Profile Applicability: Level 1


Description: 

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.


Rationale: 

By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within an target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.


Audit: 

Perform the following ensure the CloudTrail S3 bucket has access logging is enabled: Via the management Console 

1. Go to the Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/home 

2. In the API activity history pane on the left, click Trails 

3. In the Trails pane, note the bucket names in the S3 bucket column 

4. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3. 

5. Under All Buckets click on a target S3 bucket

6. Click on Properties in the top right of the console 

7. Under Bucket: _<bucket_name>_ click on Logging 

8. Ensure Enabled is checked.


Remediation:

Perform the following to enable S3 bucket logging: Via the Management Console 

1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3. 

2. Under All Buckets click on the target S3 bucket 

3. Click on Properties in the top right of the console 

4. Under Bucket:  click on Logging 

5. Configure bucket logging 

1. Click on Enabled checkbox 

2. Select Target Bucket from list 

3. Enter a Target Prefix

6. Click Save


Default Value: 

Logging is disabled.


References: 

1. CCE-78918-0 

2. CIS CSC v6.0 #14.6


CIS Controls:

6.2 Activate audit logging 

    Ensure that local logging has been enabled on all systems and networking devices.

14.9 Enforce Detail Logging for Access or Changes to Sensitive Data 

    Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).