
Rule: S3 Bucket Logging Should Be Enabled

Ensure that S3 bucket logging is enabled as per Program Management (PM) standards.

Rule: S3 bucket logging should be enabled
Framework: NIST 800-53 Revision 5
Severity: Low

Rule Description: S3 Bucket Logging for NIST 800-53 Revision 5 Compliance

Description:

To comply with the NIST 800-53 Revision 5 security control requirements, enable S3 server access logging for all relevant buckets in your AWS environment. Bucket logging records the requests made against a bucket, which supports monitoring and auditing of the activity on it and gives better control and visibility over the data stored in S3.

Troubleshooting Steps:

  1. Check if S3 bucket logging is already enabled for the appropriate buckets.
  2. Ensure the IAM role associated with the bucket has the necessary permissions to write logs.
  3. Verify that the bucket policy allows the logging permissions.

Necessary Codes:

No specific code is required to enable S3 bucket logging; it can be done through the AWS Management Console or with AWS CLI commands.

Step-by-step Guide for Enabling S3 Bucket Logging:

  1. Method 1: AWS Management Console

    • Open the AWS Management Console and navigate to the Amazon S3 service.
    • Select the relevant bucket for which you want to enable logging.
    • Click on the "Properties" tab.
    • Under the "Server access logging" section, click on the "Edit" button.
    • Enable server access logging by selecting the target bucket and specifying the log file prefix.
    • Click on the "Save" button to apply the log settings.
  2. Method 2: AWS CLI

    • Install and configure the AWS CLI if not already done.

    • Open the command-line interface (CLI) and run the following command to enable S3 bucket logging:

      aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status file://logging-configuration.json
      

      In the "logging-configuration.json" file, specify the target bucket that receives the logs and the log file prefix.

      Example content of the "logging-configuration.json" file:

      {
        "LoggingEnabled": {
          "TargetBucket": "<log-bucket-name>",
          "TargetPrefix": "<log-prefix>"
        }
      }
      
    • Verify the S3 bucket logging configuration by running the following command:

      aws s3api get-bucket-logging --bucket <bucket-name>
      

Remediation:

  1. Identify the S3 buckets that need to have logging enabled based on the NIST 800-53 Revision 5 compliance requirements.

  2. Choose one of the methods mentioned above to enable S3 bucket logging for each relevant bucket:

    • Method 1: AWS Management Console
    • Method 2: AWS CLI
  3. Validate the S3 bucket's logging configuration to ensure it is successfully enabled by using the appropriate AWS CLI command.

  4. Repeat the above steps for all the identified relevant buckets until S3 bucket logging is enabled for each one.
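The verification command in Method 2 and remediation step 3 both come down to reading the `get-bucket-logging` result and deciding whether it satisfies the rule. The following script is an added example (not Cloud Defense's code and not part of the original page) that does that evaluation for a set of buckets and also builds the JSON body for `put-bucket-logging`. It assumes only the response shape that `aws s3api get-bucket-logging` and boto3's `get_bucket_logging()` actually return (an empty object when logging is off, otherwise a `LoggingEnabled` object with `TargetBucket` and `TargetPrefix`); the bucket names are constructed samples, and the optional live audit assumes boto3 is installed and AWS credentials are configured. Beyond the rule's own check it flags two caveats AWS documents: a bucket delivering logs into itself, and an empty prefix, which makes logs from several source buckets indistinguishable in one target.

```python
"""Evaluate S3 server access logging configuration against the rule
"S3 bucket logging should be enabled".  Added example, not vendor code."""
import json
from typing import Dict, List


def evaluate_logging(bucket: str, response: Dict) -> List[str]:
    """Return findings for one bucket; an empty list means compliant.

    `response` has the shape of a get-bucket-logging result:
    {} when logging is off, otherwise
    {"LoggingEnabled": {"TargetBucket": "...", "TargetPrefix": "..."}}.
    """
    cfg = response.get("LoggingEnabled")
    if not cfg:
        return [f"{bucket}: server access logging is disabled"]
    findings: List[str] = []
    target = cfg.get("TargetBucket", "")
    prefix = cfg.get("TargetPrefix", "")
    if not target:
        findings.append(f"{bucket}: LoggingEnabled is set but TargetBucket is empty")
    elif target == bucket:
        # Logging into the source bucket: every log delivery generates further
        # log records, so AWS advises a separate target bucket.
        findings.append(f"{bucket}: logs are delivered to the source bucket itself")
    if not prefix:
        findings.append(
            f"{bucket}: TargetPrefix is empty; use a per-bucket prefix such as logs/{bucket}/"
        )
    return findings


def audit(responses: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Evaluate every bucket; only non-compliant buckets appear in the result."""
    result: Dict[str, List[str]] = {}
    for bucket, response in responses.items():
        findings = evaluate_logging(bucket, response)
        if findings:
            result[bucket] = findings
    return result


def build_logging_configuration(target_bucket: str, prefix: str) -> str:
    """Produce the JSON body that
    `aws s3api put-bucket-logging --bucket-logging-status file://...` expects."""
    body = {"LoggingEnabled": {"TargetBucket": target_bucket, "TargetPrefix": prefix}}
    return json.dumps(body, indent=2)


# Constructed sample responses (bucket names are made up), one per bucket,
# in exactly the shape get-bucket-logging returns.
SAMPLE_RESPONSES: Dict[str, Dict] = {
    "app-data-prod": {
        "LoggingEnabled": {"TargetBucket": "central-s3-logs", "TargetPrefix": "logs/app-data-prod/"}
    },
    "static-assets": {},  # logging never enabled
    "archive": {"LoggingEnabled": {"TargetBucket": "archive", "TargetPrefix": ""}},
}


def audit_live_account() -> Dict[str, List[str]]:
    """Read-only audit of every bucket in the caller's account.
    Assumes boto3 is installed and credentials are configured; imported here
    so the offline functions above run without it."""
    import boto3  # assumption: available in the environment

    s3 = boto3.client("s3")
    responses = {}
    for entry in s3.list_buckets()["Buckets"]:
        name = entry["Name"]
        responses[name] = s3.get_bucket_logging(Bucket=name)
    return audit(responses)


if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_RESPONSES).items():
        for line in findings:
            print(line)
    print(build_logging_configuration("central-s3-logs", "logs/static-assets/"))
```

Run as-is the script reports on the constructed samples: `static-assets` has logging disabled and `archive` logs into itself with no prefix, while `app-data-prod` is compliant. Replace `audit(SAMPLE_RESPONSES)` with `audit_live_account()` to evaluate a real account, and feed the printed JSON to `put-bucket-logging` for each non-compliant bucket.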

By following the above steps, you can ensure S3 bucket logging is enabled for NIST 800-53 Revision 5 compliance in your AWS environment.
