Description: 

CloudTrail supports logging Amazon S3 object-level API operations such as GetObject, DeleteObject, and PutObject. These events are called data events. By default, CloudTrail trails don't log data events, but you can configure trails to log data events for S3 buckets that you specify, or to log data events for all the Amazon S3 buckets in your AWS account.


Rationale:

Without data events, a trail records only bucket-level management operations (for example CreateBucket or PutBucketPolicy); individual object reads, writes and deletes leave no audit record, so access to sensitive data can be neither detected nor reconstructed after an incident. To configure a trail to log data events for an S3 bucket, you can use either the AWS CloudTrail console or the Amazon S3 console. If you are configuring a trail to log data events for all the Amazon S3 buckets in your AWS account, it is easier to use the CloudTrail console. For information about using the CloudTrail console to configure a trail to log S3 data events.


Remediation: 

To enable CloudTrail data events logging for objects in an S3 bucket

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the Bucket name list, choose the name of the bucket.
  3. Choose Properties.
  4. Choose Object-level logging.
  5. Choose an existing CloudTrail trail in the drop-down menu.
    • The trail you select must be in the same AWS Region as your bucket, so the drop-down list contains only trails that are in the same Region as the bucket or trails that were created for all Regions.
  6. Under Events, choose one of the following:
    • Read to specify that you want CloudTrail to log Amazon S3 read APIs such as GetObject.
    • Write to log Amazon S3 write APIs such as PutObject.
    • Read and Write to log both read and write object APIs.
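The console steps above end up as an event selector on the trail, which you can audit with `aws cloudtrail get-event-selectors --trail-name <trail>` and set with `aws cloudtrail put-event-selectors`. The following is an added example (not code from the AWS documentation) that checks, for a given bucket and key, whether an existing trail's classic event selectors cover object-level reads and writes, and builds the payload for the CLI fix. The sample selector output, trail name and bucket names are constructed; the matching rule (a DataResources value is a prefix of the object ARN, so `arn:aws:s3` covers every bucket, `arn:aws:s3:::bucket/` one bucket, and `arn:aws:s3:::bucket/prefix` one key prefix) follows the CloudTrail DataResource documentation. Advanced event selectors are assumed not to be in use.

```python
"""Audit and build CloudTrail classic event selectors for S3 object-level logging.

Added example, not part of the AWS documentation. Input is the JSON returned by
`aws cloudtrail get-event-selectors --trail-name <trail>` (classic selectors;
advanced event selectors are not handled here).
"""
import json

# Constructed sample shaped like `get-event-selectors` output; trail and bucket
# names are made up. The first selector logs only writes to finance-reports,
# the second logs reads and writes under one key prefix of public-assets.
SAMPLE_EVENT_SELECTORS = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
    "EventSelectors": [
        {
            "ReadWriteType": "WriteOnly",
            "IncludeManagementEvents": True,
            "DataResources": [
                {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::finance-reports/"]}
            ],
        },
        {
            "ReadWriteType": "All",
            "IncludeManagementEvents": False,
            "DataResources": [
                {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::public-assets/static/"]}
            ],
        },
    ],
}

_READ_TYPES = {"All", "ReadOnly"}
_WRITE_TYPES = {"All", "WriteOnly"}


def object_arn(bucket, key=""):
    """ARN of an S3 object; with an empty key it is the bucket's object prefix."""
    return f"arn:aws:s3:::{bucket}/{key}"


def s3_object_coverage(event_selectors, bucket, key=""):
    """Return {"read": bool, "write": bool}: which object-level API classes a
    trail's classic event selectors log for bucket/key.

    A selector covers the object when any AWS::S3::Object value is a prefix of
    the object ARN: "arn:aws:s3" (all buckets), "arn:aws:s3:::b/" (one bucket)
    or "arn:aws:s3:::b/prefix" (one key prefix).
    """
    arn = object_arn(bucket, key)
    covered = {"read": False, "write": False}
    for selector in event_selectors.get("EventSelectors", []):
        rw_type = selector.get("ReadWriteType", "All")
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            if any(arn.startswith(value) for value in resource.get("Values", [])):
                covered["read"] |= rw_type in _READ_TYPES
                covered["write"] |= rw_type in _WRITE_TYPES
    return covered


def build_event_selector(bucket_arns, read_write_type="All", include_management_events=True):
    """Build the selector list for `aws cloudtrail put-event-selectors`.

    IncludeManagementEvents defaults to True because put-event-selectors
    replaces every selector on the trail; dropping it would silently turn off
    management-event logging.
    """
    if read_write_type not in ("All", "ReadOnly", "WriteOnly"):
        raise ValueError(f"unsupported ReadWriteType: {read_write_type}")
    return {
        "EventSelectors": [
            {
                "ReadWriteType": read_write_type,
                "IncludeManagementEvents": include_management_events,
                "DataResources": [{"Type": "AWS::S3::Object", "Values": list(bucket_arns)}],
            }
        ]
    }


def put_event_selectors_command(trail_name, selector):
    """Render (not run) the CLI command that applies the selector to a trail."""
    payload = json.dumps(selector["EventSelectors"], separators=(",", ":"))
    return (
        f"aws cloudtrail put-event-selectors --trail-name {trail_name} "
        f"--event-selectors '{payload}'"
    )


if __name__ == "__main__":
    for bucket, key in [("finance-reports", "q1.csv"),
                        ("public-assets", "static/app.js"),
                        ("public-assets", "index.html")]:
        print(f"{bucket}/{key}: {s3_object_coverage(SAMPLE_EVENT_SELECTORS, bucket, key)}")
    fix = build_event_selector(["arn:aws:s3:::public-assets/"], "All")
    print(put_event_selectors_command("example-trail", fix))
```

Two caveats when applying the rendered command for real: `put-event-selectors` overwrites the trail's whole selector list, so merge the new DataResources into the selectors returned by `get-event-selectors` rather than replacing them, and remember that the trail must be in the bucket's Region or be a multi-Region trail for the data events to be delivered at all.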


Default: CloudTrail trails don't log data events, but you can configure trails to log data events for S3 buckets that you specify, or to log data events for all the Amazon S3 buckets in your AWS account.


References:

    https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html