Profile Applicability: Level 1


Description: 

S3 bucket access logging generates a log that contains an access record for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources the request operated on, and the date and time the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

Rationale: 

Server access logging provides detailed records of the requests that are made to a bucket. Configuring the logs to be delivered to a separate bucket gives access to log information that is useful in security and incident response workflows.

Impact:

By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events that may affect objects within a target bucket. It also records the API calls made to the S3 bucket.

Default Value: 

By default, server access logging is disabled.


Pre-Requisite:

  • Sign in as an admin or an IAM user with the required permissions

  • Make sure that you are selecting the correct S3 bucket


Remediation:


Test Plan:  

  1. Sign in to the AWS Management Console

  2. Go to the Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail

  3. Click on Trails in the left navigation pane

  4. In the Trails pane, note the bucket names in the S3 bucket column

  5. Go to the S3 console at https://console.aws.amazon.com/s3

  6. Under All Buckets, click on a target S3 bucket that you noted in step 4

  7. Select the Properties tab, go to the Server access logging section, and check whether it is enabled or disabled

If it is disabled, follow the Implementation Steps.


Using AWS CLI:

To find the S3 bucket used for storing CloudTrail logs:

aws cloudtrail describe-trails

To find whether the S3 bucket's logging is enabled or disabled:

aws s3api get-bucket-logging --bucket <bucketname>

If the output is empty, logging is disabled.



Implementation Steps: 

  1. Sign in to the AWS Management Console

  2. Navigate to the S3 console at https://console.aws.amazon.com/s3

  3. Click on the target bucket that you noted in the Test Plan

  4. Select the Properties tab and go to the Server access logging section

  5. Click on Edit

  6. Choose Enable, browse to the target bucket that will receive the logs, and click on Save changes




Backout Plan:

If you want to disable server access logging, follow the Implementation Steps and in step 6 choose Disable and click on Save changes.


Using AWS CLI:

aws s3api put-bucket-logging \
  --bucket <bucketname> \
  --bucket-logging-status file://filename.json
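A small shell helper that wraps the audit and backout CLI commands above, added here as an example and not part of the original benchmark text: it lists the CloudTrail destination buckets, classifies each bucket's get-bucket-logging output, and produces the JSON status file that put-bucket-logging expects (an empty status turns logging off). It assumes a configured AWS CLI; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original document: audit every bucket that
# CloudTrail writes to and report whether S3 server access logging is on.
# Assumes the AWS CLI is installed and configured with credentials allowed to
# call cloudtrail:DescribeTrails and s3:GetBucketLogging.

# Classify the JSON printed by `aws s3api get-bucket-logging`. The command
# prints nothing when logging is disabled, so only a LoggingEnabled element
# counts as enabled.
logging_state() {
  case "$1" in
    *'"LoggingEnabled"'*) echo enabled ;;
    *) echo disabled ;;
  esac
}

# Build the BucketLoggingStatus document that
# `aws s3api put-bucket-logging --bucket-logging-status file://...` consumes.
# With an empty target bucket it emits "{}", the empty status that turns
# logging off (the backout case); otherwise it enables delivery to the target.
logging_payload() {
  target="$1"
  prefix="${2:-}"
  if [ -z "$target" ]; then
    printf '{}\n'
  else
    printf '{"LoggingEnabled":{"TargetBucket":"%s","TargetPrefix":"%s"}}\n' \
      "$target" "$prefix"
  fi
}

# Walk the CloudTrail destination buckets and print "<bucket><TAB><state>".
audit_cloudtrail_buckets() {
  aws cloudtrail describe-trails --query 'trailList[].S3BucketName' --output text \
    | tr '\t' '\n' | sort -u | while read -r bucket; do
      [ -n "$bucket" ] || continue
      state=$(logging_state "$(aws s3api get-bucket-logging --bucket "$bucket" --output json)")
      printf '%s\t%s\n' "$bucket" "$state"
    done
}

# Only run the audit when the AWS CLI is actually available.
if command -v aws >/dev/null 2>&1; then
  audit_cloudtrail_buckets
fi
```

Write the output of logging_payload to filename.json before running put-bucket-logging; the target bucket must be in the same Region as the bucket being logged and must allow the S3 logging service to write to it.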

References:

 https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html 


CIS Controls:

6.2 Activate audit logging 

    Ensure that local logging has been enabled on all systems and networking devices.

14.9 Enforce Detail Logging for Access or Changes to Sensitive Data 

    Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).