Rule: All S3 Buckets Should Log S3 Data Events in CloudTrail

This rule ensures that all S3 buckets are logging S3 data events in CloudTrail for enhanced security.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

All S3 buckets should have logging enabled for S3 data events in CloudTrail to meet the requirements of NIST 800-53 Revision 5.

This rule aims to ensure that all data-related activities performed on S3 buckets are centrally logged and auditable in order to enhance security and compliance controls.

Troubleshooting Steps:

  1. Ensure that the IAM user or role used to enable CloudTrail and S3 logging has sufficient permissions. It should have permissions to create and update CloudTrail configurations and access S3 buckets.
  2. Verify that the S3 bucket to be configured for logging is accessible and properly configured. Make sure the bucket exists and the appropriate permissions are set.
  3. Check if there are any conflicting IAM policies or bucket policies that may prevent CloudTrail from logging S3 data events.
  4. Ensure that the CloudTrail service is enabled in your AWS account.

Necessary Code:

No application code is required for this rule. Instead, you enable CloudTrail and S3 data event logging through the AWS Management Console or the AWS CLI.

Step-by-step Remediation:

Using AWS Management Console:

Please follow these steps to enable CloudTrail and S3 logging for NIST 800-53 Revision 5 compliance:

  1. Sign in to the AWS Management Console.
  2. Go to the CloudTrail console.
  3. Create a new trail or select an existing trail.
  4. On the Trail details page, select the S3 bucket where the CloudTrail logs should be stored. This bucket should be different from the S3 buckets you want to monitor.
  5. Enable logging of Data Events in the CloudTrail configuration for the chosen trail.
  6. Choose the specific S3 bucket(s) to log data events for.
  7. Review other settings such as storage options, log file validation, and encryption, based on your requirements.
  8. Confirm and create the trail.

Using AWS CLI:

Alternatively, you can use the AWS CLI to enable CloudTrail and S3 logging for NIST 800-53 Revision 5 compliance:

  1. Open the AWS CLI or terminal.

  2. Run the following command to create a trail with S3 logging and delivery to CloudWatch Logs:

     $ aws cloudtrail create-trail --name my-trail --s3-bucket-name my-bucket --include-global-service-events --is-multi-region-trail --enable-log-file-validation --cloud-watch-logs-log-group-arn my-log-group-arn --cloud-watch-logs-role-arn my-cloudwatch-role-arn

     Adjust the values for --name, --s3-bucket-name, --cloud-watch-logs-log-group-arn and --cloud-watch-logs-role-arn as per your requirements. The role ARN is the IAM role CloudTrail assumes to write to the log group; both CloudWatch Logs options must be given together, or both omitted.

  3. To enable logging of data events for specific S3 buckets, run the following command:

     $ aws cloudtrail put-event-selectors --trail-name my-trail --event-selectors '[{"ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::my-bucket/"]}]}]'

     Replace my-trail with the appropriate trail name and my-bucket with the desired S3 bucket. The trailing slash after the bucket name selects every object in that bucket; to log data events for every bucket in the account, use the single value arn:aws:s3 instead.

  4. Review other settings such as storage options, log file validation, and encryption using separate CLI commands as per your requirements.

Note: Ensure that you have the necessary permissions and AWS CLI is properly configured with the correct AWS credentials.

By following these steps, you will enable CloudTrail and S3 logging for all relevant S3 buckets, meeting the requirements of NIST 800-53 Revision 5.
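As an added example (not code from this page or from Cloud Defense), the following Python script checks which buckets are still not covered by a trail, using the classic event selector shape that put-event-selectors produces; it treats a trail that exists but is not logging as providing no coverage, and the bucket names, trail names and the boto3 live variant are assumptions.

```python
# Audit which S3 buckets lack object-level (data event) logging in CloudTrail. A bucket
# is covered only when a trail that is actually logging has a classic event selector with
# ReadWriteType "All" and an AWS::S3::Object resource naming it (or every bucket).
# Trails configured with advanced event selectors are not evaluated by this check.
ALL_BUCKETS_VALUES = ("arn:aws:s3", "arn:aws:s3:::")

def selector_covers_bucket(selector, bucket):
    """True if one classic event selector logs all object events for `bucket`."""
    if selector.get("ReadWriteType") != "All":  # ReadOnly/WriteOnly is partial coverage
        return False
    for res in selector.get("DataResources", []):
        if res.get("Type") != "AWS::S3::Object":
            continue
        for value in res.get("Values", []):
            # "arn:aws:s3:::bucket/" covers the whole bucket; "arn:aws:s3:::bucket/prefix/" does not
            if value in ALL_BUCKETS_VALUES or value.rstrip("/") == "arn:aws:s3:::" + bucket:
                return True
    return False

def uncovered_buckets(buckets, trails):
    """Sorted bucket names no logging trail covers; trails: [{"Name","IsLogging","EventSelectors"}]."""
    covered = set()
    for trail in trails:
        if not trail.get("IsLogging"):  # a created-but-stopped trail records nothing
            continue
        for sel in trail.get("EventSelectors", []):
            covered.update(b for b in buckets if selector_covers_bucket(sel, b))
    return sorted(set(buckets) - covered)

# Constructed sample data (no real account), shaped like the CloudTrail API responses.
SAMPLE_BUCKETS = ["app-data", "backups", "public-site"]
SAMPLE_TRAILS = [
    {"Name": "my-trail", "IsLogging": True, "EventSelectors": [{"ReadWriteType": "All",
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::app-data/"]}]}]},
    {"Name": "stopped-trail", "IsLogging": False, "EventSelectors": [{"ReadWriteType": "All",
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]},
    {"Name": "writes-only", "IsLogging": True, "EventSelectors": [{"ReadWriteType": "WriteOnly",
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::backups/"]}]}]},
]

def audit_account():
    """Live variant using boto3 (assumes configured credentials with read-only access)."""
    import boto3
    s3, ct = boto3.client("s3"), boto3.client("cloudtrail")
    buckets = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    trails = [{"Name": t["Name"],
               "IsLogging": ct.get_trail_status(Name=t["TrailARN"])["IsLogging"],
               "EventSelectors": ct.get_event_selectors(TrailName=t["TrailARN"]).get("EventSelectors", [])}
              for t in ct.describe_trails()["trailList"]]
    return uncovered_buckets(buckets, trails)
```

With the sample data only app-data is covered: the trail that names every bucket is not logging, and the WriteOnly selector leaves reads of backups unrecorded.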
