
Rule: All S3 Buckets Log S3 Data Events in CloudTrail

This rule ensures that all S3 buckets are logging S3 data events in CloudTrail.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description

This rule ensures that all S3 buckets within an AWS account enable logging of S3 data events in CloudTrail, in accordance with the NIST (National Institute of Standards and Technology) 800-53 Revision 5 security guidelines.

Enabling CloudTrail logging for S3 data events provides a comprehensive audit trail of all actions performed on S3 buckets, such as object-level API operations, bucket-level operations, and permission changes. This helps capture key information for security analysis, compliance audits, and incident response.

Troubleshooting Steps

  1. Verify CloudTrail Configuration: Check that CloudTrail is properly configured and that its logging is enabled for the region where the S3 bucket exists.
  2. Validate S3 Bucket Logging: Ensure that the targeted S3 bucket has logging enabled and that the logs are being delivered to CloudTrail.
  3. Review IAM Permissions: Verify that the IAM user or role executing the remediation steps has sufficient permissions to enable logging and update S3 bucket settings.
  4. Check CloudTrail IAM Role: Ensure that the IAM role associated with CloudTrail has the permissions needed to write logs to the target S3 bucket.

Necessary Codes

There are no specific codes needed to enforce this rule. Instead, the following are the remediation steps to enable S3 bucket logging in CloudTrail.

Remediation Steps

  1. Open the AWS Management Console and navigate to the CloudTrail service.
  2. Click on the specific trail associated with the AWS account where the S3 bucket resides.
  3. Within the trail details page, click on the "Edit" button.
  4. Scroll down to the "Management events" section and ensure that the "Read/Write events" checkbox is selected.
  5. Scroll further down to the "Data events" section and enable logging for S3 by selecting the "All S3 data events" checkbox.
  6. Choose the S3 bucket log file prefix, which is the path in the S3 bucket where the log files are stored. You can use a custom prefix or choose the default option.
  7. Click the "Save" button to save the changes.

Verification

To verify if the S3 bucket is successfully logging data events in CloudTrail, follow these steps:

  1. Open the AWS Management Console and navigate to the CloudTrail service.
  2. Select the specific trail associated with the AWS account where the S3 bucket resides.
  3. In the trail details page, click on the "Event history" tab.
  4. Use the filter option to narrow down the displayed events by selecting the specific S3 bucket and the desired time range.
  5. Review the listed events to ensure that the required S3 data events are being logged.

If there are no events listed or if the required events are missing, review the troubleshooting steps mentioned earlier to identify and resolve any issues.
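The remediation and verification steps above are console procedures. The same check can be scripted against the trail's event selectors, which is where the "Read/Write events" and "All S3 data events" choices end up. The following is an added example, not code from CloudDefense or AWS: it evaluates a response in the shape returned by `aws cloudtrail get-event-selectors --trail-name <TRAIL>` and builds the selector list that `aws cloudtrail put-event-selectors` accepts to enable all S3 data events. The sample responses, the trail name `example-trail` and the account id are constructed placeholders. The evaluator handles both basic and advanced event selectors and treats a selector limited to one bucket or to reads or writes only as non-compliant, which is the general case of the single-bucket check the Verification section describes.

```python
"""Added example (not CloudDefense's or AWS's own code): decide from a
trail's event selectors whether it logs data events for every S3 bucket,
and build the selector the console remediation steps produce.
The sample responses below are constructed to mirror the shape of
`aws cloudtrail get-event-selectors --trail-name <TRAIL>` output."""
import json

# Resource values CloudTrail accepts in a basic selector to mean
# "all current and future S3 buckets" (the "All S3 data events" checkbox).
ALL_S3_VALUES = {"arn:aws:s3", "arn:aws:s3:::"}


def build_all_s3_data_event_selectors():
    """Selector list equivalent to ticking "Read/Write events" under
    Management events and "All S3 data events" under Data events.
    Pass it as --event-selectors to `aws cloudtrail put-event-selectors`."""
    return [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
    }]


def _basic_selector_covers_all_s3(selector):
    """Basic selector: needs an S3 object resource carrying the all-buckets
    value and ReadWriteType All (not ReadOnly or WriteOnly)."""
    for resource in selector.get("DataResources", []):
        if resource.get("Type") != "AWS::S3::Object":
            continue
        if any(v in ALL_S3_VALUES for v in resource.get("Values", [])):
            return selector.get("ReadWriteType", "All") == "All"
    return False


def _advanced_selector_covers_all_s3(selector):
    """Advanced selector: eventCategory Data plus resources.type
    AWS::S3::Object, with no readOnly restriction and no ARN constraint
    that narrows it to particular buckets."""
    fields = {f["Field"]: f for f in selector.get("FieldSelectors", [])}
    if "Data" not in fields.get("eventCategory", {}).get("Equals", []):
        return False
    if "AWS::S3::Object" not in fields.get("resources.type", {}).get("Equals", []):
        return False
    if "readOnly" in fields:
        return False  # only reads or only writes are logged, not both
    arn = fields.get("resources.ARN")
    if arn is None:
        return True
    # A StartsWith on the bare S3 ARN prefix still matches every bucket;
    # Equals or any longer prefix limits the selector to specific buckets.
    return any(v in ALL_S3_VALUES for v in arn.get("StartsWith", []))


def trail_logs_all_s3_data_events(response):
    """True if any selector in a get-event-selectors response covers
    read and write data events for all S3 buckets."""
    basic = response.get("EventSelectors") or []
    advanced = response.get("AdvancedEventSelectors") or []
    return (any(_basic_selector_covers_all_s3(s) for s in basic)
            or any(_advanced_selector_covers_all_s3(s) for s in advanced))


# Constructed sample responses (placeholder ARN, not from a real account).
COMPLIANT_BASIC = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail",
    "EventSelectors": build_all_s3_data_event_selectors()}
MANAGEMENT_ONLY = {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]}
ONE_BUCKET_ONLY = {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True,
     "DataResources": [{"Type": "AWS::S3::Object",
                        "Values": ["arn:aws:s3:::example-bucket/"]}]}]}
ADVANCED_WRITE_ONLY = {"AdvancedEventSelectors": [
    {"Name": "S3 writes only",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                        {"Field": "readOnly", "Equals": ["false"]}]}]}
ADVANCED_ALL = {"AdvancedEventSelectors": [
    {"Name": "All S3 data events",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]}

if __name__ == "__main__":
    print("Selector to apply with put-event-selectors:")
    print(json.dumps(build_all_s3_data_event_selectors(), indent=2))
    for name, resp in [("compliant basic", COMPLIANT_BASIC),
                       ("management events only", MANAGEMENT_ONLY),
                       ("single bucket only", ONE_BUCKET_ONLY),
                       ("advanced, writes only", ADVANCED_WRITE_ONLY),
                       ("advanced, all S3", ADVANCED_ALL)]:
        status = "OK" if trail_logs_all_s3_data_events(resp) else "NOT COMPLIANT"
        print(f"{name}: {status}")
```

To run it against a live account, feed the output of `aws cloudtrail get-event-selectors --trail-name example-trail` (parsed with `json.loads`) to `trail_logs_all_s3_data_events`; a trail that only logs management events, or only a single bucket, is reported as non-compliant, which matches the failure modes the troubleshooting steps describe.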
