Description:
S3 bucket access logging (server access logging) generates a log that contains an access record for each request made to your S3 bucket. An access log record contains details about the request, such as the requester, the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
Rationale:
Server access logging provides detailed records of the requests that are made to a bucket. Writing these records to a separate bucket keeps them independent of the bucket they describe, so they remain available for security and incident response workflows even if the CloudTrail bucket itself is tampered with.
Impact:
By enabling server access logging on target S3 buckets, it is possible to capture all requests which may affect objects within a target bucket, including the S3 API calls made against the bucket. Note that server access log records are delivered on a best-effort basis: they are usually delivered within a few hours but are not guaranteed to be complete or timely, so they complement rather than replace CloudTrail data events. The target bucket will accrue storage cost for the log objects.
Default Value:
By default, server access logging is disabled.
Audit:
Perform the following to ensure the CloudTrail S3 bucket has access logging enabled:
Via the Management Console:
Sign in to the AWS Management Console
Go to the Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail
Click on Trails in the left navigation pane
In the Trails pane, note the bucket names in the S3 bucket column
Go to the S3 console at https://console.aws.amazon.com/s3.
In the bucket list, click on a target S3 bucket that you noted in step 4.
Select the Properties tab, go to the Server access logging section and check whether it is Enabled or Disabled
If it is Disabled, follow the implementation steps
Via CLI:
To find the S3 bucket(s) used for storing CloudTrail logs
To find whether the S3 bucket's logging is enabled or disabled
If the output is empty, logging is disabled.
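The two CLI steps above, as an added audit helper that is not part of the benchmark text. It assumes AWS CLI v2 with credentials allowed to call cloudtrail:DescribeTrails and s3:GetBucketLogging; the bucket names used in the offline checks are made up. The helper walks every bucket a trail delivers into and classifies it from the get-bucket-logging output, treating an empty response as disabled:

```shell
#!/bin/sh
# Added audit helper for this control; it is not part of the benchmark text.
# Assumes AWS CLI v2 with credentials that allow cloudtrail:DescribeTrails and
# s3:GetBucketLogging. Bucket names in the sample JSON used for offline
# checks are made up.

# Decide from the JSON that `aws s3api get-bucket-logging` returns whether
# server access logging is on. The CLI prints nothing at all for a bucket
# with logging disabled, so an empty document means "disabled".
classify_logging() {
    if printf '%s' "$1" | grep -q '"LoggingEnabled"'; then
        echo enabled
    else
        echo disabled
    fi
}

# List every bucket that a CloudTrail trail delivers into, one per line.
cloudtrail_buckets() {
    aws cloudtrail describe-trails \
        --query 'trailList[].S3BucketName' --output text \
        | tr '\t' '\n' | sort -u
}

# Print "<bucket><TAB><enabled|disabled>" for each CloudTrail bucket and
# return non-zero if any of them has logging disabled.
audit_cloudtrail_buckets() {
    rc=0
    for b in $(cloudtrail_buckets); do
        state=$(classify_logging "$(aws s3api get-bucket-logging --bucket "$b" --output json)")
        printf '%s\t%s\n' "$b" "$state"
        [ "$state" = enabled ] || rc=1
    done
    return $rc
}

# Live check only when explicitly asked for, so the functions above can be
# sourced and exercised offline.
if [ "${1:-}" = audit ]; then
    audit_cloudtrail_buckets
fi
```

Run it as `sh audit-s3-logging.sh audit`; a non-zero exit code means at least one CloudTrail bucket is not logging. describe-trails only returns trails visible from the configured region (plus multi-region trails), so repeat per region if you use single-region trails.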
Remediation:
Pre-Requisite:
Sign in as an administrator or an IAM user with the required permissions (s3:GetBucketLogging and s3:PutBucketLogging on the CloudTrail bucket, and s3:PutBucketPolicy on the target log bucket)
Make sure that you are selecting the correct S3 bucket, and that the target log bucket is a different bucket in the same AWS Region and account
Implementation:
Sign in to the AWS Management Console
Navigate to the S3 console at https://console.aws.amazon.com/s3.
Click on the targeted bucket that you noted in the audit part
Select the Properties tab and go to the Server access logging section
Click on Edit
Choose Enable, browse to (or enter) the target bucket and an optional prefix, and click Save changes. The target bucket must be in the same Region and account as the source bucket and should not be the CloudTrail bucket itself, otherwise the log deliveries generate further log records in the same bucket.
Backout Plan:
If you want to disable server access logging, follow the implementation steps and in step 6 choose Disable and click Save changes.
Via CLI:
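The CLI remediation and backout, as an added helper that is not part of the benchmark text. It assumes AWS CLI v2 and a caller allowed to run sts:GetCallerIdentity, s3:PutBucketPolicy on the log bucket and s3:PutBucketLogging on the CloudTrail bucket; the bucket names and prefix are whatever you pass on the command line. It grants the S3 log delivery service principal write access on the log bucket by bucket policy (buckets created today have ACLs disabled, so the legacy Log Delivery group ACL cannot be used), then switches logging on and verifies it:

```shell
#!/bin/sh
# Added remediation helper; not part of the benchmark text. Assumes AWS CLI v2
# and a caller allowed to run sts:GetCallerIdentity, s3:PutBucketPolicy on the
# log bucket and s3:PutBucketLogging on the CloudTrail bucket.

# Bucket policy that lets the S3 log delivery service write into the log bucket.
# The SourceArn/SourceAccount conditions stop other buckets or other accounts
# from writing their access logs into your log bucket.
logging_bucket_policy() {   # $1 log bucket, $2 source bucket, $3 account id
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "S3ServerAccessLogsPolicy",
    "Effect": "Allow",
    "Principal": {"Service": "logging.s3.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::$1/*",
    "Condition": {
      "ArnLike": {"aws:SourceArn": "arn:aws:s3:::$2"},
      "StringEquals": {"aws:SourceAccount": "$3"}
    }
  }]
}
EOF
}

# BucketLoggingStatus document for put-bucket-logging.
logging_status() {          # $1 log bucket, $2 key prefix
    printf '{"LoggingEnabled":{"TargetBucket":"%s","TargetPrefix":"%s"}}' "$1" "$2"
}

enable_access_logging() {   # $1 CloudTrail bucket, $2 log bucket, $3 prefix
    acct=$(aws sts get-caller-identity --query Account --output text)
    policy=$(mktemp)
    logging_bucket_policy "$2" "$1" "$acct" > "$policy"
    # put-bucket-policy replaces any existing policy on the log bucket; merge
    # this statement into the existing one first if the bucket already has a policy.
    aws s3api put-bucket-policy --bucket "$2" --policy "file://$policy"
    rm -f "$policy"
    aws s3api put-bucket-logging --bucket "$1" \
        --bucket-logging-status "$(logging_status "$2" "$3")"
    # Verify: the output should now contain the LoggingEnabled block.
    aws s3api get-bucket-logging --bucket "$1"
}

# Backout: an empty BucketLoggingStatus turns server access logging off.
disable_access_logging() {  # $1 CloudTrail bucket
    aws s3api put-bucket-logging --bucket "$1" --bucket-logging-status '{}'
}

case "${1:-}" in
    enable)  enable_access_logging "$2" "$3" "${4:-$2/}" ;;
    disable) disable_access_logging "$2" ;;
esac
```

Usage: `sh s3-logging.sh enable <cloudtrail-bucket> <log-bucket> [prefix]` to remediate and `sh s3-logging.sh disable <cloudtrail-bucket>` as the backout. Keep the prefix unique per source bucket if several buckets share one log bucket, so their records do not interleave.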
References:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html
CIS Controls:
6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
14.9 Enforce Detail Logging for Access or Changes to Sensitive Data
Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).