Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

Risk Level: High
Simple Storage Service (S3)
Rule ID: D9.AWS.LOG.05
Category: Storage
S3 bucket access logging generates a log that contains an access record for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket. Enabling S3 bucket logging on target S3 buckets makes it possible to capture all events that may affect objects within those buckets. Configuring the logs to be delivered to a separate bucket gives access to log information that is useful in security and incident response workflows.

gsl logic

S3Bucket where policy.Statement contain [Principal.Service='cloudtrail.amazonaws.com'] should have logging.enabled='true'

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read

Learn more:
Compliance Engine
GSL Language

Remediation

Perform the following to enable S3 bucket logging via the Management Console:

1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3
2. Under All Buckets click on the target S3 bucket
3. Click on Properties in the top right of the console
4. Under Bucket: '' click on Logging
5. Configure bucket logging
5.1. Click on Enabled checkbox
5.2. Select Target Bucket from list
5.3. Enter a Target Prefix
6. Click Save

Default Value: Logging is disabled.

Additional Reference:
CIS Amazon Web Services Foundations Benchmark v1.3.0
https://workbench.cisecurity.org/benchmarks/679

Amazon S3 server access logging:
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html

Auto Remediation Using Cloudbots

cloudbot_name: s3_enable_logging

What it does: Turns on server access logging. The target bucket needs to be in the same region as the remediation bucket, otherwise S3 rejects the request with a CrossLocationLoggingProhibitted error. This bot will also create a bucket to log to.
Usage: s3_enable_logging
Limitations: none
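The following is an added example, not Dome9 code or the cloudbot itself: it evaluates the GSL logic above offline against a constructed bucket inventory (CloudTrail buckets identified by a `Principal.Service` of `cloudtrail.amazonaws.com`, then checked for `logging.enabled`), and builds the logging request equivalent to remediation steps 5.1 to 5.3, refusing a target bucket in another region as the cloudbot note describes. The bucket names, regions and policies are constructed sample data.

```python
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"

# Constructed sample inventory (not real account data). Each record carries the
# two fields the GSL rule inspects: the bucket policy and the logging configuration.
BUCKETS = [
    {"name": "org-cloudtrail-logs", "region": "us-east-1",
     "policy": {"Statement": [
         {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::org-cloudtrail-logs/AWSLogs/*"}]},
     "logging": {"enabled": False}},
    {"name": "app-assets", "region": "eu-west-1",
     "policy": {"Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"}]},
     "logging": {"enabled": False}},
    {"name": "s3-access-logs", "region": "us-east-1",
     "policy": {"Statement": []}, "logging": {"enabled": True}},
]


def is_cloudtrail_bucket(bucket):
    """GSL: policy.Statement contain [Principal.Service='cloudtrail.amazonaws.com']."""
    for stmt in bucket.get("policy", {}).get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or a bare ARN string is never a service principal
        services = principal.get("Service", [])
        if isinstance(services, str):
            services = [services]  # a single service may be given as a string
        if CLOUDTRAIL_SERVICE in services:
            return True
    return False


def find_violations(buckets):
    """Names of CloudTrail buckets where logging.enabled is not true (D9.AWS.LOG.05)."""
    return [b["name"] for b in buckets
            if is_cloudtrail_bucket(b) and not b.get("logging", {}).get("enabled", False)]


def same_region(bucket, target):
    """S3 rejects cross-region logging targets with CrossLocationLoggingProhibitted."""
    return bucket["region"] == target["region"]


def build_logging_request(bucket, target, prefix):
    """Request body in the shape boto3's put_bucket_logging takes (steps 5.1 to 5.3)."""
    if not same_region(bucket, target):
        raise ValueError(f"CrossLocationLoggingProhibitted: {bucket['name']} -> {target['name']}")
    return {"Bucket": bucket["name"],
            "BucketLoggingStatus": {"LoggingEnabled": {"TargetBucket": target["name"],
                                                      "TargetPrefix": prefix}}}
```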

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere – web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry.

Compliance Frameworks

HIPAA GDPR PCIDSS32 ISO27001 NIST_CSF BP_0318 CIS140