
Rule: All S3 Buckets should log S3 data events in CloudTrail

This rule ensures that all S3 buckets have logging enabled for S3 data events in CloudTrail.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description

All S3 buckets should have CloudTrail enabled to log S3 data events, as required by NIST 800-171 Revision 2. This rule ensures that any access to or change of S3 data within an organization's AWS account is recorded and can be audited for compliance and security purposes.

Troubleshooting Steps

If CloudTrail is not enabled for S3 buckets, follow these troubleshooting steps:

  1. Verify S3 Bucket Logging: Check if CloudTrail logging is enabled for the S3 bucket in question.
  2. Verify CloudTrail Configuration: Ensure that CloudTrail is properly configured to capture S3 data events.
  3. Check CloudTrail Logs: Review the CloudTrail logs to identify any errors or omissions related to S3 data event logging.
  4. Verify IAM Permissions: Ensure that the IAM role associated with CloudTrail has sufficient permissions to log S3 data events.

Necessary Codes

There are no specific codes required for this rule. However, enabling CloudTrail for S3 buckets can be achieved using the AWS Command Line Interface (CLI) with the following command:

aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "<CloudTrail-Bucket-Name>", "TargetPrefix": "<CloudTrail-Log-Prefix>"}}'

Replace <bucket-name> with the name of the S3 bucket for which CloudTrail should be enabled. <CloudTrail-Bucket-Name> should be the name of the bucket where CloudTrail logs will be stored, and <CloudTrail-Log-Prefix> should be the desired prefix for the CloudTrail log files within the bucket.

Step-by-Step Guide for Remediation

Follow these steps to enable CloudTrail logging for an S3 bucket:

  1. Identify the S3 Bucket: Determine the name of the S3 bucket for which CloudTrail logging needs to be enabled.
  2. Create a CloudTrail Bucket: If no CloudTrail bucket exists, create a new S3 bucket to store the CloudTrail logs.
  3. Enable S3 Data Event Logging: Use the AWS CLI or AWS Management Console to enable CloudTrail logging for the S3 bucket.
    • AWS CLI Command:
      aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "<CloudTrail-Bucket-Name>", "TargetPrefix": "<CloudTrail-Log-Prefix>"}}'

      Replace <bucket-name> with the name of the S3 bucket for which CloudTrail should be enabled, <CloudTrail-Bucket-Name> with the name of the bucket where CloudTrail logs will be stored, and <CloudTrail-Log-Prefix> with the desired prefix for the CloudTrail log files within the bucket.
    • AWS Management Console:
      • Open the Amazon S3 console in your web browser.
      • Select the desired S3 bucket.
      • Click on the Properties tab.
      • Under Other properties, click on CloudTrail logging.
      • Enable CloudTrail logging and specify the CloudTrail bucket and log prefix.
      • Save the changes.
  4. Verify CloudTrail Logging: Validate that CloudTrail logging is enabled for the S3 bucket.
    • Check the CloudTrail configuration to ensure it is capturing S3 data events correctly.
    • Confirm that CloudTrail logs are being generated and stored in the specified bucket with the appropriate log prefix.
  5. Audit and Monitor: Regularly review the CloudTrail logs to monitor and audit the S3 data events and ensure compliance with NIST 800-171 Revision 2 guidelines.
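A worked verification for steps 3 and 4, added here as an example that is not part of the Cloud Defense rule page and not AWS tooling. One caveat a practitioner should know: `aws s3api put-bucket-logging` configures S3 server access logging, which is a separate feature from CloudTrail; S3 data events are enabled on a trail with `aws cloudtrail put-event-selectors` and inspected with `aws cloudtrail get-event-selectors --trail-name <trail>`. The script below builds the classic event-selector payload for one bucket and evaluates a trail's `get-event-selectors` output (both classic `EventSelectors` and `AdvancedEventSelectors`) to report whether a named bucket's data events are logged in full, only partially (prefix- or read/write-restricted), or not at all. The trail names, account ID and bucket names in the sample JSON are constructed.

```python
"""Check whether a bucket's S3 data events are covered by a CloudTrail trail.

Added example (not Cloud Defense's or AWS's code). Input is the JSON that
`aws cloudtrail get-event-selectors --trail-name <trail>` returns; sample
documents below are constructed for illustration.
"""
import json

S3_OBJECT_TYPE = "AWS::S3::Object"
_RANK = {"none": 0, "partial": 1, "full": 2}


def s3_data_event_selectors(bucket_name, read_write_type="All"):
    """Classic selector payload for `aws cloudtrail put-event-selectors`.

    Scoped to one bucket; the value "arn:aws:s3" alone would cover every
    bucket in the account.
    """
    return [{
        "ReadWriteType": read_write_type,
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": S3_OBJECT_TYPE,
                           "Values": [f"arn:aws:s3:::{bucket_name}/"]}],
    }]


def _stronger(a, b):
    return a if _RANK[a] >= _RANK[b] else b


def _arn_match(value, bucket_arn):
    """How a selector ARN value relates to the whole bucket."""
    prefix = bucket_arn + "/"
    if prefix.startswith(value):      # "arn:aws:s3" or the exact bucket
        return "full"
    if value.startswith(prefix):      # only a key prefix inside the bucket
        return "partial"
    return "none"


def _classic_covers(selector, bucket_arn):
    level = "none"
    for res in selector.get("DataResources", []):
        if res.get("Type") != S3_OBJECT_TYPE:
            continue
        for value in res.get("Values", []):
            level = _stronger(level, _arn_match(value, bucket_arn))
    # ReadOnly / WriteOnly trails miss half of the access story
    if level != "none" and selector.get("ReadWriteType", "All") != "All":
        return "partial"
    return level


def _advanced_covers(selector, bucket_arn):
    fields = {fs["Field"]: fs for fs in selector.get("FieldSelectors", [])}
    if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
        return "none"
    if fields.get("resources.type", {}).get("Equals") != [S3_OBJECT_TYPE]:
        return "none"
    prefix = bucket_arn + "/"
    arn = fields.get("resources.ARN", {})
    for excluded in arn.get("NotStartsWith", []) + arn.get("NotEquals", []):
        if prefix.startswith(excluded):
            return "none"
    positive = arn.get("StartsWith", []) + arn.get("Equals", [])
    level = "full"                      # no ARN filter means all buckets
    if positive:
        level = "none"
        for value in positive:
            level = _stronger(level, _arn_match(value, bucket_arn))
    if level != "none" and "readOnly" in fields:
        return "partial"
    return level


def bucket_data_event_coverage(trail_selectors, bucket_name):
    """Return "full", "partial" or "none" for one trail's selector output."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    best = "none"
    for sel in trail_selectors.get("EventSelectors") or []:
        best = _stronger(best, _classic_covers(sel, bucket_arn))
    for sel in trail_selectors.get("AdvancedEventSelectors") or []:
        best = _stronger(best, _advanced_covers(sel, bucket_arn))
    return best


# Constructed sample outputs of get-event-selectors for two trails.
SAMPLE_CLASSIC = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail",
    "EventSelectors": s3_data_event_selectors("finance-data"),
}
SAMPLE_ADVANCED = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
    "AdvancedEventSelectors": [{
        "Name": "All S3 objects except the log bucket",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": [S3_OBJECT_TYPE]},
            {"Field": "resources.ARN",
             "NotStartsWith": ["arn:aws:s3:::cloudtrail-logs/"]},
        ],
    }],
}

if __name__ == "__main__":
    print(json.dumps(s3_data_event_selectors("finance-data"), indent=2))
    for trail, bucket in ((SAMPLE_CLASSIC, "finance-data"),
                          (SAMPLE_CLASSIC, "hr-data"),
                          (SAMPLE_ADVANCED, "hr-data"),
                          (SAMPLE_ADVANCED, "cloudtrail-logs")):
        print(trail["TrailARN"], bucket, bucket_data_event_coverage(trail, bucket))
```

To use it against a real account, feed `json.load` of the `get-event-selectors` output for every trail that applies to the region (organization trails included) and treat "none" or "partial" for any in-scope bucket as a finding for this rule.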
