S3 bucket should have server access logging enabled

Turn on logging on all of your buckets so that you can make sure that all changes are logged and trackable.

Risk Level: Low
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.LOG.12
Category: Storage

GSL LOGIC

S3Bucket should have logging.enabled=true

REMEDIATION

From Portal

  1. Login to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon S3 console.
  3. Navigate to the Bucket name list.
  4. To enable server access logging for a bucket, select the name of the bucket.
  5. Click Properties.
  6. Click Server access logging. For the target, select the name of the bucket that you want to receive the log record objects.
  7. Click Enable Logging.
    Note: The target bucket must be in the same Region as the source bucket and must not have a default retention period configuration.

From TF

resource "aws_s3_bucket" "example_bucket" {
	bucket = "example-bucket"
	logging {
		target_bucket = "s3_bucket_id"
		target_prefix = "log/"
	}
	other required fields here
}

From Command Line

  1. Run the following to check Bucket logging status.
aws s3api get-bucket-logging --bucket S3_BUCKET
  1. Run the following command to enable logging.
aws s3api put-bucket-logging --bucket S3_BUCKET --bucket-logging-status file://logging.json

Note: Logging.json is a JSON document in the current folder that contains the logging policy

References

  1. http://docs.aws.amazon.com/AmazonS3/latest/user-guide/server-access-logging.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-logging
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-acl.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard S3 Bucket Security
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS GDPR Readiness
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0