Ensure that object-level logging is enabled for S3 buckets

Risk Level: High
Simple Storage Service (S3)
Rule ID: D9.AWS.LOG.19
Category: Storage
Object-level logging records S3 object-level API activity (CloudTrail data events such as GetObject and PutObject) alongside the rest of your central audit trail in CloudTrail; without it, CloudTrail captures only bucket-level management events such as CreateBucket or PutBucketPolicy, so reads and writes of individual objects leave no audit record. You control which buckets, prefixes, and objects are audited and whether read, write, or both types of actions are logged. Data events are billed separately from management events and incur additional CloudTrail charges.

gsl logic

S3Bucket should have objectLevelLogging=true

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read

Learn more:
Compliance Engine
GSL Language

Remediation

1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
2. In the Bucket name list, choose the name of the bucket.
3. Choose Properties
4. Choose Object-level logging.
5. Choose an existing CloudTrail trail in the drop-down menu.
6. Under Events, choose one of the following:
- Read to specify that you want CloudTrail to log Amazon S3 read APIs such as GetObject.
- Write to log Amazon S3 write APIs such as PutObject.
- Read and Write to log both read and write object APIs.
7. Choose Create to enable object-level logging for the bucket.
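The same check and remediation, scripted, as an added example that is not Dome9/CloudGuard or AWS code. It evaluates the JSON that `aws cloudtrail get-event-selectors --trail-name <trail>` returns, decides whether a named bucket has object-level logging for both read and write APIs (the strict reading of `S3Bucket should have objectLevelLogging=true`), and builds the event-selector entry that `aws cloudtrail put-event-selectors --trail-name <trail> --event-selectors '<json>'` accepts, equivalent to steps 5 and 6 above. The trail ARN, bucket names and selector documents below are constructed samples; no AWS call is made, so it runs offline.

```python
"""Evaluate and build CloudTrail data-event selectors for S3 object-level logging.

Added example, not Dome9/CloudGuard or AWS code. Input is the shape returned by
`aws cloudtrail get-event-selectors`; output is the shape accepted by
`aws cloudtrail put-event-selectors --event-selectors`. All samples are constructed.
"""
import json

# Constructed sample (classic EventSelectors): audited-bucket logged for reads and
# writes, logs-bucket for writes only, other buckets not at all.
SAMPLE_CLASSIC = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/central-trail",
    "EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True,
         "DataResources": [{"Type": "AWS::S3::Object",
                            "Values": ["arn:aws:s3:::audited-bucket/"]}]},
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False,
         "DataResources": [{"Type": "AWS::S3::Object",
                            "Values": ["arn:aws:s3:::logs-bucket/"]}]},
    ],
}

# Constructed sample (AdvancedEventSelectors): object reads on every bucket in
# the account, because no resources.ARN field restricts the selector.
SAMPLE_ADVANCED = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/central-trail",
    "AdvancedEventSelectors": [{
        "Name": "All S3 object reads",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "readOnly", "Equals": ["true"]},
        ],
    }],
}

READ_WRITE_MODES = {"ReadOnly": {"read"}, "WriteOnly": {"write"}, "All": {"read", "write"}}
MAX_EVENT_SELECTORS = 5  # CloudTrail limit per trail for classic event selectors


def _covers_whole_bucket(arn_prefix, bucket):
    """True when a data-resource value covers every object in `bucket`.
    `arn:aws:s3` / `arn:aws:s3:::` mean all buckets; `arn:aws:s3:::bucket/` means
    all objects in that bucket. A narrower prefix (bucket/some/path/) audits
    only part of the bucket and does not satisfy the rule."""
    return arn_prefix in ("arn:aws:s3", "arn:aws:s3:::", f"arn:aws:s3:::{bucket}/")


def coverage_for_bucket(selectors, bucket):
    """Return the subset of {"read", "write"} logged for all objects in `bucket`.
    `selectors` is the get-event-selectors document as a dict or JSON string; a
    trail has either EventSelectors or AdvancedEventSelectors, both are handled.
    Exclusions (NotStartsWith etc.) are not modelled."""
    doc = json.loads(selectors) if isinstance(selectors, str) else selectors
    covered = set()
    for sel in doc.get("EventSelectors", []):
        modes = READ_WRITE_MODES[sel.get("ReadWriteType", "All")]
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            if any(_covers_whole_bucket(v, bucket) for v in res.get("Values", [])):
                covered |= modes
    for adv in doc.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in adv.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if fields.get("resources.type", {}).get("Equals") != ["AWS::S3::Object"]:
            continue
        arn_field = fields.get("resources.ARN")
        if arn_field is not None:
            prefixes = arn_field.get("StartsWith", []) + arn_field.get("Equals", [])
            if not any(_covers_whole_bucket(p, bucket) for p in prefixes):
                continue
        read_only = fields.get("readOnly", {}).get("Equals")  # absent = reads and writes
        covered |= {"read"} if read_only == ["true"] else \
                   {"write"} if read_only == ["false"] else {"read", "write"}
    return covered


def object_level_logging_enabled(selectors, bucket):
    """Strict form of the check: both read and write object APIs logged for the whole bucket."""
    return coverage_for_bucket(selectors, bucket) == {"read", "write"}


def selector_for_bucket(bucket, read_write_type="All"):
    """One EventSelectors entry logging every object API of the chosen type in `bucket`."""
    if read_write_type not in READ_WRITE_MODES:
        raise ValueError(f"ReadWriteType must be one of {sorted(READ_WRITE_MODES)}")
    return {"ReadWriteType": read_write_type, "IncludeManagementEvents": True,
            "DataResources": [{"Type": "AWS::S3::Object",
                               "Values": [f"arn:aws:s3:::{bucket}/"]}]}


def remediate(selectors, bucket):
    """Return the document to send to put-event-selectors: the trail's existing
    classic selectors plus one for `bucket` if it is not already fully covered.
    put-event-selectors replaces the trail's selectors, so never send the new
    entry alone; the per-trail limit of five classic selectors is enforced."""
    doc = json.loads(selectors) if isinstance(selectors, str) else selectors
    merged = list(doc.get("EventSelectors", []))
    if not object_level_logging_enabled(doc, bucket):
        if len(merged) >= MAX_EVENT_SELECTORS:
            raise RuntimeError("trail already has the maximum number of event selectors")
        merged.append(selector_for_bucket(bucket))
    return {"EventSelectors": merged}


if __name__ == "__main__":
    for b in ("audited-bucket", "logs-bucket", "other-bucket"):
        print(b, sorted(coverage_for_bucket(SAMPLE_CLASSIC, b)))
    # Value for: aws cloudtrail put-event-selectors --trail-name central-trail --event-selectors '...'
    print(json.dumps(remediate(SAMPLE_CLASSIC, "logs-bucket")["EventSelectors"]))
```

Run against a real trail, the script's input is simply the output of `aws cloudtrail get-event-selectors --trail-name <trail>` read from a file or stdin; for a bucket reported as writes-only or uncovered, the `EventSelectors` list that `remediate` returns is what goes into `--event-selectors`. Buckets whose only coverage is a key prefix are reported as uncovered on purpose, since the rule is about the bucket, not one path inside it.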

Reference: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere – web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry.

Compliance Frameworks

BP_0318