Description: 

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

Rationale: 

Server access logging provides detailed records for the requests that are made to a bucket. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.

Impact:

By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within a target bucket. It can also help to record the API calls to s3 bucket.

Default Value: 

By default, server access logging is disabled.

Audit: 

Perform the following to ensure the CloudTrail S3 bucket has access logging enabled: Via the Management Console 

  1. Sign to AWS Management console

  2. Go to the Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail

  3. Click on the Trails in the left navigation pane

  4. In the Trails pane note the bucket names in the S3 bucket column

  5. Go to the S3 console at https://console.aws.amazon.com/s3. 

  6. Under All Buckets click on a target S3 bucket that you noted in step4.

  7. Select the Properties tab and go to the Server Access Logging section and check whether it’s enabled or disabled

  8. If it is disabled follow the implementation steps


Via CLI:

To find the s3 bucket used for storing cloudtrail logs

aws cloudtrail describe-trails
Generic

To find whether the s3 bucket's logging is enabled or disabled

aws s3api get-bucket-logging
  --bucket bucketname
Generic

If the output is empty it means logging is disabled.



Remediation:

Pre-Requisite:

  • Sign in as admin or IAM user with required permissions

  • Make sure that you are selecting the correct s3 bucket

Implementation: 

  1. Sign in to the AWS Management Console 

  2. Navigate to the S3 console at https://console.aws.amazon.com/s3. 

  3. Click on the targeted bucket that you noted in the audit part 

  4. Select the properties tab and go to the Server Access Logging section

  5. Click on Edit

  6. Choose enable, browse the target bucket, and click on save changes

Backout Plan:

If you want to disable the server access logging follow the implementation steps and in step6 choose Disable and click on save changes.


Via CLI:

aws s3api put-bucket-logging
  --bucket <bucketname>
  --bucket-logging-status file://filename.json
Generic

References:

 https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html 


CIS Controls:

6.2 Activate audit logging 

    Ensure that local logging has been enabled on all systems and networking devices.

14.9 Enforce Detail Logging for Access or Changes to Sensitive Data 

    Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).