Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within an target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.

Risk Level: Low
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.LOG.05
Category: Storage


S3Bucket where policy.Statement contain [Principal.Service='cloudtrail.amazonaws.com'] should have logging.enabled='true'


From Portal

  1. Sign in to the AWS Management Console and Navigate to Amazon S3 console.
  2. Click on the name of the associated S3 bucket that you want to update.
  3. Select the Properties tab from the console menu to access the bucket properties.
  4. In the Server access logging section, choose Edit to modify the feature configuration.
  5. On the Edit server access logging page, perform the following actions:
    a. Choose Enable under Server access logging to enable the Server Access Logging feature for the selected Amazon S3 bucket.
    b. For Target bucket, choose Browse S3 and select the name of the destination bucket and folder for the access logs. You should not use the same bucket for log storage. When your source bucket and destination (target) bucket are the same, additional logs are created for the logs that are written to the bucket. These extra logs can increase your storage billing and make it harder to find the logs that you are looking for.
    c. Choose Save changes to apply the configuration changes. Once the feature is enabled, Amazon S3 console will automatically update your bucket access control list (ACL) to include access to the S3 log delivery group.

From TF

resource "aws_s3_bucket" "cloudtrail_bucket" {
	bucket = "BUCKET_NAME"
	logging {
	target_bucket = "${TARGET_BUCKET_NAME}"
		target_prefix = "KEY_PREFIX"
	other required fields here

Note: Terraform logging configuration block supports the following arguments:
target_bucket - (Required) The name of the bucket that will receive the log objects.
target_prefix - (Optional) To specify a key prefix for log objects.

From Command Line
Use following command to enable Bucket Logging:

aws s3api put-bucket-logging --bucket BUCKET_NAME --bucket-logging-status file://logging.json

Note: Logging.json is a JSON document in the current folder that contains the logging configuration. For more information follow the reference section.


  1. https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-acl.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/index.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard S3 Bucket Security
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0