Ensure that the S3 buckets that receive your CloudTrail trail logs (the trails' target buckets) have S3 Server Access Logging enabled, so that every request made against those buckets is recorded and available for AWS cloud security audits.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Because the CloudTrail target buckets store sensitive audit data, they must be protected from unauthorized access. With server access logging enabled, S3 writes a record of every request made to the target bucket (requester, operation, object key, response code, time), so any read, overwrite or deletion of trail files can be traced and a user cannot tamper with CloudTrail logs unnoticed. Server access logging only records activity; restricting who can alter or delete the logs is done through the bucket policy and IAM permissions, and the access logs themselves should be delivered to a separate bucket that is protected in the same way (logging a bucket into itself creates an ever-growing loop of log entries about log deliveries).
Audit
To determine if server access logging is enabled for your CloudTrail buckets, perform the following operations:
Remediation / Resolution
To enable access logging for the S3 buckets associated with your Amazon CloudTrail trails, perform the following operations:
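The audit and remediation steps themselves are not reproduced on this page. The following script is an added example, not Conformity's own tooling, that performs both with the AWS CLI commands listed under References: it collects the S3 buckets referenced by the account's trails (`describe-trails`), checks each one with `get-bucket-logging`, and for remediation grants the S3 logging service write access to a separate log bucket and turns logging on with `put-bucket-logging`. It goes one step beyond the rule text by also flagging a bucket that logs into itself. The AWS CLI v2 and credentials for the audited account are assumed; the bucket names, log prefix and account ID are placeholders you supply.

```bash
#!/usr/bin/env bash
# Added example, not Conformity's audit script. Assumes the AWS CLI (v2) is
# installed and credentials for the audited account are configured.
# Bucket names, the log prefix and the account ID are placeholders.

# --- pure helpers (no AWS calls), so they can be exercised offline ----------

# Returns 0 when the JSON printed by `aws s3api get-bucket-logging` shows
# server access logging enabled. The CLI prints an empty response for a
# bucket with logging disabled, so an empty string means "not enabled".
logging_enabled() {
  printf '%s' "$1" | grep -q '"TargetBucket"'
}

# Prints the bucket that receives the access logs (empty if logging is off).
log_target_bucket() {
  printf '%s\n' "$1" | sed -n 's/.*"TargetBucket": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Classifies one trail bucket: OK, MISSING (no logging) or SELF (the bucket
# delivers its access logs to itself, which AWS advises against).
classify_bucket() {
  local bucket="$1" json="$2" target
  if ! logging_enabled "$json"; then echo "MISSING"; return; fi
  target="$(log_target_bucket "$json")"
  if [ "$target" = "$bucket" ]; then echo "SELF"; else echo "OK"; fi
}

# --- audit: every S3 bucket referenced by a CloudTrail trail -----------------

audit_trails() {
  local bucket json
  aws cloudtrail describe-trails --query 'trailList[].S3BucketName' --output text \
    | tr '\t' '\n' | sort -u | while read -r bucket; do
      [ -n "$bucket" ] || continue
      # Buckets owned by another account (e.g. organization trails) are not
      # readable from here; report them instead of mislabelling them MISSING.
      json="$(aws s3api get-bucket-logging --bucket "$bucket" --output json 2>/dev/null)" \
        || { printf '%-50s %s\n' "$bucket" "ERROR (not readable from this account)"; continue; }
      printf '%-50s %s\n' "$bucket" "$(classify_bucket "$bucket" "$json")"
    done
}

# --- remediation: send the trail bucket's access logs to a separate bucket ---

# remediate_bucket TRAIL_BUCKET LOG_BUCKET ACCOUNT_ID
remediate_bucket() {
  local src="$1" dst="$2" account="$3" prefix="s3-access-logs/$1/"
  # Let the S3 logging service write into the log bucket. A bucket policy is
  # the route that works when Object Ownership is "Bucket owner enforced"
  # (ACLs disabled, the default for new buckets); `put-bucket-acl` granting
  # WRITE to the LogDelivery group is the older, ACL-based route.
  # NOTE: put-bucket-policy replaces the whole policy; merge with any existing
  # statements on the log bucket first.
  aws s3api put-bucket-policy --bucket "$dst" --policy "$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "S3ServerAccessLogsPolicy",
    "Effect": "Allow",
    "Principal": {"Service": "logging.s3.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::${dst}/${prefix}*",
    "Condition": {
      "ArnLike":      {"aws:SourceArn": "arn:aws:s3:::${src}"},
      "StringEquals": {"aws:SourceAccount": "${account}"}
    }
  }]
}
EOF
)"
  aws s3api put-bucket-logging --bucket "$src" --bucket-logging-status \
    "{\"LoggingEnabled\":{\"TargetBucket\":\"${dst}\",\"TargetPrefix\":\"${prefix}\"}}"
  # Re-check the setting. The status change is immediate; delivery of the
  # log records themselves is best-effort and can lag by hours.
  classify_bucket "$src" "$(aws s3api get-bucket-logging --bucket "$src" --output json)"
}

case "${1:-}" in
  audit)     audit_trails ;;
  remediate) remediate_bucket "$2" "$3" "$4" ;;
esac
```

Run `./ct-bucket-logging.sh audit` to get one line per trail bucket with its status, then `./ct-bucket-logging.sh remediate TRAIL_BUCKET LOG_BUCKET ACCOUNT_ID` for each bucket reported as MISSING or SELF. The log bucket should live in the same region as the trail bucket and should not itself be one of the trail buckets.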
References
- AWS Documentation
  - CloudTrail Concepts
  - Identity and access management in Amazon S3
  - Logging requests using server access logging
  - Enabling Amazon S3 server access logging
- AWS Command Line Interface (CLI) Documentation
  - cloudtrail
    - list-trails
    - describe-trails
  - s3api
    - get-bucket-logging
    - put-bucket-acl
    - put-bucket-logging
Rule: CloudTrail S3 Bucket Logging Enabled
Risk Level: High