Rule: All S3 Buckets Should Log S3 Data Events in CloudTrail

This rule ensures proper logging of S3 data events in CloudTrail for all S3 buckets.

Rule: All S3 buckets should log S3 data events in CloudTrail
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Medium

Rule Description

The rule requires that all Amazon Simple Storage Service (S3) buckets in an AWS account have logging enabled for S3 data events in AWS CloudTrail. This requirement is consistent with the NIST Cybersecurity Framework (CSF) version 1.

Troubleshooting Steps (if applicable)

If the logging for S3 data events in CloudTrail is not enabled for any S3 buckets, you can follow these troubleshooting steps:

  1. Verify the AWS account and permissions:

    • Ensure you have the necessary permissions to enable logging for S3 buckets. Typically, the required permissions are part of the AWS managed policy "CloudTrailReadOnlyAccess" or a custom policy with similar rights.
    • Confirm that you are using the correct AWS account that you intend to monitor.

  2. Confirm the CloudTrail configuration:

    • Validate the CloudTrail settings and confirm that CloudTrail is enabled for your AWS account.
    • Verify that the trail is logging the required data events. Ensure that S3 data events are included in the trail configuration.

  3. Check S3 bucket permissions:

    • Ensure that your AWS Identity and Access Management (IAM) user or role has sufficient permissions on the S3 buckets to enable logging.
    • Grant the proper AWS Glue or CloudTrail permissions to your IAM user or role.

  4. Verify the bucket policies:

    • Check the bucket policies to ensure that they are not explicitly disallowing logging or the permissions required for CloudTrail to function properly.

Necessary Code

No code is required for troubleshooting. However, to enable logging for S3 data events in CloudTrail, you can use the AWS Command Line Interface (CLI) or AWS Management Console.

Step-by-Step Guide for Remediation

To enable logging for S3 data events in CloudTrail, follow these steps:

  1. Using the AWS Management Console:

    • Log in to the AWS Management Console.
    • Navigate to the CloudTrail service.
    • Select the trail that you want to modify.
    • Click "Edit" to modify the trail settings.
    • Under the "Data events" section, make sure that "S3" is selected and the desired data events are checked.
    • Save the changes.

  2. Using the AWS CLI:

    • Install and configure the AWS CLI if you haven't already.
    • Open a terminal or command prompt.
    • Run the following command to enable logging for S3 data events in CloudTrail:

      aws cloudtrail put-event-selectors --trail-name <TRAIL_NAME> --event-selectors file://<JSON_FILE_PATH>

      Replace <TRAIL_NAME> with the name of the CloudTrail trail and <JSON_FILE_PATH> with the path to a JSON file containing the event selectors configuration. The JSON file should include a data resource of type AWS::S3::Object; the partial ARN "arn:aws:s3" matches every bucket in the account, which is what this rule requires. Note that put-event-selectors replaces the trail's existing event selectors, so set "IncludeManagementEvents" to true if the trail should keep logging management events.

      Example JSON file contents:

      [
        {
          "ReadWriteType": "All",
          "IncludeManagementEvents": false,
          "DataResources": [
            {
              "Type": "AWS::S3::Object",
              "Values": ["arn:aws:s3"]
            }
          ]
        }
      ]

      Save the file with the desired configuration, and provide its path in the command.

  3. Once the changes are saved in either the console or the CLI, CloudTrail will start logging the specified S3 data events for all relevant S3 buckets in the AWS account. Ensure that the settings are properly propagated and validated in CloudTrail, for example by reviewing the output of aws cloudtrail get-event-selectors --trail-name <TRAIL_NAME>.
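The check behind this rule can be automated against the output of aws cloudtrail get-event-selectors. The following is an added example, not Cloud Defense's or AWS's own code: it classifies a trail's S3 data-event coverage as all, partial or none from the classic event-selector shape used on this page (advanced event selectors are not handled), and builds the selector list for put-event-selectors from the remediation step above. The sample documents, the account ID 123456789012 and the trail name example-trail are constructed placeholders; the check treats both "arn:aws:s3" (the value AWS documents for all buckets) and the longer prefix "arn:aws:s3:::" as account-wide, since CloudTrail matches Values by prefix.

```python
"""Check a trail's S3 data-event coverage from `aws cloudtrail get-event-selectors` output.

Added example; not Cloud Defense's or AWS's own code. Parses the classic
(basic) event-selector shape shown on this page, not advanced event selectors.
The sample documents below are constructed; account ID and trail name are placeholders.
"""
import json

# Partial ARNs that are a prefix of every S3 object ARN, i.e. "every bucket in the account".
# "arn:aws:s3" is the value AWS documents; "arn:aws:s3:::" is accepted here as an equivalent prefix.
ALL_BUCKETS_PREFIXES = ("arn:aws:s3", "arn:aws:s3:::")


def evaluate_event_selectors(doc: dict) -> dict:
    """Classify S3 data-event coverage for one trail.

    coverage is "all" (reads and writes for every bucket), "partial" (only some
    buckets, or only one direction account-wide) or "none". An empty Values list
    names no bucket and is treated conservatively as no coverage.
    """
    reads_all = writes_all = False
    explicit = set()  # bucket or prefix ARNs listed individually
    for selector in doc.get("EventSelectors", []):
        rw_type = selector.get("ReadWriteType", "All")
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            for value in resource.get("Values", []):
                if value in ALL_BUCKETS_PREFIXES:
                    reads_all |= rw_type in ("All", "ReadOnly")
                    writes_all |= rw_type in ("All", "WriteOnly")
                else:
                    explicit.add(value)
    if reads_all and writes_all:
        coverage = "all"
    elif reads_all or writes_all or explicit:
        coverage = "partial"
    else:
        coverage = "none"
    return {
        "trail": doc.get("TrailARN", "<unknown>"),
        "coverage": coverage,
        "reads_all_buckets": reads_all,
        "writes_all_buckets": writes_all,
        "explicit_resources": sorted(explicit),
        "compliant": coverage == "all",
    }


def remediation_event_selectors(include_management_events: bool = True) -> list:
    """Build the selector list to write to the file passed as file://<JSON_FILE_PATH>.

    PutEventSelectors replaces the trail's existing selectors, so management
    events are kept on by default here rather than silently dropped.
    """
    return [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": include_management_events,
        "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}],
    }]


TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail"  # constructed placeholder


def _doc(*selectors: dict) -> dict:
    """Constructed get-event-selectors output wrapping the given selectors."""
    return {"TrailARN": TRAIL_ARN, "EventSelectors": list(selectors)}


def _s3(rw_type: str, values: list, management: bool = True) -> dict:
    return {"ReadWriteType": rw_type, "IncludeManagementEvents": management,
            "DataResources": [{"Type": "AWS::S3::Object", "Values": values}]}


# Constructed samples, one per situation the check distinguishes.
SAMPLE_ALL_BUCKETS = _doc(_s3("All", ["arn:aws:s3"]))
SAMPLE_SPLIT_DIRECTIONS = _doc(_s3("ReadOnly", ["arn:aws:s3"]),
                               _s3("WriteOnly", ["arn:aws:s3:::"], management=False))
SAMPLE_ONE_BUCKET = _doc(_s3("All", ["arn:aws:s3:::example-logs-bucket/"]))
SAMPLE_MANAGEMENT_ONLY = _doc({"ReadWriteType": "All", "IncludeManagementEvents": True,
                               "DataResources": []})

if __name__ == "__main__":
    samples = [("all buckets", SAMPLE_ALL_BUCKETS), ("split directions", SAMPLE_SPLIT_DIRECTIONS),
               ("one bucket", SAMPLE_ONE_BUCKET), ("management only", SAMPLE_MANAGEMENT_ONLY)]
    for name, doc in samples:
        verdict = evaluate_event_selectors(doc)
        print(f"{name:18s} coverage={verdict['coverage']:8s} compliant={verdict['compliant']}")
    print(json.dumps(remediation_event_selectors(), indent=2))
```

In practice the input document is what `aws cloudtrail get-event-selectors --trail-name <TRAIL_NAME>` returns for each trail; a trail is compliant with this rule only when the verdict is "all", and a "partial" verdict with explicit resources tells you which buckets or prefixes the trail already names.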

By following these steps, you will enable logging for S3 data events in CloudTrail, ensuring compliance with the NIST Cybersecurity Framework (CSF) version 1.
