Enable Object Lock for CloudTrail S3 Buckets

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the S3 buckets that receive log files from your Amazon CloudTrail trails are configured with the Object Lock feature, so that the delivered trail log objects cannot be deleted or overwritten for a retention period you define, preserving audit evidence and helping you meet regulatory requirements. Object Lock is the Amazon S3 write-once-read-many (WORM) feature: it blocks deletion of a protected object version for the duration of its retention period, on top of the bucket's normal access controls, and it requires S3 Versioning. A version is only protected if it carries a retention setting, and CloudTrail does not set one on the files it delivers, so the bucket also needs a default retention rule. The feature provides two retention modes which apply different levels of protection to your S3 objects:

  • Governance mode – protects object versions against deletion by most users, but principals granted the s3:BypassGovernanceRetention permission (the AWS account root user has it) can still alter the retention settings or delete the version if it's really required.

  • Compliance mode – a protected object version can't be overwritten or deleted by any user, including the AWS account root user. Once an object is locked in compliance mode, its retention mode can't be changed and its retention period can't be shortened, so the version is guaranteed to survive for the configured retention period. Use it where audit logs must be tamper-proof, bearing in mind that nobody can undo the lock before the period expires.

Security

Using Object Lock on the target S3 buckets of your Amazon CloudTrail trails helps preserve log integrity: the delivered log file versions can't be deleted, accidentally or on purpose, until their retention period expires, which defeats the common attacker tactic of wiping audit logs after gaining access to an account. Two caveats: a DELETE request without a version ID still places a delete marker, so a locked log file can vanish from a plain listing even though its version remains and can be recovered; and Object Lock does nothing against stopping the trail or redirecting it to another bucket, so pair it with log file validation and tight IAM control over cloudtrail:StopLogging, cloudtrail:UpdateTrail and cloudtrail:DeleteTrail. The S3 Object Lock feature can also help you meet regulatory requirements within your organization when it comes to data protection and retention.


Audit

To determine if the S3 buckets associated with your CloudTrail trails are using the Object Lock feature, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

03 In the navigation panel, under CloudTrail, choose Trails.

04 Click on the name of the Amazon CloudTrail trail that you want to examine.

05 In the General details section, choose Edit and copy the name of the associated S3 bucket available in the Trail log bucket name box.

06 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

07 Paste the name of the bucket copied at step no. 5 in the Find buckets by name box and click on the name of the returned S3 bucket to access the bucket configuration settings.

08 Select the Properties tab from the console menu to access the bucket properties.

09 In the Object Lock section, check the Object Lock attribute value. If the attribute value is set to Disabled, the Object Lock feature is not enabled for the S3 bucket associated with the selected Amazon CloudTrail trail.

10 Repeat steps no. 4 – 9 for each Amazon CloudTrail trail created within your AWS cloud account.

Using AWS CLI

01 Run list-trails command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon CloudTrail trails created for your AWS cloud account:

aws cloudtrail list-trails \
  --region us-east-1 \
  --query 'Trails[*].Name'

02 The command output should return an array with the requested CloudTrail trail names:

[
	"cc-main-cloud-trail",
	"cc-project5-api-trail"
]

03 Run describe-trails command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to examine as the identifier parameter and custom query filters to describe the name of the S3 bucket configured to store logs for the selected trail:

aws cloudtrail describe-trails \
  --region us-east-1 \
  --trail-name-list cc-main-cloud-trail \
  --query 'trailList[*].S3BucketName'

04 The command output should return the name of the associated S3 bucket:

[
	"cc-main-cloudtrail-logs"
]

05 Run get-object-lock-configuration command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter and custom query filters to describe the Object Lock feature configuration status available for the selected bucket:

aws s3api get-object-lock-configuration \
  --bucket cc-main-cloudtrail-logs \
  --query 'ObjectLockConfiguration.ObjectLockEnabled'

06 If Object Lock is enabled, the command output returns "Enabled"; if there is no Object Lock configuration defined for the specified S3 bucket, the command fails with an ObjectLockConfigurationNotFoundError error message:

An error occurred (ObjectLockConfigurationNotFoundError) when calling the GetObjectLockConfiguration operation: Object Lock configuration does not exist for this bucket

If the get-object-lock-configuration command output returns the ObjectLockConfigurationNotFoundError error message, as shown in the output example above, the Object Lock feature is not enabled for the S3 bucket associated with the selected Amazon CloudTrail trail. An output of "Enabled" satisfies this rule, but for the lock to actually protect CloudTrail log files the configuration must also contain a Rule with a DefaultRetention (mode and period): run the same command with --query 'ObjectLockConfiguration.Rule.DefaultRetention' to confirm it, because CloudTrail does not set per-object retention on the files it delivers, and an enabled bucket without a default rule locks nothing.

07 Repeat steps no. 3 – 6 for each Amazon CloudTrail trail created in your AWS cloud account.
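The following Python script is an added example (not code from the Conformity page or the AWS CLI) that performs the same audit as the CLI steps above with boto3 and goes one step further: it reports buckets whose Object Lock status is Enabled but that have no default retention rule, since CloudTrail-delivered log files receive no per-object retention and are therefore not locked in that case, and it flags GOVERNANCE mode and retention periods shorter than a threshold. The MIN_DAYS value, the finding codes and the function names are assumptions made for this example; boto3 and AWS credentials are needed only for the live audit, not for assess_object_lock().

```python
"""Audit CloudTrail trail buckets for effective S3 Object Lock protection.

Added example, not part of the Conformity page. boto3 and credentials are
needed only by the live functions; assess_object_lock() is pure.
"""
from typing import Dict, List, Optional

MIN_DAYS = 90  # assumed minimum retention; align with your log-retention policy


def assess_object_lock(config: Optional[Dict], min_days: int = MIN_DAYS) -> List[str]:
    """Return finding codes for one bucket's ObjectLockConfiguration.

    `config` is the dict returned by s3:GetObjectLockConfiguration, or None
    when that call raised ObjectLockConfigurationNotFoundError. An empty
    list means the bucket meets this check.
    """
    if not config or config.get("ObjectLockEnabled") != "Enabled":
        return ["OBJECT_LOCK_DISABLED"]

    retention = (config.get("Rule") or {}).get("DefaultRetention") or {}
    if not retention:
        # Enabled but no default rule: objects are locked only if the writer
        # sets per-object retention, and CloudTrail does not.
        return ["NO_DEFAULT_RETENTION"]

    findings: List[str] = []
    mode = retention.get("Mode")
    if mode == "GOVERNANCE":
        # Anyone granted s3:BypassGovernanceRetention (root included) can still delete.
        findings.append("GOVERNANCE_MODE")
    elif mode != "COMPLIANCE":
        findings.append("UNKNOWN_MODE")

    days = retention.get("Days")
    if days is None and "Years" in retention:
        days = retention["Years"] * 365
    if days is None or days < min_days:
        findings.append("RETENTION_TOO_SHORT")
    return findings


def bucket_object_lock(session, bucket: str) -> Optional[Dict]:
    """Fetch a bucket's Object Lock configuration; None when it has none."""
    from botocore.exceptions import ClientError

    # Object Lock calls must be sent to the bucket's own region
    # (LocationConstraint is None for us-east-1).
    region = session.client("s3").get_bucket_location(Bucket=bucket)["LocationConstraint"]
    s3 = session.client("s3", region_name=region or "us-east-1")
    try:
        return s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] == "ObjectLockConfigurationNotFoundError":
            return None
        raise


def audit_trails(session) -> Dict[str, List[str]]:
    """Map each trail ARN to its bucket's findings. Shadow trails are included
    so multi-region trails are covered; keying by ARN de-duplicates them."""
    trails = session.client("cloudtrail").describe_trails(includeShadowTrails=True)
    results: Dict[str, List[str]] = {}
    for trail in trails["trailList"]:
        results[trail["TrailARN"]] = assess_object_lock(
            bucket_object_lock(session, trail["S3BucketName"])
        )
    return results


if __name__ == "__main__":
    import boto3  # live audit only

    for arn, findings in audit_trails(boto3.Session()).items():
        print(f"{arn}: {'OK' if not findings else ', '.join(findings)}")
```

For an organization trail whose bucket lives in another account, get_bucket_location is denied from a member account; run the script from the account that owns the bucket.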

Remediation / Resolution

When this rule was first published, Amazon S3 only allowed Object Lock to be turned on when a bucket was created, so the procedures below re-create the bucket. S3 has since added support for enabling Object Lock on an existing bucket that has versioning enabled (through the bucket's Object Lock settings in the console, or put-object-lock-configuration with ObjectLockEnabled set to Enabled), in which case you can apply a default retention rule to the current trail bucket and skip the move. Whichever route you take, size the retention period to the log retention your policy requires: locked versions cannot be expired by lifecycle rules or deleted (in compliance mode, by anyone at all) until the period ends, and a bucket that still holds locked versions cannot be deleted. To re-create the S3 bucket associated with your Amazon CloudTrail trail and enable the Object Lock feature in order to help ensure trail data integrity, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Parameters": {
		"CloudTrailName": {
			"Type": "String"
		},
		"CloudTrailBucketName": {
			"Type": "String"
		},
		"CloudTrailBucketPrefix": {
			"Type": "String"
		}
	},
	"Resources": {
		"CloudTrailBucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": {
					"Ref": "CloudTrailBucketName"
				},
				"AccessControl": "Private",
				"PublicAccessBlockConfiguration": {
					"BlockPublicAcls": true,
					"IgnorePublicAcls": true,
					"BlockPublicPolicy": true,
					"RestrictPublicBuckets": true
				},
				"ObjectLockEnabled": true,
				"ObjectLockConfiguration": {
					"ObjectLockEnabled": "Enabled",
					"Rule": {
						"DefaultRetention": {
							"Mode": "GOVERNANCE",
							"Days": 90
						}
					}
				}
			}
		},
		"CloudTrailBucketPolicy": {
			"Type": "AWS::S3::BucketPolicy",
			"Properties": {
				"Bucket": {
					"Ref": "CloudTrailBucket"
				},
				"PolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Sid": "AWSCloudTrailAclCheck",
							"Effect": "Allow",
							"Principal": {
								"Service": "cloudtrail.amazonaws.com"
							},
							"Action": "s3:GetBucketAcl",
							"Resource": {
								"Fn::GetAtt": ["CloudTrailBucket", "Arn"]
							},
							"Condition": {
								"StringEquals": {
									"aws:SourceArn": {
										"Fn::Sub": "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/${CloudTrailName}"
									}
								}
							}
						},
						{
							"Sid": "AWSCloudTrailWrite",
							"Effect": "Allow",
							"Principal": {
								"Service": "cloudtrail.amazonaws.com"
							},
							"Action": "s3:PutObject",
							"Resource": {
								"Fn::Sub": "${CloudTrailBucket.Arn}/*"
							},
							"Condition": {
								"StringEquals": {
									"s3:x-amz-acl": "bucket-owner-full-control",
									"aws:SourceArn": {
										"Fn::Sub": "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/${CloudTrailName}"
									}
								}
							}
						}
					]
				}
			}
		},
		"CloudTrail": {
			"Type": "AWS::CloudTrail::Trail",
			"DependsOn": "CloudTrailBucketPolicy",
			"Properties": {
				"TrailName": {
					"Ref": "CloudTrailName"
				},
				"S3BucketName": {
					"Ref": "CloudTrailBucketName"
				},
				"S3KeyPrefix": {
					"Ref": "CloudTrailBucketPrefix"
				},
				"IsLogging": true,
				"IsMultiRegionTrail": true,
				"EventSelectors": [
					{
						"DataResources": [
							{
								"Type": "AWS::S3::Object",
								"Values": [
									"arn:aws:s3"
								]
							}
						],
						"ReadWriteType": "All",
						"IncludeManagementEvents": true
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CloudTrailName:
    Type: String
  CloudTrailBucketName:
    Type: String
  CloudTrailBucketPrefix:
    Type: String
Resources:
  CloudTrailBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref CloudTrailBucketName
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
      ObjectLockEnabled: true
      ObjectLockConfiguration:
        ObjectLockEnabled: Enabled
        Rule:
          DefaultRetention:
            Mode: GOVERNANCE
            Days: 90
  # CloudTrail refuses a destination bucket that lacks this policy.
  CloudTrailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref CloudTrailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt CloudTrailBucket.Arn
            Condition:
              StringEquals:
                aws:SourceArn: !Sub 'arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/${CloudTrailName}'
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub '${CloudTrailBucket.Arn}/*'
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                aws:SourceArn: !Sub 'arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/${CloudTrailName}'
  CloudTrail:
    Type: AWS::CloudTrail::Trail
    DependsOn: CloudTrailBucketPolicy
    Properties:
      TrailName: !Ref CloudTrailName
      S3BucketName: !Ref CloudTrailBucketName
      S3KeyPrefix: !Ref CloudTrailBucketPrefix
      IsLogging: true
      IsMultiRegionTrail: true
      EventSelectors:
        - DataResources:
            - Type: AWS::S3::Object
              Values:
                - arn:aws:s3
          ReadWriteType: All
          IncludeManagementEvents: true

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Account ID is needed to scope the CloudTrail write path in the bucket policy.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "cloud-trail-bucket" {
	bucket = "cc-project5-trail-bucket"
	# Enabling Object Lock at creation also turns on the S3 Versioning it requires.
	# The deprecated acl argument is omitted: the bucket is private by default and
	# public access is blocked below.
	object_lock_enabled = true
}

resource "aws_s3_bucket_public_access_block" "s3-block-public-access" {
	bucket                  = aws_s3_bucket.cloud-trail-bucket.id
	block_public_acls       = true
	ignore_public_acls      = true
	block_public_policy     = true
	restrict_public_buckets = true
}

resource "aws_s3_bucket_object_lock_configuration" "s3-object-lock-config" {
	bucket = aws_s3_bucket.cloud-trail-bucket.id
	rule {
		default_retention {
			mode = "GOVERNANCE"
			days = 90
		}
	}
}

# CloudTrail refuses a destination bucket that lacks this policy.
resource "aws_s3_bucket_policy" "cloud-trail-bucket-policy" {
	bucket = aws_s3_bucket.cloud-trail-bucket.id
	policy = jsonencode({
		Version = "2012-10-17"
		Statement = [
			{
				Sid       = "AWSCloudTrailAclCheck"
				Effect    = "Allow"
				Principal = { Service = "cloudtrail.amazonaws.com" }
				Action    = "s3:GetBucketAcl"
				Resource  = aws_s3_bucket.cloud-trail-bucket.arn
			},
			{
				Sid       = "AWSCloudTrailWrite"
				Effect    = "Allow"
				Principal = { Service = "cloudtrail.amazonaws.com" }
				Action    = "s3:PutObject"
				# Write path is <s3_key_prefix>/AWSLogs/<account-id>/*
				Resource  = "${aws_s3_bucket.cloud-trail-bucket.arn}/trail-logs/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
				Condition = {
					StringEquals = {
						"s3:x-amz-acl"  = "bucket-owner-full-control"
						"aws:SourceArn" = "arn:aws:cloudtrail:us-east-1:${data.aws_caller_identity.current.account_id}:trail/cc-project5-api-trail"
					}
				}
			}
		]
	})
}

resource "aws_cloudtrail" "aws-cloudtrail-trail" {
	name                  = "cc-project5-api-trail"
	s3_bucket_name        = aws_s3_bucket.cloud-trail-bucket.id
	s3_key_prefix         = "trail-logs"
	enable_logging        = true
	is_multi_region_trail = true
	event_selector {
		data_resource {
			type   = "AWS::S3::Object"
			values = ["arn:aws:s3"]
		}
		read_write_type           = "All"
		include_management_events = true
	}
	# The trail must not be created before the policy and lock settings exist.
	depends_on = [
		aws_s3_bucket_policy.cloud-trail-bucket-policy,
		aws_s3_bucket_object_lock_configuration.s3-object-lock-config
	]
}

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Choose Create bucket from the console top menu to create a new Amazon S3 bucket.

04 On the Create bucket setup page, perform the following operations:

  1. For General configuration:
    • Provide a unique name for your new S3 bucket in the Bucket name box.
    • From the AWS Region dropdown list, select the AWS cloud region where the new S3 bucket will be created (must match the region of the associated bucket).
    • Under Copy settings from existing bucket, click Choose bucket, select the source (associated) S3 bucket, and click Choose bucket again. This copies bucket settings such as versioning and encryption, but not the bucket policy.
  2. For Block Public Access settings for bucket, select Block all public access to ensure that all public access to this bucket and its objects is blocked. For more details about this feature, see this conformity rule.
  3. For Bucket Versioning, choose Enable to enable bucket versioning for the new bucket. Amazon S3 Object Lock requires S3 object versioning.
  4. (Optional) For Tags, use the Add tag button to create and apply user-defined tags to the S3 bucket. You can track storage cost and other criteria by tagging your bucket.
  5. For Default encryption, select Enable under Server-side encryption, and choose one of the encryption key types available, based on your requirements. For more details about Amazon S3 Server-Side Encryption (SSE), see this conformity rule.
  6. For Advanced settings, choose Enable under Object Lock to enable the Object Lock feature. To confirm, check the box marked: I acknowledge that enabling Object Lock will permanently allow objects in this bucket to be locked.
  7. Choose Create bucket to create your new Amazon S3 bucket.

05 Click on the name of the newly created Amazon S3 bucket.

06 Select the Properties tab from the console menu to access the bucket properties.

07 In the Object Lock section, choose Edit to configure the feature settings available for the S3 objects that are uploaded without Object Lock configuration.

08 Within the Object Lock configuration section, choose Enable under Default retention and select one of the following default retention modes. These retention modes apply different levels of protection to the objects within the selected bucket:

  • Select Governance so that users cannot overwrite or delete an S3 object version or alter its lock settings unless they hold the s3:BypassGovernanceRetention permission (the AWS account root user has it). Governance mode enables you to protect objects against deletion by most users while still allowing you to grant some users permission to alter the retention settings or delete the object if required; keep that permission out of ordinary IAM policies. In the Default retention period box, enter the number of days required to protect an object version. Click Save changes to apply the changes.
  • Select Compliance so that a protected object version cannot be overwritten or deleted by any user, including the AWS account root user. Once an S3 object is locked in Compliance mode, its retention mode cannot be reconfigured and its retention period cannot be shortened. This retention mode ensures that an object version can't be overwritten or deleted for the duration of the retention period, specified in the Default retention period box. Click Save changes to apply the configuration changes.

09 Navigate to Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

10 In the navigation panel, under CloudTrail, choose Trails.

11 Click on the name of the Amazon CloudTrail trail that you want to reconfigure.

12 In the General details section choose Edit to change the configuration settings available for the selected trail.

13 On the Edit trail configuration page, choose Browse under Trail log bucket name, select the newly created S3 bucket, and click Choose. (Optional) You can also specify a prefix for the log files in the Prefix – optional box. Choose Save changes to apply the changes. The new bucket must carry a bucket policy that allows the cloudtrail.amazonaws.com service principal s3:GetBucketAcl on the bucket and s3:PutObject on its AWSLogs/<account-id>/ path with the bucket-owner-full-control ACL condition, as described in the CloudTrail documentation; the Copy settings option in step no. 4 does not copy the old bucket's policy, and CloudTrail rejects a bucket without one. Once the configuration changes are applied, Amazon CloudTrail service will begin to deliver trail data to the associated S3 bucket, which is now protected with the Object Lock feature.

14 Repeat steps no. 11 – 13 for each Amazon CloudTrail trail that you want to reconfigure, available in your AWS cloud account.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create the required Amazon S3 bucket and enable the S3 Object Lock feature for all the objects uploaded to this bucket, by using the --object-lock-enabled-for-bucket command parameter (this also turns on S3 Versioning, which Object Lock requires; for any region other than us-east-1 add --create-bucket-configuration LocationConstraint=<region>):

aws s3api create-bucket \
  --bucket cc-main-trail-protected-logs \
  --region us-east-1 \
  --acl private \
  --object-lock-enabled-for-bucket

02 The command output should return the name of the newly created S3 bucket:

{
	"Location": "/cc-main-trail-protected-logs"
}

03 Run put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Public Access Block feature for the new Amazon S3 bucket (the command should not produce an output):

aws s3api put-public-access-block \
  --region us-east-1 \
  --bucket cc-main-trail-protected-logs \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

04 Define the Object Lock feature configuration parameters by specifying the default retention mode and the default retention period for the new S3 bucket. The following example enables the Governance retention mode for 90 days. Governance mode ensures that users cannot overwrite or delete an S3 object version or alter its lock settings unless they hold the s3:BypassGovernanceRetention permission (the AWS account root user has it), so it protects objects against deletion by most users while still allowing you to grant some users permission to alter the retention settings or delete the object if required; use COMPLIANCE instead where the logs must be immune to every principal for the retention period. Save the following configuration parameters to a JSON file named object-lock-config.json:

{
	"ObjectLockEnabled": "Enabled",
	"Rule": {
		"DefaultRetention": {
			"Mode": "GOVERNANCE",
			"Days": 90
		}
	}
}

05 Run put-object-lock-configuration command (OSX/Linux/UNIX) using the configuration parameters defined at the previous step to apply your S3 Object Lock configuration to the newly created S3 bucket (if successful, the command does not produce an output):

aws s3api put-object-lock-configuration \
  --bucket cc-main-trail-protected-logs \
  --object-lock-configuration file://object-lock-config.json

06 Attach a bucket policy that lets the CloudTrail service principal write to the new bucket (s3:GetBucketAcl on the bucket and s3:PutObject on its AWSLogs/<account-id>/ path with the bucket-owner-full-control ACL condition, as given in the CloudTrail documentation); without it the next command fails with InsufficientS3BucketPolicyException. Then run update-trail command (OSX/Linux/UNIX) using the name of the Amazon CloudTrail trail that you want to reconfigure as the identifier parameter, to update the storage settings available for the selected trail. A multi-region trail can only be updated from its home region. Once the storage changes are applied, Amazon CloudTrail service will begin to deliver trail data to the new S3 bucket, protected with the Object Lock feature:

aws cloudtrail update-trail \
  --region us-east-1 \
  --name cc-main-cloud-trail \
  --s3-bucket-name cc-main-trail-protected-logs

07 The command output should return the metadata available for the reconfigured trail:

{
	"IncludeGlobalServiceEvents": true,
	"IsOrganizationTrail": false,
	"Name": "cc-main-cloud-trail",
	"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/cc-main-cloud-trail",
	"LogFileValidationEnabled": true,
	"IsMultiRegionTrail": true,
	"S3BucketName": "cc-main-trail-protected-logs"
}

08 Repeat steps no. 6 and 7 for each Amazon CloudTrail trail that you want to reconfigure, available within your AWS cloud account.
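Because both the console and the CLI procedures above depend on a bucket policy that the page never spells out, here is an added example (not code from the Conformity page) that carries out the whole CLI remediation with boto3: it creates the locked bucket, blocks public access, applies the default retention, attaches the bucket policy CloudTrail requires, and repoints the trail. cloudtrail_bucket_policy() builds the policy from the two statements in the CloudTrail documentation, scopes both to the trail with aws:SourceArn, and handles the edge case of an empty or slash-wrapped prefix, which would otherwise produce a path that never matches. The bucket and trail names, the 90-day GOVERNANCE default and the function names are assumptions for this example; boto3 and credentials are needed only for remediate().

```python
"""Move a CloudTrail trail to a new Object Lock bucket, bucket policy included.

Added example, not code from the Conformity page. boto3 and credentials are
needed only by remediate(); cloudtrail_bucket_policy() is pure.
"""
import json
from typing import Dict


def cloudtrail_bucket_policy(bucket: str, account_id: str, region: str,
                             trail_name: str, prefix: str = "") -> Dict:
    """Bucket policy CloudTrail requires before it will deliver to a bucket.

    Both statements are limited to this trail via aws:SourceArn (confused-
    deputy protection). Log files land under <prefix>/AWSLogs/<account>/,
    so an empty prefix must not introduce a leading '/' into the resource.
    """
    clean = prefix.strip("/")
    log_path = f"{clean}/AWSLogs/{account_id}/*" if clean else f"AWSLogs/{account_id}/*"
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/{log_path}",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def remediate(session, trail_name: str, bucket: str, region: str,
              prefix: str = "", mode: str = "GOVERNANCE", days: int = 90) -> Dict:
    """Create the locked bucket and repoint the trail. Run in the trail's home region."""
    account_id = session.client("sts").get_caller_identity()["Account"]
    s3 = session.client("s3", region_name=region)

    create = {"Bucket": bucket, "ObjectLockEnabledForBucket": True}
    if region != "us-east-1":  # us-east-1 rejects an explicit LocationConstraint
        create["CreateBucketConfiguration"] = {"LocationConstraint": region}
    s3.create_bucket(**create)  # Object Lock also switches versioning on

    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    )
    s3.put_object_lock_configuration(
        Bucket=bucket,
        ObjectLockConfiguration={
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}},
        },
    )
    # Without this policy update_trail fails with InsufficientS3BucketPolicyException.
    s3.put_bucket_policy(
        Bucket=bucket,
        Policy=json.dumps(cloudtrail_bucket_policy(bucket, account_id, region, trail_name, prefix)),
    )

    args = {"Name": trail_name, "S3BucketName": bucket}
    if prefix.strip("/"):
        args["S3KeyPrefix"] = prefix.strip("/")
    return session.client("cloudtrail", region_name=region).update_trail(**args)


if __name__ == "__main__":
    import boto3  # live remediation only

    out = remediate(boto3.Session(), "cc-main-cloud-trail", "cc-main-trail-protected-logs", "us-east-1")
    print(json.dumps({k: out[k] for k in ("Name", "TrailARN", "S3BucketName")}, indent=2))
```

The old bucket is left untouched so that log files already delivered there stay available; decommission it only after its own retention obligations are met.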

Publication date Oct 21, 2019