Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible without a condition

CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access.

Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.LOG.08
Category: Storage

GSL LOGIC

S3Bucket where policy.Statement contain [Principal.Service='cloudtrail.amazonaws.com'] should not have ( acl.grants contain [uri like 'http://acs.amazonaws.com/groups/global/%'] or policy.Statement with [Effect='Allow' and (Principal='*' or Principal.AWS='*') and Condition isEmpty()])
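
The same logic expressed as a check over a bucket's policy document and ACL grants (the structures returned by `get-bucket-policy` and `get-bucket-acl`); this is an added example, not CloudGuard's own code, and the bucket name in the constructed sample is a placeholder:

```python
# Added example (not CloudGuard's code): the rule's logic as a check over a bucket
# policy document and its ACL grants, as returned by get-bucket-policy / get-bucket-acl.
GLOBAL_GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"

def _as_list(value):
    # Policy fields may be a single value or a list; normalise to a list
    return [] if value is None else (value if isinstance(value, list) else [value])

def _is_cloudtrail_bucket(statements):
    # The rule only applies to buckets that grant the CloudTrail service principal
    return any(isinstance(s.get("Principal"), dict)
               and CLOUDTRAIL_SERVICE in _as_list(s["Principal"].get("Service"))
               for s in statements)

def _is_wildcard_principal(principal):
    # Matches Principal='*' and Principal.AWS='*', the two public forms in the rule
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def public_access_findings(policy, acl_grants):
    """Return why the bucket violates D9.AWS.LOG.08; an empty list means compliant."""
    statements = _as_list(policy.get("Statement"))
    if not _is_cloudtrail_bucket(statements):
        return []
    findings = []
    for grant in acl_grants:  # ACL grants to the global AllUsers/AuthenticatedUsers groups
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri.startswith(GLOBAL_GROUP_PREFIX):
            findings.append(f"ACL grants {grant.get('Permission')} to {uri}")
    for s in statements:  # Allow to everyone with no Condition at all
        if (s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal"))
                and not s.get("Condition")):
            findings.append(f"statement {s.get('Sid', '?')} allows Principal '*' with no Condition")
    return findings

# Constructed sample (bucket name is a placeholder): a CloudTrail write grant next to
# an unconditional public-read statement, plus an AllUsers ACL grant.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": CLOUDTRAIL_SERVICE}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::EXAMPLE-TRAIL-BUCKET/AWSLogs/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::EXAMPLE-TRAIL-BUCKET/*"},
]}
SAMPLE_ACL = [{"Grantee": {"Type": "Group", "URI": GLOBAL_GROUP_PREFIX + "AllUsers"},
               "Permission": "READ"}]
```

Running `public_access_findings(SAMPLE_POLICY, SAMPLE_ACL)` reports both the ACL grant and the unconditional public statement; adding a Condition to the statement and removing the ACL grant returns an empty list.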

REMEDIATION

From Portal
Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:

  1. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home
  2. Click on the bucket used to store CloudTrail logs and select the Permissions tab.
  3. Ensure block public access is enabled for that bucket.
  4. Then go to the Access Control List section. It shows a list of grants, one row per grant, in the bucket ACL; each row identifies the grantee and the permissions granted.
  5. Select the row that grants permission to Everyone or Any Authenticated User.
  6. Uncheck all the permissions granted to Everyone or Any Authenticated User (click x to delete the row).
  7. Click Save to save the ACL.
  8. If the Edit bucket policy button is present, click it.
  9. Remove any Statement having an Effect set to Allow and a Principal set to '*' or {'AWS' : '*'}.

From TF
Add a policy document with the required permissions and an appropriate condition, as follows:

data "aws_iam_policy_document" "example" {
	...
	statement {
		effect = "Allow"
		
		actions = [
		REQUIRED_ACTIONS
		]
		principals {
			REQUIRED_PRINCIPALS
		}
		
		resources = [
		"S3_BUCKET_ARN",
		]
		
		condition {
			test     = TEST
			variable = CONTEXT_VARIABLE
			
			values = [
			VALUES
			]
		}
	}
	...
}

From Command Line
To add a policy with the required permissions and an appropriate condition, run:

aws s3api put-bucket-policy --bucket BUCKET_NAME --policy file://policy.json

References

  1. https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
  2. https://registry.terraform.io/providers/hashicorp/aws/3.3.0/docs/data-sources/iam_policy_document
  3. https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
  4. https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CCPA Framework
  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard S3 Bucket Security
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0