Ensure that the Amazon S3 Server Access Logging feature is not configured to use the same S3 bucket as both the source bucket (the S3 bucket where access logging is enabled) and the target bucket (the bucket where the access logs are saved). For easy and efficient log management, Trend Cloud One™ – Conformity strongly recommends saving access logs in a different S3 bucket.

Rule categories: optimisation, efficiency
When your source bucket and target bucket are the same S3 bucket, the Server Access Logging feature generates additional logs for the log objects it writes to that bucket. This behavior is not ideal for most use cases because it can increase your Amazon S3 storage costs. In addition, saving the extra logs generated for the S3 access logs in the same location can make it harder to find the log files you are looking for.
Audit
To determine if the Amazon S3 Server Access Logging feature is configured to use the same S3 bucket as both the source and the target bucket, perform the following actions:
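The check below is an added example, not part of the Conformity audit procedure or the AWS tooling. It evaluates the responses returned by `aws s3api get-bucket-logging` (or boto3's `get_bucket_logging`) for each bucket and flags any bucket whose `LoggingEnabled.TargetBucket` is the bucket itself; the sample responses and bucket names are constructed, and `collect_live` is a hypothetical helper for fetching real responses with a boto3 client.

```python
"""Flag S3 buckets whose server access logging target is the bucket itself.

Works on the dict shape of `aws s3api get-bucket-logging --bucket NAME`
(same as boto3 S3.Client.get_bucket_logging), so it runs offline on
captured output. Sample data below is constructed.
"""
from typing import Dict, List, Optional


def logging_target(response: dict) -> Optional[str]:
    """Return the target bucket from a get-bucket-logging response, or None
    when server access logging is disabled (no LoggingEnabled element)."""
    enabled = response.get("LoggingEnabled")
    if not enabled:
        return None
    return enabled.get("TargetBucket")


def self_logging_buckets(responses: Dict[str, dict]) -> List[str]:
    """Given {source_bucket: get-bucket-logging response}, return the sorted
    names of buckets that write their access logs into themselves."""
    return sorted(
        name for name, resp in responses.items() if logging_target(resp) == name
    )


def collect_live(s3_client) -> Dict[str, dict]:
    """Hypothetical helper (assumption): gather responses for every bucket
    using a boto3 S3 client; not used by the offline sample below."""
    return {
        b["Name"]: s3_client.get_bucket_logging(Bucket=b["Name"])
        for b in s3_client.list_buckets()["Buckets"]
    }


# Constructed sample: three buckets in different logging states.
SAMPLE_RESPONSES = {
    # Non-compliant: target bucket is the source bucket itself.
    "app-data-bucket": {
        "LoggingEnabled": {"TargetBucket": "app-data-bucket", "TargetPrefix": "logs/"}
    },
    # Compliant: logs go to a dedicated logging bucket.
    "web-assets-bucket": {
        "LoggingEnabled": {"TargetBucket": "central-access-logs", "TargetPrefix": "web/"}
    },
    # Logging disabled: the response carries no LoggingEnabled element.
    "scratch-bucket": {},
}

if __name__ == "__main__":
    for bucket in self_logging_buckets(SAMPLE_RESPONSES):
        print(f"{bucket}: access logs are written to the same bucket")
```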
Remediation/Resolution
To configure a different S3 bucket as the target bucket for the Amazon S3 Server Access Logging feature, perform the following actions:
References
- AWS Documentation
  - Amazon S3 FAQs
  - Logging requests using server access logging
  - Access control list (ACL) overview
- AWS Command Line Interface (CLI) Documentation
  - s3api
    - list-buckets
    - get-bucket-logging
    - create-bucket
    - put-public-access-block
    - put-bucket-acl
    - put-bucket-logging
- CloudFormation Documentation
  - Amazon Simple Storage Service resource type reference
- Terraform Documentation
  - AWS Provider