S3 bucket should have server access logging enabled
Turn on logging on all of your buckets so that you can make sure that all changes are logged and trackable.
Risk Level: Low
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.LOG.12
Category: Storage
GSL LOGIC
S3Bucket should have logging.enabled=true
REMEDIATION
From Portal
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon S3 console.
- Navigate to the Bucket name list.
- To enable server access logging for a bucket, select the name of the bucket.
- Click Properties.
- Click Server access logging. For the target, select the name of the bucket that you want to receive the log record objects.
- Click Enable Logging.
Note: The target bucket must be in the same Region as the source bucket and must not have a default retention period configuration.
From TF
resource "aws_s3_bucket" "example_bucket" {
  bucket = "example-bucket"

  # Inline logging block (AWS provider v3). In provider v4 and later this block is
  # deprecated in favour of the separate aws_s3_bucket_logging resource.
  logging {
    target_bucket = "s3_bucket_id" # name of the bucket that receives the log objects
    target_prefix = "log/"
  }

  # other required fields here
}
From Command Line
- Run the following to check the bucket's logging status.
aws s3api get-bucket-logging --bucket S3_BUCKET
- Run the following command to enable logging.
aws s3api put-bucket-logging --bucket S3_BUCKET --bucket-logging-status file://logging.json
Note: logging.json is a JSON document in the current folder that contains the logging policy.
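The following is an added example, not CloudGuard's or AWS's own code. It applies the GSL condition (`logging.enabled=true`) to the output of `aws s3api get-bucket-logging` and builds the logging.json document that `put-bucket-logging` expects. All bucket names are constructed placeholders, and the sample responses are constructed in the shape the API returns; the self-logging check reflects the AWS guidance that a bucket should not log into itself.

```python
"""Evaluate S3 server access logging status and build the logging.json payload.

Added example for rule D9.AWS.LOG.12; not CloudGuard's or AWS's code.
Bucket names below are constructed placeholders.
"""
import json

# Constructed sample responses in the shape returned by
# `aws s3api get-bucket-logging` / boto3 get_bucket_logging.
# When logging is disabled the CLI prints nothing at all and boto3 returns
# no "LoggingEnabled" key, so an empty dict stands for that case here.
SAMPLE_RESPONSES = {
    "example-bucket": {
        "LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "log/"}
    },
    "quiet-bucket": {},  # logging disabled
    "self-logging-bucket": {
        "LoggingEnabled": {"TargetBucket": "self-logging-bucket", "TargetPrefix": ""}
    },
}


def parse_cli_output(stdout: str) -> dict:
    """get-bucket-logging prints an empty body when logging is off, which would
    make json.loads fail in a pipeline; treat blank output as 'not configured'."""
    stdout = stdout.strip()
    return json.loads(stdout) if stdout else {}


def logging_enabled(response: dict) -> bool:
    """GSL 'S3Bucket should have logging.enabled=true': a bucket passes only if
    the response carries a LoggingEnabled block naming a target bucket."""
    cfg = response.get("LoggingEnabled") or {}
    return bool(cfg.get("TargetBucket"))


def find_noncompliant(responses: dict) -> list:
    """Bucket names that fail the rule, sorted for stable reporting."""
    return sorted(name for name, resp in responses.items() if not logging_enabled(resp))


def find_self_logging(responses: dict) -> list:
    """Buckets whose log target is the bucket itself: logging is technically
    enabled, but every delivered log object generates further log records."""
    return sorted(
        name for name, resp in responses.items()
        if logging_enabled(resp) and resp["LoggingEnabled"]["TargetBucket"] == name
    )


def build_logging_status(target_bucket: str, target_prefix: str = "log/") -> str:
    """Serialise the document passed as --bucket-logging-status file://logging.json."""
    doc = {"LoggingEnabled": {"TargetBucket": target_bucket, "TargetPrefix": target_prefix}}
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_RESPONSES):
        print(f"{name}: logging disabled; write this to logging.json, then run")
        print(f"  aws s3api put-bucket-logging --bucket {name} "
              f"--bucket-logging-status file://logging.json")
        print(build_logging_status("example-log-bucket"))
    for name in find_self_logging(SAMPLE_RESPONSES):
        print(f"{name}: warning, bucket logs into itself; choose a separate target bucket")
```

To use this against a real account, feed the stdout of `aws s3api get-bucket-logging --bucket NAME` to `parse_cli_output` for each bucket; the empty-output case is the one that most often breaks ad-hoc audit scripts.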
References
- http://docs.aws.amazon.com/AmazonS3/latest/user-guide/server-access-logging.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-logging
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-acl.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html
Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
Compliance Frameworks
- AWS CSA CCM v.3.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard S3 Bucket Security
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS GDPR Readiness
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0