Rule: S3 Bucket Logging Should Be Enabled
This rule ensures that S3 bucket logging is enabled to enhance security and compliance measures.
| Rule | S3 bucket logging should be enabled |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ Low |
Rule Description
S3 bucket logging should be enabled to ensure compliance with NIST 800-171 Revision 2. This requirement helps track and monitor any actions performed on the S3 bucket, ensuring accountability and security of sensitive information.
Enabling logging for S3 buckets ensures that all access and administrative activities, including object-level API operations, are logged and made available for auditing purposes. The log files can be stored in a separate S3 bucket or redirected to AWS CloudWatch Logs or Amazon S3 Batch Operations.
Troubleshooting Steps
If S3 bucket logging is not enabled, follow these troubleshooting steps to enable it:
- 1.Check the bucket properties in the AWS Management Console or using the AWS CLI to determine if logging is enabled.
- 2.If logging is not enabled, go to the bucket properties and enable logging.
- 3.Ensure that the target bucket for logging has appropriate permissions to write log files.
- 4.Verify that the logging is functioning correctly by checking the log files in the designated location.
Necessary Code
Use the following AWS CLI code to enable S3 bucket logging:
aws s3api put-bucket-logging --bucket <bucket-name> --logging-configuration '{"LoggingEnabled": {"TargetBucket": "<target-bucket-name>", "TargetPrefix": "<log-prefix>"}}'
Replace
<bucket-name><target-bucket-name><log-prefix>Step-by-Step Guide for Remediation
Follow the steps below to enable S3 bucket logging:
- 1.Open the AWS Management Console and navigate to the S3 service.
- 2.Identify the bucket for which logging needs to be enabled and select it.
- 3.Click on the "Properties" tab.
- 4.Scroll down to the "Server access logging" section and click on "Edit".
- 5.Check the box for "Enable logging" and provide the target bucket name for storing the logs.
- 6.Optionally, specify a log file prefix if desired.
- 7.Click on "Save changes" to enable logging for the selected bucket.
Alternatively, you can use the AWS CLI to enable S3 bucket logging by executing the following steps:
- 1.
Open your preferred command-line interface (CLI).
- 2.
Run the following AWS CLI command to enable logging:
aws s3api put-bucket-logging --bucket <bucket-name> --logging-configuration '{"LoggingEnabled": {"TargetBucket": "<target-bucket-name>", "TargetPrefix": "<log-prefix>"}}'Replace
with the name of the S3 bucket for which logging needs to be enabled. Replace<bucket-name>
with the name of the bucket where the log files will be stored.<target-bucket-name>
should be replaced with the desired prefix for the log file names.<log-prefix> - 3.
Verify the bucket's properties to ensure logging is enabled by either using the AWS Management Console or running the following AWS CLI command:
aws s3api get-bucket-logging --bucket <bucket-name>Replace
with the name of the S3 bucket you enabled logging for.<bucket-name>
By following the above steps and enabling S3 bucket logging, you will ensure compliance with NIST 800-171 Revision 2 requirements.