampering with delivered logs is detectable
aws cloudtrail create-trail --name MyGxPTrail --s3-bucket-name my-gxp-trail-bucket --is-multi-region-trail --enable-log-file-validation

# Select S3 data events for every bucket in the account: the prefix arn:aws:s3 means all buckets
# (the trail bucket itself is included, so each delivered log file also produces a PutObject data event;
# exclude it with an advanced event selector using resources.ARN NotStartsWith if that volume is unwanted)
aws cloudtrail put-event-selectors --trail-name MyGxPTrail --event-selectors '[{"ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]'

# Selecting data events does not start the trail; logging must be started explicitly
aws cloudtrail start-logging --name MyGxPTrail

# Confirm the trail is logging without delivery errors and that the selectors took effect
aws cloudtrail get-trail-status --name MyGxPTrail
aws cloudtrail get-event-selectors --trail-name MyGxPTrail

S3 Bucket Policy to Allow CloudTrail to Write Logs

This is a bucket policy on the trail's target bucket, not an IAM policy. Replace <region> and <account-id> with your own values; the aws:SourceArn condition ties delivery to this one trail so that a trail in another account cannot write into the bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-gxp-trail-bucket",
      "Condition": {"StringEquals": {"aws:SourceArn": "arn:aws:cloudtrail:<region>:<account-id>:trail/MyGxPTrail"}}
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-gxp-trail-bucket/AWSLogs/<account-id>/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control",
          "aws:SourceArn": "arn:aws:cloudtrail:<region>:<account-id>:trail/MyGxPTrail"
        }
      }
    }
  ]
}

Step-by-Step Guide for Remediation

  1. Log into AWS Management Console: Access the AWS Management Console and navigate to the CloudTrail service.
  2. Create a New Trail: Click on Trails and create a new trail with a unique name dedicated to your GxP compliance requirement. Choose a multi-region trail so that buckets in every region are covered.
  3. Configure S3 Bucket Logging: During the creation of the trail, specify the S3 bucket that will be used to store the logs. Ensure this bucket has the correct policy in place to allow CloudTrail to write the logs.
  4. Enable S3 Data Event Logging: Within the trail settings, specify the S3 buckets for which you wish to enable data event logging, with both read and write events selected. You can select all buckets or specify certain buckets that contain GxP-related data; this rule expects every bucket to be covered.
  5. Review and Start Logging: Review your settings, and if all configurations are correct, start logging.
  6. (Optional) Enable Log File Integrity Validation: CloudTrail then delivers hourly digest files signed with its private key, and aws cloudtrail validate-logs can later prove that delivered log files have not been modified, deleted or forged. For an Annex 11 audit trail this is worth enabling.
  7. Check Log Delivery: Ensure that CloudTrail logs are being delivered to the specified S3 bucket and that the trail status shows no delivery error.
  8. Monitor the Trail: Regularly monitor the trail and the S3 bucket to ensure they are actively capturing and storing S3 data events, and alert on any change to the trail's event selectors or a stop-logging call, since either silently ends the audit trail.

For compliance, ensure that all steps are followed precisely and that periodic audits are performed to maintain GxP EU Annex 11 compliance regarding data event logging. Keep in mind that the use of automation and continuous monitoring solutions can significantly ease the process of compliance and maintenance.
