
Rule: All S3 Buckets should log S3 data events in CloudTrail

Ensure compliance by enabling logging of S3 data events in CloudTrail for all S3 buckets.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

All S3 buckets within the environment must have CloudTrail logging enabled for S3 data events, in compliance with NIST 800-53 Revision 5 requirements. This rule ensures that access to S3 data is properly logged and audited.

Troubleshooting Steps:

  1. Verify CloudTrail is enabled for the AWS account.
  2. Ensure the IAM user/role has sufficient permissions to enable logging for S3 buckets.
  3. Check if the S3 bucket has an existing CloudTrail configuration.
  4. Confirm that the S3 bucket is not excluded from CloudTrail logging.
  5. Review CloudTrail logging configuration settings for any conflicts or errors.

Necessary Code:

No specific code is required for this rule. However, the following AWS CLI command can be used to enable logging for an S3 bucket:

aws s3api put-bucket-logging --bucket <bucket_name> --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"<destination_bucket_name>","TargetPrefix":"<prefix>"}}'

Replace <bucket_name> with the name of the S3 bucket that needs logging and <destination_bucket_name> with the bucket where the logs will be delivered. <prefix> is an optional prefix for the log file names (leave it as an empty string if no prefix is wanted).

Note that put-bucket-logging configures S3 server access logging, which is delivered by S3 itself. CloudTrail S3 data events are configured on the trail rather than on the bucket, using aws cloudtrail put-event-selectors with an AWS::S3::Object data resource whose values list the bucket ARNs, for example arn:aws:s3:::<bucket_name>/.

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console.
  2. Navigate to the CloudTrail service.
  3. Ensure CloudTrail is enabled for the AWS account. If not, follow the AWS documentation to enable CloudTrail.
  4. Identify the S3 bucket(s) that need to have logging enabled.
  5. Open the AWS CLI or an AWS SDK with appropriate IAM permissions.
  6. Execute the following AWS CLI command to enable logging for an S3 bucket:

     aws s3api put-bucket-logging --bucket <bucket_name> --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"<destination_bucket_name>","TargetPrefix":"<prefix>"}}'

     Replace <bucket_name> with the name of the S3 bucket to enable logging for, <destination_bucket_name> with the name of the bucket where the logs will be delivered, and <prefix> with an optional prefix for the log file names (an empty string if none is wanted). This command enables S3 server access logging; S3 data events for CloudTrail are added to the trail itself with aws cloudtrail put-event-selectors.

  7. Verify that the logging configuration is applied by checking the CloudTrail configuration for the S3 bucket in the AWS Management Console.
  8. Repeat the above steps for all other S3 buckets that require logging.
  9. Monitor the CloudTrail logs to ensure that S3 data events are properly logged.

Note: It is recommended to automate the configuration of CloudTrail logging for S3 buckets using AWS CloudFormation, AWS CLI scripting, or infrastructure-as-code frameworks like AWS Cloud Development Kit (CDK).
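As an added example, not part of the original rule page, the following Python script audits a trail's event selectors (in the JSON shape returned by aws cloudtrail get-event-selectors) against a bucket inventory, reports which buckets are not fully covered by S3 data-event logging, and builds the selector document for aws cloudtrail put-event-selectors. The trail ARN, account id and bucket names are constructed placeholders.

```python
"""Audit CloudTrail S3 data-event coverage per bucket (added example)."""
import json

# Constructed sample in the shape returned by `aws cloudtrail get-event-selectors`;
# the trail ARN, account id and bucket names are placeholders, not real resources.
SAMPLE_SELECTORS = json.loads("""{
  "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
  "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": true,
    "DataResources": [{"Type": "AWS::S3::Object",
      "Values": ["arn:aws:s3:::finance-reports/", "arn:aws:s3:::uploads/incoming/"]}]}]
}""")
# Constructed bucket inventory, as `aws s3api list-buckets` would enumerate it.
SAMPLE_BUCKETS = ["finance-reports", "uploads", "public-assets"]

def s3_data_event_coverage(selectors, buckets):
    """Classify each bucket: 'full' (every object, reads and writes),
    'partial' (a prefix only, or only reads or only writes) or 'none'."""
    coverage = {b: "none" for b in buckets}
    for sel in selectors.get("EventSelectors", []):
        all_ops = sel.get("ReadWriteType", "All") == "All"
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            for value in res.get("Values", []):
                for b in buckets:
                    # "arn:aws:s3" alone selects all current and future buckets;
                    # "arn:aws:s3:::<bucket>/" selects every object in one bucket.
                    whole = value in ("arn:aws:s3", f"arn:aws:s3:::{b}/")
                    prefix = value.startswith(f"arn:aws:s3:::{b}/")
                    if whole and all_ops:
                        coverage[b] = "full"
                    elif (whole or prefix) and coverage[b] != "full":
                        coverage[b] = "partial"
    return coverage

def buckets_needing_remediation(selectors, buckets):
    """Sorted list of buckets whose data events are not fully logged."""
    return sorted(b for b, c in s3_data_event_coverage(selectors, buckets).items()
                  if c != "full")

def event_selector_for(buckets):
    """Build the --event-selectors document for `aws cloudtrail put-event-selectors`
    that logs all data events for the given buckets (it replaces existing selectors)."""
    return [{"ReadWriteType": "All", "IncludeManagementEvents": True,
             "DataResources": [{"Type": "AWS::S3::Object",
                                "Values": [f"arn:aws:s3:::{b}/" for b in buckets]}]}]
```

On a real account, feed the parsed output of get-event-selectors and list-buckets into the two functions instead of the samples. Because put-event-selectors replaces the trail's existing selectors, merge the generated document with what the trail already selects rather than overwriting it.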
