CloudTrail S3 Bucket Logging Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CT-002

Ensure that the S3 buckets associated with your CloudTrail trails (i.e. the trails' target buckets) have the S3 Server Access Logging feature enabled, so that every request made against those buckets is recorded. The resulting access logs are useful for AWS cloud security audits.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Because CloudTrail buckets store sensitive audit data, they must be protected from unauthorized access. With server access logging enabled you can track every request made against the target buckets, and you can restrict who is allowed to alter or delete the access logs, so that a user cannot cover their tracks.

Audit

To determine if server access logging is enabled for your CloudTrail buckets, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name of the Amazon CloudTrail trail that you want to examine.

05 In the General details section, choose Edit and copy the name of the associated S3 bucket available in the Trail log bucket name box.

06 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

07 Paste the name of the bucket copied at step no. 5 in the Find buckets by name box and click on the name of the returned S3 bucket to access the bucket configuration settings.

08 Select the Properties tab from the console menu to access the bucket properties.

09 In the Server access logging section, check the Server access logging configuration attribute value. If the attribute value is set to Disabled, access logging is not enabled for the S3 bucket associated with the selected Amazon CloudTrail trail.

10 Repeat steps no. 4 – 9 for each Amazon CloudTrail trail created for your AWS cloud account.

Using AWS CLI

01 Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

aws cloudtrail list-trails \
  --region us-east-1 \
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names:

[
	"cc-main-cloud-trail",
	"cc-project5-api-trail",
	"cc-data-events-trail"
]

03 Run describe-trails command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to describe the name of the S3 bucket configured to store logs for the selected trail:

aws cloudtrail describe-trails \
  --region us-east-1 \
  --trail-name-list cc-main-cloud-trail \
  --query 'trailList[*].S3BucketName'

04 The command output should return the name of the associated bucket:

[
	"cc-main-cloudtrail-logs"
]

05 Run get-bucket-logging command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket returned at the previous step as the identifier parameter to describe the configuration of the Server Access Logging feature available for the selected S3 bucket:

aws s3api get-bucket-logging \
  --bucket cc-main-cloudtrail-logs \
  --query 'LoggingEnabled'

06 The command output should return the requested configuration information:

null

If the get-bucket-logging command output returns null, as shown in the example above, access logging is not enabled for the S3 bucket associated with the selected Amazon CloudTrail trail.

07 Repeat steps no. 3 – 6 for each Amazon CloudTrail trail created for your AWS cloud account.
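The same audit as a script, added here as an example (it is not code from the Conformity page): it runs the list-trails, describe-trails and get-bucket-logging sequence above across all trails and also flags a trail bucket that logs into itself. The clients are injected so the logic runs against the constructed fakes below; the trail and bucket names are taken from the CLI output above and the account id is a placeholder.

```python
# Added example, not code from the Conformity page: the audit steps above as a boto3
# script. Clients are passed in so the logic also runs against the constructed fakes
# below; the __main__ branch runs it for real with the caller's AWS credentials.
from typing import Any, Dict, List, Optional

def logging_target(resp: Dict[str, Any]) -> Optional[str]:
    """TargetBucket from a GetBucketLogging response, or None when server access
    logging is disabled (the API omits 'LoggingEnabled'; the CLI prints null)."""
    return (resp.get("LoggingEnabled") or {}).get("TargetBucket")

def audit_trails(cloudtrail: Any, s3: Any) -> List[Dict[str, Any]]:
    """One finding per trail. FAIL: no access logging on the trail bucket (CT-002).
    WARN: the bucket logs into itself, the loop the console steps warn against."""
    arns = [t["TrailARN"] for t in cloudtrail.list_trails().get("Trails", [])]
    trails = cloudtrail.describe_trails(trailNameList=arns)["trailList"] if arns else []
    findings = []
    for trail in trails:
        bucket = trail.get("S3BucketName")
        target = logging_target(s3.get_bucket_logging(Bucket=bucket)) if bucket else None
        status = "FAIL" if target is None else "WARN" if target == bucket else "PASS"
        findings.append({"trail": trail["Name"], "bucket": bucket, "target": target, "status": status})
    return findings

# Constructed sample data mirroring the CLI output above (the account id is a placeholder).
TRAILS = {"cc-main-cloud-trail": "cc-main-cloudtrail-logs",          # no access logging
          "cc-project5-api-trail": "cc-project5-trail-bucket",        # logs to another bucket
          "cc-data-events-trail": "cc-data-events-logs"}              # logs into itself
LOGGING = {"cc-project5-trail-bucket": {"LoggingEnabled": {"TargetBucket": "cc-project5-logging-bucket"}},
           "cc-data-events-logs": {"LoggingEnabled": {"TargetBucket": "cc-data-events-logs"}}}

class FakeCloudTrail:
    def list_trails(self, **kwargs):
        return {"Trails": [{"Name": n, "TrailARN": f"arn:aws:cloudtrail:us-east-1:111122223333:trail/{n}"}
                           for n in TRAILS]}
    def describe_trails(self, **kwargs):
        return {"trailList": [{"Name": n, "S3BucketName": b} for n, b in TRAILS.items()]}

class FakeS3:
    def get_bucket_logging(self, Bucket):
        return LOGGING.get(Bucket, {})  # unknown bucket -> {} -> logging disabled

def demo() -> List[Dict[str, Any]]:
    return audit_trails(FakeCloudTrail(), FakeS3())

if __name__ == "__main__":
    import boto3  # real run: needs cloudtrail:ListTrails/DescribeTrails and s3:GetBucketLogging
    for f in audit_trails(boto3.client("cloudtrail"), boto3.client("s3")):
        print(f"{f['status']:<4} {f['trail']}: bucket={f['bucket']} log-target={f['target']}")
```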

Remediation / Resolution

To enable access logging for the S3 buckets associated with your Amazon CloudTrail trails, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Parameters": {
		"CloudTrailName": {
			"Type": "String"
		},
		"CloudTrailBucketName": {
			"Type": "String"
		},
		"CloudTrailBucketPrefix": {
			"Type": "String"
		},
		"LoggingBucketName": {
			"Type": "String"
		},
		"LoggingBucketPrefix": {
			"Type": "String"
		}
	},
	"Resources": {
		"LoggingBucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": {
					"Ref": "LoggingBucketName"
				},
				"AccessControl": "LogDeliveryWrite"
			}
		},
		"CloudTrailBucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": {
					"Ref": "CloudTrailBucketName"
				},
				"AccessControl": "Private",
				"PublicAccessBlockConfiguration": {
					"BlockPublicAcls": true,
					"IgnorePublicAcls": true,
					"BlockPublicPolicy": true,
					"RestrictPublicBuckets": true
				},
				"VersioningConfiguration": {
					"Status": "Enabled"
				},
				"LoggingConfiguration": {
					"DestinationBucketName": {
						"Ref": "LoggingBucket"
					},
					"LogFilePrefix": {
						"Ref": "LoggingBucketPrefix"
					}
				}
			}
		},
		"CloudTrail": {
			"Type": "AWS::CloudTrail::Trail",
			"Properties": {
				"TrailName": {
					"Ref": "CloudTrailName"
				},
				"S3BucketName": {
					"Ref": "CloudTrailBucketName"
				},
				"S3KeyPrefix": {
					"Ref": "CloudTrailBucketPrefix"
				},
				"IsMultiRegionTrail": true,
				"EventSelectors": [
					{
						"DataResources": [
							{
								"Type": "AWS::S3::Object",
								"Values": [
									"arn:aws:s3"
								]
							}
						],
						"ReadWriteType": "All",
						"IncludeManagementEvents": true
					}
				],
				"IsLogging": true
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CloudTrailName:
    Type: String
  CloudTrailBucketName:
    Type: String
  CloudTrailBucketPrefix:
    Type: String
  LoggingBucketName:
    Type: String
  LoggingBucketPrefix:
    Type: String
Resources:
  LoggingBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref 'LoggingBucketName'
      AccessControl: LogDeliveryWrite
  CloudTrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref 'CloudTrailBucketName'
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref 'LoggingBucket'
        LogFilePrefix: !Ref 'LoggingBucketPrefix'
  CloudTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      TrailName: !Ref 'CloudTrailName'
      S3BucketName: !Ref 'CloudTrailBucketName'
      S3KeyPrefix: !Ref 'CloudTrailBucketPrefix'
      IsMultiRegionTrail: true
      EventSelectors:
        - DataResources:
            - Type: AWS::S3::Object
              Values:
                - arn:aws:s3
          ReadWriteType: All
          IncludeManagementEvents: true
      IsLogging: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Destination bucket for the S3 server access logs. Keep it separate from the
# trail bucket; a bucket that logs into itself generates logs about its own logs.
resource "aws_s3_bucket" "logging-bucket" {
	bucket = "cc-project5-logging-bucket"
}

# The log-delivery-write canned ACL requires ACLs to be enabled on the bucket.
# New buckets default to BucketOwnerEnforced (ACLs disabled), so set ownership first.
resource "aws_s3_bucket_ownership_controls" "logging-bucket" {
	bucket = aws_s3_bucket.logging-bucket.id
	rule {
		object_ownership = "ObjectWriter"
	}
}

# Grants the S3 log delivery group write access to the destination bucket
# (AWS provider 4.x moved the inline acl argument into its own resource).
resource "aws_s3_bucket_acl" "logging-bucket" {
	depends_on = [aws_s3_bucket_ownership_controls.logging-bucket]
	bucket     = aws_s3_bucket.logging-bucket.id
	acl        = "log-delivery-write"
}

# Target bucket of the CloudTrail trail, i.e. the bucket this rule (CT-002) checks.
resource "aws_s3_bucket" "cloud-trail-bucket" {
	bucket = "cc-project5-trail-bucket"
}

resource "aws_s3_bucket_public_access_block" "s3-block-public-access" {
	bucket                  = aws_s3_bucket.cloud-trail-bucket.id
	block_public_acls       = true
	ignore_public_acls      = true
	block_public_policy     = true
	restrict_public_buckets = true
}

# Server access logging for the trail bucket, delivered to the logging bucket
# (AWS provider 4.x moved the inline logging block into its own resource).
resource "aws_s3_bucket_logging" "cloud-trail-bucket" {
	bucket        = aws_s3_bucket.cloud-trail-bucket.id
	target_bucket = aws_s3_bucket.logging-bucket.id
	target_prefix = "s3-server-logs/"
}

# CloudTrail rejects a target bucket whose bucket policy does not grant
# cloudtrail.amazonaws.com s3:GetBucketAcl and s3:PutObject; that policy is not shown here.
resource "aws_cloudtrail" "aws-cloudtrail-trail" {
	name                  = "cc-project5-api-trail"
	s3_bucket_name        = aws_s3_bucket.cloud-trail-bucket.id
	s3_key_prefix         = "trail-logs"
	is_multi_region_trail = true
	event_selector {
		data_resource {
			type   = "AWS::S3::Object"
			values = ["arn:aws:s3"]
		}
		read_write_type           = "All"
		include_management_events = true
	}
	enable_logging = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the associated S3 bucket that you want to reconfigure.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Server access logging section, choose Edit to modify the feature configuration.

06 On the Edit server access logging page, perform the following actions:

  1. Choose Enable under Server access logging to enable the Server Access Logging feature for the selected Amazon S3 bucket.
  2. For Target bucket, choose Browse S3 and select the name of the destination bucket and folder for the access logs. You should not use the same bucket for log storage. When your source bucket and destination (target) bucket are the same, additional logs are created for the logs that are written to the bucket. These extra logs can increase your storage billing and make it harder to find the logs that you're looking for.
  3. Choose Save changes to apply the configuration changes. Once the feature is enabled, Amazon S3 console will automatically update your bucket access control list (ACL) to include access to the S3 log delivery group.

07 Repeat steps no. 3 – 6 to enable access logging for other associated S3 buckets available in your AWS cloud account.

Using AWS CLI

01 Run put-bucket-acl command (OSX/Linux/UNIX) to grant the S3 log delivery group WRITE and READ_ACP permissions on the destination (target) bucket that will receive the access logs, i.e. the bucket named as "TargetBucket" in the logging configuration defined at the next step. This ACL-based grant requires that ACLs are enabled on the destination bucket, that is, its Object Ownership setting is not Bucket owner enforced. The command should not return an output:

aws s3api put-bucket-acl \
  --bucket cloudtrail-access-logging-bucket \
  --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \
  --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

02 Define the logging configuration: the destination bucket, the key prefix for the delivered log files, and the grants that control who can access those log files. Paste the following policy document into a JSON file named server-access-logging-config.json and replace the configuration details (bucket name, prefix, and grantee) with your own. You should not use the same bucket for log storage: when your source bucket and destination bucket ("TargetBucket") are the same, additional logs are created for the logs that are written to the bucket. These extra logs increase your storage billing and make it harder to find the logs that you are looking for. In the following example, the AWS user <admin@cloudconformity.com> has full control over the log files and no one else has access:

{
	"LoggingEnabled": {
		"TargetBucket": "cloudtrail-access-logging-bucket",
		"TargetPrefix": "trail-logs/",
		"TargetGrants": [
			{
				"Grantee": {
					"Type": "AmazonCustomerByEmail",
					"EmailAddress": "admin@cloudconformity.com"
				},
				"Permission": "FULL_CONTROL"
			}
		]
	}
}

03 Run put-bucket-logging command (OSX/Linux/UNIX) using the name of the associated S3 bucket that you want to reconfigure as the identifier parameter and the logging policy defined at the previous step, to enable access logging for the specified S3 bucket (if successful, the command should not return an output):

aws s3api put-bucket-logging \
  --bucket cc-main-cloudtrail-logs \
  --bucket-logging-status file://server-access-logging-config.json

04 Repeat steps no. 1 – 3 to enable access logging for other associated S3 buckets available within your AWS cloud account.

Publication date Apr 7, 2016