Description: 

Use S3 to store and retrieve any amount of data at any time, from anywhere on the web.The policy checks if S3 buckets have Object-level logging enabled in CloudTrail. Amazon S3 object-level API operations can be logged if object-level logging is enabled. By default, CloudTrail trails don't log data events, but you can configure trails to log data events for S3 buckets that you specify, or to log data events for all the Amazon S3 buckets in your AWS account.


Rationale: 

AWS CloudTrail records API calls used within an AWS account, including calls made from the AWS Management Console, SDKs, command-line tools, and other AWS services. S3 object-level data operations are also logged, like get the object, delete the object, and put the object should be logged to meet compliance requirements and also makes it easy to track the origin of the API calls.


Impact:

Amazon S3 object-level API operations such as Get Object, Put Object and Delete Object are logged.


Default Value: 

By default, CloudTrail trails don't log data events, but you can configure trails to log data events for S3 buckets that you specify, or to log data events for all the Amazon S3 buckets in your AWS account. The default setting for CloudTrail is to find only management events. Check to ensure that you have the data events enabled for your AWS account.


Audit:

  • Sign in to the AWS Management Console

  • Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  • Click on the Buckets in the left navigation pane

  • In the Buckets list, choose the name of the bucket you want to examine

  • Go to the Properties tab

  • Under the AWS CloudTrail data events section, check whether any cloudtrail is attached or not

    If no trail is attached it means object-level logging is disabled


Remediation:

Prerequisites:

To enable CloudTrail data events for all your buckets or for a list of specific buckets, you must create a trail manually in CloudTrail.


Implementation Steps:

  1. Sign in to the AWS Management Console

  2. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  3. Click on the Buckets in the left navigation pane

  4. In the Buckets list, choose the bucket you want to enable object-level logging
  5. Go to the Properties tab
  6. Under AWS CloudTrail data events section, click on Configure in CloudTrail.
  7. It will be redirected to Cloudtrail console, and select the trail where you need to store object-level API logs


Via CLI:

aws cloudtrail put-event-selectors --trail-name TrailName2 --event-selectors '[{"ReadWriteType": "All","IncludeManagementEvents": true,"DataResources": [{"Type":"AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}]'


Backout Plan:

Follow the steps mentioned below to disable object-level logging:

  • Sign in to the Amazon Management Console.

  • Navigate to the Cloudtrail console at https://console.aws.amazon.com/cloudtrail

  • Choose the CloudTrail in which logs are being recorded.

  • Go to the Data Events section in that CloudTrail and click on Edit

  • Choose the bucket you want to disable object-level logging, click on cross “X” to remove the bucket from cloudtrail

  • Click on Save changes


Note:

Additional charges apply for data events. For more information, see AWS CloudTrail pricing.


References:

 Enabling CloudTrail event logging for S3 buckets and objects - Amazon Simple Storage Service