Ensure that the Amazon S3 Log Delivery Group does not have permission to write to the S3 source bucket (i.e. the S3 bucket where S3 Server Access Logging is enabled).
With the S3 Server Access Logging feature you can track requests made to your Amazon S3 buckets and use the log data to audit them and protect them against unauthorized access. Amazon S3 Server Access Logging uses a special log delivery account, called the S3 Log Delivery Group, to write access logs. These writes are subject to the usual access control restrictions. To follow AWS cloud security best practices, you must grant the Log Delivery Group write permission on the target bucket only (i.e. the S3 bucket where you want the access logs to be saved), by adding a grant entry to that bucket's Access Control List (ACL); the Log Delivery Group must not have permission to write to the source bucket (i.e. the bucket where you have access logging enabled). If write access is granted on the source bucket, this misconfiguration gives the S3 Log Delivery Group overly permissive control, namely the ability to write objects into the source bucket.
This conformity rule applies only to S3 Log Delivery systems that use a different bucket for storing access logs, meaning that the source bucket and the target bucket are not the same.
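The check the rule describes, written as an added example (not Conformity's own code): it evaluates the documents returned by `get-bucket-acl` and `get-bucket-logging` and flags buckets that are logging sources, deliver logs to a different bucket, and still grant the Log Delivery Group (`http://acs.amazonaws.com/groups/s3/LogDelivery`) a write-capable permission. The bucket names and ACL/logging responses below are constructed sample data, so the script runs without any AWS calls.

```python
LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}  # either one lets the group write objects

def log_delivery_write_grants(acl):
    """Permissions granted to the Log Delivery Group that allow writing objects."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == LOG_DELIVERY_URI:
            if grant.get("Permission") in WRITE_PERMISSIONS:
                found.add(grant["Permission"])
    return found

def is_source_bucket(bucket, logging):
    """True when access logging is enabled and logs go to a *different* bucket."""
    enabled = logging.get("LoggingEnabled") or {}
    return bool(enabled) and enabled.get("TargetBucket") != bucket

def violates_rule(bucket, acl, logging):
    """Source bucket that the Log Delivery Group can write to: overly permissive."""
    return is_source_bucket(bucket, logging) and bool(log_delivery_write_grants(acl))

def audit(buckets):
    """buckets: {name: {"acl": ..., "logging": ...}}; returns the violating names."""
    return sorted(b for b, d in buckets.items() if violates_rule(b, d["acl"], d["logging"]))

def grant(uri, permission):
    """Build one ACL grant entry for a predefined S3 group."""
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}

# Constructed sample responses in the shape of get-bucket-acl / get-bucket-logging.
SAMPLE = {
    # Source bucket carrying an unneeded WRITE grant: flagged.
    "app-data": {"acl": {"Grants": [grant(LOG_DELIVERY_URI, "WRITE"),
                                    grant(LOG_DELIVERY_URI, "READ_ACP")]},
                 "logging": {"LoggingEnabled": {"TargetBucket": "access-logs",
                                                "TargetPrefix": "app-data/"}}},
    # Target bucket: the WRITE grant is required here, so it is not a violation.
    "access-logs": {"acl": {"Grants": [grant(LOG_DELIVERY_URI, "WRITE")]}, "logging": {}},
    # Bucket that logs to itself: outside this rule's scope.
    "self-logging": {"acl": {"Grants": [grant(LOG_DELIVERY_URI, "FULL_CONTROL")]},
                     "logging": {"LoggingEnabled": {"TargetBucket": "self-logging"}}},
}

if __name__ == "__main__":
    print("Source buckets writable by the Log Delivery Group:", audit(SAMPLE))
```

Against a real account, feed `audit()` the per-bucket output of `aws s3api get-bucket-acl` and `aws s3api get-bucket-logging` for every name returned by `list-buckets`.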
Audit
To determine if Amazon S3 Log Delivery Group has permission to write on the S3 source bucket, perform the following operations:
Remediation/Resolution
To deny Amazon S3 Log Delivery Group the permission to write on the source bucket, perform the following operations:
References
- AWS Documentation
  - Amazon S3 FAQs
  - Logging requests using server access logging
  - Access control list (ACL) overview
- AWS Command Line Interface (CLI) Documentation
  - s3api
    - list-buckets
    - get-bucket-acl
    - get-bucket-logging
    - put-bucket-acl
- CloudFormation Documentation
  - Amazon Simple Storage Service resource type reference
- Terraform Documentation
  - AWS Provider