
Rule: All S3 Buckets Should Log S3 Data Events in CloudTrail

This rule ensures that all S3 buckets are logging S3 data events in CloudTrail.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description

This rule ensures that all of your S3 buckets are configured to log S3 data events in CloudTrail, thereby enforcing compliance with NIST 800-171 Revision 2.

Troubleshooting Steps

If you encounter any issues while implementing this rule, here are some troubleshooting steps you can take:

  1. Verify AWS CloudTrail configuration: Ensure that you have properly configured CloudTrail in the AWS Management Console. Check that the correct S3 bucket is specified for storing CloudTrail logs.

  2. Check S3 bucket permissions: Ensure that the IAM role associated with CloudTrail has the necessary permissions to access your S3 buckets. Verify that the appropriate IAM policies are attached to the IAM role.

  3. Confirm S3 bucket server access logging: Ensure that server access logging is enabled for each S3 bucket you want to monitor. This can be verified through the AWS Management Console or by using the AWS CLI.

  4. Review CloudTrail event history: Check the CloudTrail event history and logs for any error messages or events related to S3 data events. This can help identify specific issues or misconfigurations.

Remediation Steps

Follow these steps to remediate any non-compliant S3 buckets and ensure they are logging S3 data events in CloudTrail:

  1. Configuration via AWS Management Console:

    • Sign in to the AWS Management Console.
    • Open the CloudTrail service.
    • Select the appropriate trail or create a new one.
    • In the trail configuration, navigate to the "Data events" section.
    • Enable data events for S3 buckets.
    • Save the configuration.

  2. Configuration via AWS CLI:

    Use the following AWS CLI command to enable S3 data event logging in CloudTrail:

    aws cloudtrail put-event-selectors --trail-name <trail_name> --event-selectors '[{"ReadWriteType":"All","IncludeManagementEvents":true,"DataResources":[{"Type":"AWS::S3::Object","Values":["arn:aws:s3"]}]}]'

    Replace <trail_name> with the name of your CloudTrail trail.

    The above command sets an event selector that logs both read and write S3 data events for all S3 buckets in the account (the arn:aws:s3 prefix) on the selected CloudTrail trail, while keeping management events enabled.


  3. Verify Compliance:

    After enabling the configuration, validate that the S3 buckets are compliant by performing the following steps:

    • Check the CloudTrail trail configuration to ensure S3 data event logging is enabled.
    • Confirm that the S3 bucket(s) you want to monitor are associated with the trail.
    • Review the CloudTrail logs to verify that S3 data events are being captured.

  4. Repeat Steps for Each Non-Compliant Bucket:

    If there are multiple non-compliant S3 buckets, repeat the above steps to enable S3 data event logging for each bucket individually.

Following these steps will ensure that all your S3 buckets are configured to log S3 data events in CloudTrail, meeting the requirements of NIST 800-171 Revision 2.
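The verification in step 3 above can be automated by reading a trail's event selectors and deciding whether they cover every bucket. The following is an added example, not code from the original page: it evaluates the JSON that `aws cloudtrail get-event-selectors --trail-name <trail_name>` (or boto3's get_event_selectors) returns, handling both classic and advanced event selectors; the sample responses inside it are constructed.

```python
# Added compliance check for this rule (not code from the original page): given
# the JSON returned by `aws cloudtrail get-event-selectors --trail-name <trail_name>`
# (or boto3's get_event_selectors), decide whether the trail logs S3 data events
# for every bucket. Sample responses below are constructed, not captured.
ALL_S3 = "arn:aws:s3"          # account-wide prefix meaning "all buckets"
S3_OBJECT = "AWS::S3::Object"  # data-resource type for object-level events

def _is_all_s3(value: str) -> bool:
    # "arn:aws:s3" and "arn:aws:s3:::" both select every bucket in the account.
    return value.rstrip(":/") == ALL_S3

def basic_selector_covers_all_s3(sel: dict) -> bool:
    """Classic EventSelectors entry: ReadWriteType All plus an S3 object
    DataResource that uses the account-wide prefix."""
    if sel.get("ReadWriteType", "All") != "All":
        return False
    return any(res.get("Type") == S3_OBJECT
               and any(_is_all_s3(v) for v in res.get("Values", []))
               for res in sel.get("DataResources", []))

def advanced_selector_covers_all_s3(sel: dict) -> bool:
    """AdvancedEventSelectors entry: eventCategory Data, resources.type
    AWS::S3::Object, no readOnly split, no ARN filter narrower than S3."""
    fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
    if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
        return False
    if S3_OBJECT not in fields.get("resources.type", {}).get("Equals", []):
        return False
    if "readOnly" in fields:  # logs only reads or only writes, not both
        return False
    arn = fields.get("resources.ARN")
    return arn is None or any(_is_all_s3(v) for v in arn.get("StartsWith", []))

def trail_logs_all_s3_data_events(resp: dict) -> bool:
    """True when at least one selector on the trail covers every bucket."""
    return (any(basic_selector_covers_all_s3(s) for s in resp.get("EventSelectors", []))
            or any(advanced_selector_covers_all_s3(s)
                   for s in resp.get("AdvancedEventSelectors", [])))

# Constructed sample responses for the three cases a reviewer meets most often.
COMPLIANT_BASIC = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                   "DataResources": [{"Type": S3_OBJECT, "Values": [ALL_S3]}]}]}
ONE_BUCKET_ONLY = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                   "DataResources": [{"Type": S3_OBJECT, "Values": ["arn:aws:s3:::example-bucket/"]}]}]}
COMPLIANT_ADVANCED = {"AdvancedEventSelectors": [{"Name": "All S3 object events", "FieldSelectors": [
                      {"Field": "eventCategory", "Equals": ["Data"]},
                      {"Field": "resources.type", "Equals": [S3_OBJECT]}]}]}
```

A trail that logs only one bucket, only writes, or only management events is reported as non-compliant, which is the gap this rule is meant to catch.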
