Ensure that Server Access Logging is enabled for your Amazon S3 buckets so that every request made to a bucket is recorded for security investigations and access audits. By default, Server Access Logging is not enabled for S3 buckets, so a bucket created without it leaves no per-request record.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on the compliance standards supported by Conformity, see the Conformity compliance documentation.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
The Server Access Logging feature provides detailed records for the requests that are made to your Amazon S3 buckets. Each log record includes the requester, the bucket name, the request time, the request action (for example GET or PUT), the resources that are specified in the request, the response status and any error code. Once enabled, the feature provides useful data for security and compliance audits, and can help you learn about your user base and understand your Amazon S3 bill. Two operational caveats apply: logs are written to a separate target bucket that must be owned by the same account and reside in the same AWS Region as the source bucket (and should not be the source bucket itself, since logging a bucket into itself generates log entries for every log delivery), and log delivery is best effort, so records may arrive with a delay and are not a substitute for a synchronous control.
Audit
To determine if Server Access Logging is enabled for your S3 buckets, perform the following operations:
Remediation / Resolution
To enable the Server Access Logging feature for your existing Amazon S3 buckets, perform the following operations:
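The audit and the remediation above, worked through with the AWS CLI `s3api` commands listed under References. This is an added example, not the Conformity page's own procedure: bucket names, the log prefix and the account ID are placeholders, and it assumes AWS CLI v2 with credentials allowed to call `s3:ListAllMyBuckets`, `s3:GetBucketLogging`, `s3:PutBucketLogging` and `s3:PutBucketPolicy`. The decision logic is kept in small functions with no AWS calls so it can be checked offline.

```shell
#!/bin/sh
# Added example (not from the Conformity page): audit S3 Server Access Logging
# across an account and enable it on one bucket. All names and the account ID
# below are placeholders supplied on the command line.

# ---- helpers without AWS calls, so the logic can be exercised offline -------

# logging_enabled <get-bucket-logging JSON>: succeeds only when a LoggingEnabled
# block is present. `aws s3api get-bucket-logging` prints nothing at all for a
# bucket whose logging is disabled, so an empty string means "disabled".
logging_enabled() {
    printf '%s' "$1" | grep -q '"LoggingEnabled"'
}

# logging_target <get-bucket-logging JSON>: print the target bucket, or
# nothing when logging is disabled.
logging_target() {
    printf '%s' "$1" | sed -n 's/.*"TargetBucket": *"\([^"]*\)".*/\1/p'
}

# logging_config_json <target-bucket> <prefix>: body for --bucket-logging-status.
logging_config_json() {
    printf '{"LoggingEnabled":{"TargetBucket":"%s","TargetPrefix":"%s"}}' "$1" "$2"
}

# log_delivery_policy_json <target-bucket> <prefix> <source-bucket> <account-id>:
# bucket policy that lets the S3 log delivery service write into the target.
# The SourceAccount/SourceArn conditions stop buckets in other accounts from
# delivering their logs into this bucket (confused-deputy protection).
log_delivery_policy_json() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "S3ServerAccessLogsPolicy",
    "Effect": "Allow",
    "Principal": {"Service": "logging.s3.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::$1/$2*",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "$4"},
      "ArnLike": {"aws:SourceArn": "arn:aws:s3:::$3"}
    }
  }]
}
EOF
}

# ---- audit: report every bucket that has no server access logging ----------
audit_all_buckets() {
    rc=0
    for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
        if cfg=$(aws s3api get-bucket-logging --bucket "$b" 2>/dev/null); then
            if logging_enabled "$cfg"; then
                echo "OK       $b -> $(logging_target "$cfg")"
            else
                echo "MISSING  $b"; rc=1
            fi
        else
            # Usually a cross-region redirect or a missing permission; recheck
            # with --region before treating the bucket as compliant.
            echo "ERROR    $b (get-bucket-logging failed)"; rc=1
        fi
    done
    return $rc
}

# ---- remediate: authorise the log delivery service, then turn logging on ---
# enable_logging <source-bucket> <target-bucket> <prefix>
enable_logging() {
    src=$1; tgt=$2; pfx=$3
    if [ "$src" = "$tgt" ]; then
        echo "refusing to log $src into itself" >&2; return 2
    fi
    acct=$(aws sts get-caller-identity --query Account --output text)
    pol=$(mktemp)
    log_delivery_policy_json "$tgt" "$pfx" "$src" "$acct" > "$pol"
    # NOTE: put-bucket-policy replaces the target bucket's whole policy; merge
    # this statement into the existing one if the target already has a policy.
    aws s3api put-bucket-policy --bucket "$tgt" --policy "file://$pol"
    rm -f "$pol"
    aws s3api put-bucket-logging --bucket "$src" \
        --bucket-logging-status "$(logging_config_json "$tgt" "$pfx")"
}

case "${1:-}" in
    audit)  audit_all_buckets ;;
    enable) enable_logging "$2" "$3" "$4" ;;   # e.g. enable my-app my-logs logs/my-app/
esac
```

Run `sh s3-logging.sh audit` to list buckets without logging and `sh s3-logging.sh enable <source> <target> <prefix>` to fix one. The References list also names `put-bucket-acl`: that is the older way of authorising delivery, granting the S3 Log Delivery group WRITE and READ_ACP on the target bucket's ACL. Buckets created since April 2023 have ACLs disabled by default (Object Ownership set to "Bucket owner enforced"), and on those buckets the ACL grant is rejected, so the bucket-policy route above is the one that works everywhere.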
References
- AWS Documentation
- Amazon S3 FAQs
- Blocking public access to your Amazon S3 storage
- AWS Command Line Interface (CLI) Documentation
- s3api
- list-buckets
- get-bucket-logging
- put-bucket-acl
- put-bucket-logging
- CloudFormation Documentation
- AWS::S3::Bucket
- Terraform Documentation
- AWS Provider