Description: 

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, including the request type, the resources specified in the request, and the time and date the request was processed.


Rationale: 

Server access logging provides detailed records for the requests that are made to an Amazon S3 bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.


Impact:

By enabling S3 bucket logging on target S3 buckets, you can capture all events that may affect objects within the target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.


Default Value:

By default, Amazon S3 doesn't enable server access logging.



Audit:

  1. Sign in to the Amazon Web Services Management Console 

  2. Navigate to the Amazon S3 console at https://console.amazonaws.cn/s3/.

  3. Click on Buckets in the left navigation pane

  4. Select the name of the bucket that you want to examine
  5. Click on Properties.
  6. Go to the Server access logging section and check whether logging is enabled or disabled

    If logging is not enabled, follow the Implementation steps.


Using AWS CLI:

  • Run list-buckets command to list all S3 buckets available in your AWS account:

    aws s3api list-buckets \
      --query 'Buckets[*].Name'

    The command output should return an array with the names of all your existing S3 buckets (across all AWS regions) 

  • Run the get-bucket-logging command using the name of the bucket that you want to examine as an input parameter in order to expose the access logging status for the selected S3 bucket:

    aws s3api get-bucket-logging \
      --bucket webapp-service-reports

    If the get-bucket-logging command does not return any output, the access logging feature is not currently enabled for the selected bucket. 
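
The two CLI audit steps above, combined into one pass over every bucket (an added example, not part of the original benchmark text). It also flags a bucket whose logs are delivered into itself, following the Impact section's point about a separate log bucket; the sample responses and every bucket name other than webapp-service-reports are constructed.

```python
import json
import subprocess


def parse_cli_output(stdout):
    """get-bucket-logging prints nothing when logging is off; treat that as {}."""
    stdout = stdout.strip()
    return json.loads(stdout) if stdout else {}


def classify(bucket, status):
    """Classify one bucket from its parsed get-bucket-logging response."""
    enabled = status.get("LoggingEnabled")
    if not enabled:
        return "DISABLED"
    if enabled.get("TargetBucket") == bucket:
        # Assumption of this example: flag logs delivered into the audited bucket itself.
        return "ENABLED_SAME_BUCKET"
    return "ENABLED"


def audit(responses):
    """Map bucket name -> finding, given {bucket: raw CLI stdout}."""
    return {b: classify(b, parse_cli_output(raw)) for b, raw in responses.items()}


def s3api(*args):
    """Run an aws s3api subcommand (needs the AWS CLI and credentials)."""
    cmd = ["aws", "s3api", *args, "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def collect_live():
    """Gather raw get-bucket-logging output for every bucket in the account."""
    names = json.loads(s3api("list-buckets", "--query", "Buckets[*].Name")) or []
    return {n: s3api("get-bucket-logging", "--bucket", n) for n in names}


# Constructed sample responses (not real account data); bucket names other than
# webapp-service-reports are hypothetical.
SAMPLE = {
    "webapp-service-reports": '{"LoggingEnabled": {"TargetBucket": "example-log-archive", "TargetPrefix": "access-logs/"}}',
    "example-log-archive": '{"LoggingEnabled": {"TargetBucket": "example-log-archive", "TargetPrefix": "self/"}}',
    "example-unlogged-bucket": "",
}

if __name__ == "__main__":
    # Pass collect_live() instead of SAMPLE to audit a real account.
    for bucket, finding in sorted(audit(SAMPLE).items()):
        print(f"{finding:<20} {bucket}")
```
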


Pre-Requisite:
  1. A target bucket is needed to store the logs.


Remediation:

Implementation steps:

  1. Sign in to the Amazon Web Services Management Console 

  2. Navigate to the Amazon S3 console at https://console.amazonaws.cn/s3/.

  3. Click on Buckets in the left navigation pane

  4. Select the name of the bucket that you want to enable server access logging for.
  5. Click on Properties.
  6. Go to the Server access logging section and click on edit

  7. Choose the option to Enable, give the target bucket and click on save changes


Using AWS CLI:

Run put-bucket-acl command to set the necessary S3 bucket permissions using Access Control Lists (ACL):

aws s3api put-bucket-acl \
  --bucket webapp-service-reports \
  --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \
  --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

Create a new access policy and specify the necessary permissions for who can view and modify the server access logging parameters. Create a policy document with the name server-access-logging.json and paste the following (replace the highlighted details with your own details):

{
  "LoggingEnabled": {
    "TargetBucket": "webapp-service-reports",
    "TargetPrefix": "access-logs/",
    "TargetGrants": [
      {
        "Grantee": {
            "Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
         },
        "Permission": "WRITE"
      },
      {
        "Grantee": {
            "Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"
         },
        "Permission": "READ_ACP"
      }
    ]
  }
}

  • Run put-bucket-logging command to enable server access logging and set up the necessary permissions for the log delivery system using the policy document created at the previous step (if successful, the command does not return any output):

    aws s3api put-bucket-logging \
      --bucket webapp-service-reports \
      --bucket-logging-status file://server-access-logging.json


Backout plan:

  1. Sign in to the Amazon Web Services Management Console 

  2. Navigate to the Amazon S3 console at https://console.amazonaws.cn/s3/.

  3. Click on Buckets in the left navigation pane

  4. Select the name of the bucket that you want to disable server access logging for.
  5. Click on Properties.
  6. Go to the Server access logging section and click on edit

  7. Choose the option to Disable and click on save changes


References: 

Logging requests using server access logging - Amazon Simple Storage Service