AWS S3 CloudTrail Buckets For Which Access Logging Is Disabled

This policy identifies S3 CloudTrail buckets for which access logging is disabled. S3 bucket access logging generates an access record for each request made to your S3 bucket. An access log record contains information such as the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

Policy Details

Policy Subtype
Run, Build
Severity
Low
Template Type
Terraform, CloudFormation

Build Rules

AWS S3 CloudTrail buckets for which access logging is disabled.
JSON Queries:
CloudFormation
$.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.LoggingConfiguration any null
Terraform
$.resource[*].aws_s3_bucket exists and ($.resource[*].aws_s3_bucket[*].*[*].logging anyNull)
Recommendations:
  • CloudFormation
    Recommended solution for enabling access logging on AWS S3 CloudTrail buckets.
    It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. Make sure your template has a "LoggingConfiguration" block under the S3 bucket configuration.
    For example:
    "LoggingBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "LogDeliveryWrite",
        "LoggingConfiguration": {
          "DestinationBucketName": {"Ref": "LoggingBucket"},
          "LogFilePrefix": "testing-logs"
        }
      }
    }
  • Terraform
    Recommended solution for enabling access logging on AWS S3 CloudTrail buckets.
    It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. To do so, make sure your template has the logging attribute under the S3 bucket definition.
    For example:
    "logging": [
      {
        "target_bucket": "${aws_s3_bucket.log_bucket.id}",
        "target_prefix": "loga/"
      }
    ]
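The two JSON queries above can be reproduced in plain Python, which makes it easier to see exactly what the build rule matches. Note that neither query looks at the trail itself: every AWS::S3::Bucket (or aws_s3_bucket) resource in the template is checked for a missing or null logging block, not only the bucket the trail writes to. The following is an added example, not Prisma Cloud's own code; the two templates are constructed samples, and the Terraform document mirrors the nested list layout the `$.resource[*].aws_s3_bucket[*].*[*].logging` path implies, which is an assumption about how the HCL is converted to JSON.

```python
import copy
from typing import Any, Dict, List

# Constructed CloudFormation template: the CloudTrail bucket has no
# LoggingConfiguration (non-compliant); the log bucket has one.
CFN_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "TrailBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-cloudtrail-bucket"},
        },
        "LoggingBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "LogDeliveryWrite",
                "LoggingConfiguration": {
                    "DestinationBucketName": {"Ref": "LoggingBucket"},
                    "LogFilePrefix": "testing-logs",
                },
            },
        },
        "Trail": {
            "Type": "AWS::CloudTrail::Trail",
            "Properties": {"S3BucketName": {"Ref": "TrailBucket"}},
        },
    }
}

# Constructed Terraform-as-JSON document in the shape the query path
# $.resource[*].aws_s3_bucket[*].<name>[*].logging walks (assumed layout):
# one bucket without a logging attribute and one with it.
TF_JSON: Dict[str, Any] = {
    "resource": [
        {
            "aws_s3_bucket": [
                {"trail_bucket": [{"bucket": "example-cloudtrail-bucket"}]},
                {
                    "log_bucket": [
                        {
                            "bucket": "example-access-logs",
                            "logging": [
                                {
                                    "target_bucket": "${aws_s3_bucket.log_bucket.id}",
                                    "target_prefix": "logs/",
                                }
                            ],
                        }
                    ]
                },
            ]
        }
    ]
}


def unlogged_cfn_buckets(template: Dict[str, Any]) -> List[str]:
    """Logical IDs of AWS::S3::Bucket resources whose LoggingConfiguration
    is absent or null (the CloudFormation query's 'any null' condition)."""
    findings: List[str] = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        if props.get("LoggingConfiguration") is None:
            findings.append(logical_id)
    return findings


def unlogged_tf_buckets(tf: Dict[str, Any]) -> List[str]:
    """Names of aws_s3_bucket resources with no logging attribute
    (the Terraform query's 'anyNull' condition)."""
    findings: List[str] = []
    for block in tf.get("resource", []):
        for bucket_map in block.get("aws_s3_bucket", []):
            for name, instances in bucket_map.items():
                for props in instances:
                    if props.get("logging") is None:
                        findings.append(name)
    return findings


def with_cfn_logging(template: Dict[str, Any], logical_id: str,
                     dest_bucket_ref: str, prefix: str) -> Dict[str, Any]:
    """Return a copy of the template in which the named bucket delivers its
    access logs to dest_bucket_ref (a logical ID) under prefix; this is the
    remediated form the CloudFormation recommendation describes."""
    fixed = copy.deepcopy(template)
    props = fixed["Resources"][logical_id].setdefault("Properties", {})
    props["LoggingConfiguration"] = {
        "DestinationBucketName": {"Ref": dest_bucket_ref},
        "LogFilePrefix": prefix,
    }
    return fixed


if __name__ == "__main__":
    print("CloudFormation findings:", unlogged_cfn_buckets(CFN_TEMPLATE))
    print("Terraform findings:", unlogged_tf_buckets(TF_JSON))
    fixed = with_cfn_logging(CFN_TEMPLATE, "TrailBucket", "LoggingBucket", "cloudtrail-access/")
    print("After remediation:", unlogged_cfn_buckets(fixed))
```

Running the script reports `TrailBucket` and `trail_bucket` as findings, and an empty list for the remediated CloudFormation template. The checker treats an explicit `"LoggingConfiguration": null` the same as a missing key, matching the query's null test.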

Run Rule Recommendation

  1. Login to the AWS Console and navigate to the 'S3' service.
  2. Click on the S3 bucket that was reported.
  3. Click on the 'Properties' tab.
  4. Under the 'Server access logging' section, select 'Enable logging' option.

Compliance

There are 11 standards that are applicable to this policy:
  • PIPEDA
  • CIS v1.2.0 (AWS)
  • NIST CSF
  • GDPR
  • NIST 800-171 Rev1
  • MITRE ATT&CK [Beta]
  • NIST 800-53 Rev4
  • SOC 2
  • CSA CCM v3.0.1
  • HITRUST CSF v9.3
  • CCPA 2018