Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

MEDIUM

Description

Description:

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

Rationale:

By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.

Remediation

Perform the following to enable S3 bucket logging:

From Console:

Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
Under 'All Buckets' click on the target S3 bucket
Click on 'Properties' in the top right of the console
Under 'Bucket:' <s3_bucket_for_cloudtrail> click on 'Logging'
Configure bucket logging

Click on 'Enabled' checkbox
Select Target Bucket from list
Enter a Target Prefix

Click 'Save'.

Policy Details

Rule Reference ID: AC_AWS_0434

CSP: AWS

Remediation Available: Yes

Domain: Logging and Monitoring

Resource: aws_s3_bucket

Resource Category: Storage

Resource Type: S3 Bucket

Frameworks

SOC2
NIST-CSF
NIST-800-171
NIST-800-53
ISO-27001
CIS Amazon Web Services Foundations v1.3.0 Level 1
CIS Amazon Web Services Foundations v1.4.0 Level 1

Detections

Analytics