AWS CloudTrail Bucket Is Publicly Accessible

This policy identifies publicly accessible S3 buckets that store CloudTrail data. These buckets contain sensitive audit data, and only authorized users and applications should have access to them.

Policy Details

Policy Subtype
Run, Build
Severity
High
Template Type
Terraform

Build Rules

AWS CloudTrail bucket is publicly accessible.
JSON Query:
$.resource[*].aws_cloudtrail exists and $.resource[*].aws_cloudtrail[*].*[*].s3_bucket_name equals $.resource[*].aws_s3_bucket_public_access_block[*].*[*].bucket and ($.resource[*].aws_s3_bucket_public_access_block[*].*[*].block_public_acls isFalse or $.resource[*].aws_s3_bucket_public_access_block[*].*[*].block_public_policy isFalse)
Recommendation:
Recommended solution to disable public access to AWS S3 CloudTrail buckets.
It is recommended that the S3 bucket not have public access. To do so, make sure your template has an "aws_s3_bucket_public_access_block" block defined for the CloudTrail bucket, with the "block_public_acls" attribute set to true. The query above also flags the bucket when "block_public_policy" is false, so set both attributes to true.
For example:
{
  "aws_s3_bucket_public_access_block": [
    {
      "<s3_bucket_name>": [
        {
          "block_public_acls": true,
          "block_public_policy": true,
          "bucket": "${aws_s3_bucket.<s3_bucket_name>.id}"
        }
      ]
    }
  ]
}
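The following is an added example, not Prisma Cloud's evaluator or part of this policy page. It re-implements the build rule's JSON query logic in Python over the same array-of-objects JSON shape the page uses for Terraform resources, so you can run the check offline against a converted template. The sample templates are constructed for this example; the helper names and the treatment of "${aws_s3_bucket.<name>.id}" references as bucket labels are assumptions of this example.

```python
"""Offline check for the 'AWS CloudTrail bucket is publicly accessible' build rule.

Added example (not Prisma Cloud code). Walks the JSON shape the policy query addresses:
  $.resource[*].aws_cloudtrail[*].*[*].s3_bucket_name
  $.resource[*].aws_s3_bucket_public_access_block[*].*[*].{bucket,block_public_acls,block_public_policy}
"""
import re

# Assumed template shape: {"resource": [{"<type>": [{"<name>": [{...attrs...}]}]}]}
def _blocks(template, resource_type):
    """Yield (name, body) for every resource of resource_type in the template."""
    for res in template.get("resource", []):
        for entry in res.get(resource_type, []):
            for name, bodies in entry.items():
                for body in bodies:
                    yield name, body


def _bucket_label(value):
    """Normalise a bucket reference to a label so references and literals compare.

    Assumption of this example: "${aws_s3_bucket.trail.id}" -> "trail";
    any other string (e.g. a literal bucket name) is returned unchanged.
    """
    m = re.fullmatch(r"\$\{aws_s3_bucket\.([^.}]+)\.(id|bucket)\}", str(value))
    return m.group(1) if m else str(value)


def _cloudtrail_bucket_labels(template):
    return {
        _bucket_label(body["s3_bucket_name"])
        for _, body in _blocks(template, "aws_cloudtrail")
        if "s3_bucket_name" in body
    }


def find_public_cloudtrail_buckets(template):
    """Names of public-access-block resources that cover a CloudTrail bucket but leave
    block_public_acls or block_public_policy false. This mirrors the page's query."""
    trail_buckets = _cloudtrail_bucket_labels(template)
    findings = []
    for name, body in _blocks(template, "aws_s3_bucket_public_access_block"):
        if _bucket_label(body.get("bucket", "")) not in trail_buckets:
            continue
        if body.get("block_public_acls") is False or body.get("block_public_policy") is False:
            findings.append(name)
    return findings


def cloudtrail_buckets_without_block(template):
    """Stricter companion check (this example's addition, not the page's query):
    CloudTrail buckets that have no aws_s3_bucket_public_access_block resource at all."""
    covered = {
        _bucket_label(body.get("bucket", ""))
        for _, body in _blocks(template, "aws_s3_bucket_public_access_block")
    }
    return sorted(_cloudtrail_bucket_labels(template) - covered)


def _template(block_attrs):
    """Build a constructed sample template; block_attrs=None omits the access block."""
    resources = [
        {"aws_s3_bucket": [{"trail": [{"bucket": "example-cloudtrail-logs"}]}]},
        {"aws_cloudtrail": [{"main": [
            {"name": "main", "s3_bucket_name": "${aws_s3_bucket.trail.id}"}]}]},
    ]
    if block_attrs is not None:
        resources.append({"aws_s3_bucket_public_access_block": [{"trail": [
            {"bucket": "${aws_s3_bucket.trail.id}", **block_attrs}]}]})
    return {"resource": resources}


# Constructed samples: compliant, non-compliant (policy not blocked), and missing block.
COMPLIANT = _template({"block_public_acls": True, "block_public_policy": True,
                       "ignore_public_acls": True, "restrict_public_buckets": True})
NONCOMPLIANT = _template({"block_public_acls": True, "block_public_policy": False})
MISSING_BLOCK = _template(None)

if __name__ == "__main__":
    for label, tpl in [("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT),
                       ("missing", MISSING_BLOCK)]:
        print(label, find_public_cloudtrail_buckets(tpl), cloudtrail_buckets_without_block(tpl))
```

The second function is worth keeping in a pipeline: the page's query only matches a CloudTrail bucket that has a public-access-block resource with a false setting, so a template that omits the block entirely would not be caught by that query alone.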

Run Rule Recommendation

  1. Login to the AWS Console.
  2. Navigate to the 'S3' service.
  3. Click on the 'S3' resource reported in the alert.
  4. Click on the 'Permissions'.
  5. If 'Access Control List' is set to 'Public', follow the steps below.
    a. Under 'Access Control List', click on 'Everyone' and uncheck all items
    b. Click on Save
  6. If 'Bucket Policy' is set to public, follow the steps below.
    a. Under 'Bucket Policy', modify the policy to remove public access
    b. Click on Save
    c. If the 'Bucket Policy' is not required, delete the existing 'Bucket Policy'.
    Note:
    Make sure updating 'Access Control List' or 'Bucket Policy' does not affect S3 bucket data access.
Remediation CLI Command:
aws s3api put-bucket-acl --acl private --bucket ${resourceName}
CLI Command Description:
This CLI command requires the 's3:PutBucketAcl' permission. Successful execution resets this CloudTrail bucket's ACL (Access Control List) to private, so that only the bucket owner has full privileges. Note that this command changes only the ACL; a public 'Bucket Policy' (step 6 above) must still be modified or removed separately.

Compliance

There are 12 standards that are applicable to this policy:
  • PIPEDA
  • NIST 800-171 Rev1
  • NIST CSF
  • NIST 800-53 Rev4
  • ISO 27001:2013
  • HITRUST CSF v9.3
  • CIS v1.2.0 (AWS)
  • GDPR
  • CSA CCM v3.0.1
  • SOC 2
  • MITRE ATT&CK [Beta]
  • CCPA 2018
