
Rule: All S3 Buckets Should Log S3 Data Events in CloudTrail

This rule ensures that all S3 buckets log S3 data events in CloudTrail for better monitoring and compliance.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description

All S3 buckets in the environment must have their S3 data events logged in AWS CloudTrail to support the audit and accountability requirements of NIST 800-171 Revision 2. By default a trail records only management events (bucket-level API calls such as CreateBucket or PutBucketPolicy); object-level operations such as GetObject, PutObject and DeleteObject are data events and are recorded only when the trail's event selectors explicitly include S3 data events for the bucket, for both reads and writes. With data events enabled, every access to the objects in a bucket is recorded and can be audited. Note that S3 server access logging is a separate feature and does not satisfy this rule, and that CloudTrail data events are billed separately from management events.

Troubleshooting Steps

If S3 data events for a bucket are not appearing in CloudTrail, the following troubleshooting steps can be followed:

  1. Verify that a CloudTrail trail exists in the account (a multi-region trail, or a trail in the bucket's region) and that logging is turned on for it. The console's 90-day Event history does not record data events; a trail is required.
  2. Check that the trail's event selectors include S3 data events for the bucket in question, covering both read and write events (aws cloudtrail get-event-selectors --trail-name <trail_name>). A selector with ReadWriteType set to ReadOnly or WriteOnly, or an advanced event selector restricted by readOnly, leaves a gap.
  3. If the trail also delivers to CloudWatch Logs, check that the IAM role CloudTrail assumes has permission to write to the log group.
  4. Ensure that the destination bucket policy allows the cloudtrail.amazonaws.com service principal to write log files (s3:PutObject) and to read the bucket ACL (s3:GetBucketAcl).
  5. Review the trail configuration for conflicting settings, such as an advanced event selector that excludes the bucket with NotStartsWith or NotEquals, or an organization trail whose selectors are managed from the management account.
  6. Check the trail status for delivery errors (aws cloudtrail get-trail-status --name <trail_name>) and confirm the trail's destination bucket and prefix still exist.
  7. Inspect the delivered log files in the trail's destination bucket for the expected S3 data events; because Event history shows only management events, the absence of data events there is not itself an error.
  8. Contact AWS Support for further assistance if the issue persists.

Necessary Codes

If the trail is not already logging S3 data events, the following AWS CLI command enables them for a specific bucket. Note that put-event-selectors replaces the trail's existing event selectors, so include any selectors that are already configured in the same call:

aws cloudtrail put-event-selectors --trail-name <trail_name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true,"DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3:::<bucket_name>/"]}]}]'

To cover all current and future buckets in the account with one selector, use "arn:aws:s3" as the value instead of a bucket ARN.

Make sure to replace <trail_name> and <bucket_name> with the appropriate values. The aws s3api put-bucket-logging command configures S3 server access logging, which is a different feature and does not enable CloudTrail data events.

Step-by-Step Guide for Remediation

To ensure S3 buckets log S3 data events in AWS CloudTrail, follow these steps:

  1. Open the AWS Management Console and navigate to the AWS CloudTrail service.
  2. Choose "Trails" and select the trail that should record S3 data events. If no trail exists, create one first; the default Event history does not record data events.
  3. In the trail details page, go to the "Data events" section and choose "Edit".
  4. Enable data event logging and choose "S3" as the data event type.
  5. Choose whether to log all current and future S3 buckets, or add the individual buckets that need to be logged (by bucket ARN, for example arn:aws:s3:::<bucket_name>/). Logging all buckets is the simplest way to satisfy this rule and avoids missing buckets created later.
  6. Make sure both read and write events are selected; logging only one direction leaves a gap.
  7. Click "Save changes".
  8. Repeat steps 2-7 for any other trail that should record these events (for example a trail in another region if the trail is not multi-region).
  9. Verify the configuration using the AWS CLI:

aws cloudtrail get-event-selectors --trail-name <trail_name>

Replace <trail_name> with the name of the trail you want to check. The output should contain a DataResource of type AWS::S3::Object (or an advanced event selector with resources.type equal to AWS::S3::Object) whose values cover every bucket in scope.

  10. Inspect the log files delivered to the trail's destination bucket to ensure that S3 data events (for example GetObject, PutObject and DeleteObject) are being recorded for the buckets in scope.

By following these steps, all S3 buckets will be configured to log S3 data events in AWS CloudTrail, meeting the NIST 800-171 Revision 2 compliance requirements.
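The check behind this rule, and the verification in the troubleshooting and remediation steps above, can be done offline against the JSON that aws cloudtrail get-event-selectors returns. The following is an added example and is not Cloud Defense's own code or an AWS library: it takes the selectors of one or more trails plus a list of bucket names and reports the buckets that no trail fully covers, handling both classic event selectors and advanced event selectors and treating read-only, write-only or prefix-limited selectors as gaps. The trail names, bucket names and selector data are constructed sample values.

```python
"""Offline coverage check for CloudTrail S3 data-event selectors (added example).

Input shapes mirror the output of `aws cloudtrail get-event-selectors --trail-name <trail>`.
All trail names, bucket names and selectors below are constructed sample data.
"""
import json


def object_arn(bucket: str) -> str:
    """ARN prefix for every object in the bucket; selectors match on this form."""
    return f"arn:aws:s3:::{bucket}/"


def classic_covers(selectors: list, bucket: str) -> bool:
    """True if a classic EventSelector logs all reads and writes for the whole bucket.

    'arn:aws:s3' means every bucket; the bucket ARN with a trailing slash means every
    object in that bucket. A longer value (a key prefix) only covers part of the bucket.
    """
    arn = object_arn(bucket)
    for sel in selectors:
        if sel.get("ReadWriteType", "All") != "All":
            continue  # ReadOnly / WriteOnly selectors leave a gap
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            for value in res.get("Values", []):
                if value in ("arn:aws:s3", arn, arn.rstrip("/")):
                    return True
    return False


def advanced_covers(selectors: list, bucket: str) -> bool:
    """True if an AdvancedEventSelector logs all S3 object events for the whole bucket."""
    arn = object_arn(bucket)
    for sel in selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if fields.get("resources.type", {}).get("Equals") != ["AWS::S3::Object"]:
            continue
        if "readOnly" in fields:
            continue  # restricted to reads or writes only: not full coverage
        res = fields.get("resources.ARN")
        if res is None:
            return True  # no ARN restriction: every bucket in the account
        excluded = (
            arn in res.get("NotEquals", [])
            or arn.rstrip("/") in res.get("NotEquals", [])
            or any(arn.startswith(p) for p in res.get("NotStartsWith", []))
        )
        if excluded:
            continue
        if arn in res.get("Equals", []) or arn.rstrip("/") in res.get("Equals", []):
            return True
        # StartsWith covers the whole bucket only if the prefix is no longer than the bucket ARN
        if any(arn.startswith(p) for p in res.get("StartsWith", [])):
            return True
    return False


def uncovered_buckets(trails: dict, buckets: list) -> list:
    """Return the buckets that no trail fully covers. trails maps name -> get-event-selectors output."""
    missing = []
    for bucket in buckets:
        covered = any(
            classic_covers(t.get("EventSelectors", []), bucket)
            or advanced_covers(t.get("AdvancedEventSelectors", []), bucket)
            for t in trails.values()
        )
        if not covered:
            missing.append(bucket)
    return missing


def remediation_selectors(buckets: list) -> str:
    """Classic selector JSON for `aws cloudtrail put-event-selectors --event-selectors`.

    put-event-selectors replaces the trail's selectors, so merge with existing ones first.
    """
    return json.dumps([{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": "AWS::S3::Object", "Values": [object_arn(b) for b in buckets]}],
    }])


# Constructed sample data: two trails, one per selector model.
SAMPLE_TRAILS = {
    "org-trail": {  # classic selectors, one finance bucket
        "EventSelectors": [{
            "ReadWriteType": "All", "IncludeManagementEvents": True,
            "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::finance-data/"]}],
        }],
    },
    "s3-trail": {  # advanced selectors: all prod-* buckets, reads only on archive
        "AdvancedEventSelectors": [
            {"Name": "prod buckets", "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::prod-"]}]},
            {"Name": "archive reads", "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                {"Field": "readOnly", "Equals": ["true"]},
                {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::archive/"]}]},
        ],
    },
}
SAMPLE_BUCKETS = ["finance-data", "prod-uploads", "archive", "scratch-tmp"]

if __name__ == "__main__":
    gaps = uncovered_buckets(SAMPLE_TRAILS, SAMPLE_BUCKETS)
    print("buckets without full data-event logging:", gaps)
    print("suggested --event-selectors value:", remediation_selectors(gaps))
```

In a real audit the two inputs come from aws s3api list-buckets and from get-event-selectors for every trail in the account (including organization trails owned by the management account); the coverage logic stays the same. The archive bucket is reported as a gap on purpose: a read-only selector satisfies neither the "all access" wording of the rule nor an incident responder who needs to see deletions.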
