Profile Applicability: Level 1


Description: 

CloudTrail logs are a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. By default, Amazon S3 buckets and objects are private. Only the resource owner (the AWS account that created the bucket) can access the bucket and the objects it contains. The resource owner can grant access permissions to other resources and users by writing an access policy.

If you want to create or modify an Amazon S3 bucket to receive the log files for an organization trail, you must further modify the bucket policy.


Rationale: 

Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.


Impact:

It is recommended that the bucket policy, or access control list (ACL), be applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.


Default Value: 

By default, S3 buckets are not publicly accessible.


Pre-Requisite: 

  1. Log in as an admin or IAM user with the required permissions

  2. If you found an s3 bucket with public access then only follow the implementation

  3. Make note of all the permissions that exist, as backout


Remediation:


Test Plan:

1. Go to the Amazon CloudTrail console at 

https://console.aws.amazon.com/cloudtrail/home 

2. Click Trails in the left navigation pane.

3. In the Trails pane, note the bucket names in the S3 bucket column 

4. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home 

5. For each bucket noted in step 3, click on the bucket 

6. Click on the Permissions tab.

7. Go to the Block Public Access check it's off or on

If you notice Block Public access is Off it means the bucket is publicly accessible.


Using AWS CLI:

aws cloudtrail describe-trails

Note the bucket name from the output

aws s3api get-bucket-acl --bucket <bucketName>

Implementation Steps:

Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy: 

  1. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home 

  2. Select the bucket that you found in the audit section to edit

  3. Click on the Permissions tab.

4. Click on Edit under the Block public access section

5. Check the Block all public access checkBox and click on save changes 

6. If the Edit bucket policy button is present, click it.

7. Remove any Statement having an Effect set to Allow and a Principal set to "*" or {"AWS" : "*"}.


Using AWS CLI:

aws s3api put-bucket-acl --bucket <bucketName> --acl private


Backout Plan:

  1. Go to Amazon S3 console at https://console.aws.amazon.com/s3

  2. Select the bucket that you want to modify

  3. Click on the Permissions tab. 

4. Click on Edit under the Block public access section

5. Uncheck the Block all public access check Box and click on save changes  



Using AWS CLI:

It will change the bucket to public access 

aws s3api put-public-access-block --bucket <bucket_name> --public-access-block-configuration "{\"IgnorePublicAcls\": true}"

References: 

Amazon S3 Bucket Policy for CloudTrail - AWS CloudTrail 


CIS Controls:

14.6 Protect Information through Access Control Lists 

Protect all information stored on systems with file system, network share, claims, application, or database-specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.