Description: 

S3 server access logging writes a log record for every request made to the bucket. Each access log record contains details about the request, including the requester, the operation type, the resources (bucket and key) named in the request, the HTTP status of the response, and the date and time the request was processed.


Rationale: 

Server access logging provides detailed records for the requests that are made to an Amazon S3 bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.


Impact:

Enabling server access logging on a bucket captures a record of every request that may affect the objects in it. Delivering the logs to a separate bucket, with its own access controls, keeps them available for security monitoring and incident response workflows. Two caveats apply: log records are delivered on a best-effort basis, normally within a few hours of the request, so the log is not a guaranteed or real-time record, and the target bucket must be in the same Region and owned by the same account as the source bucket. Where a complete, near-real-time record of object-level activity is required, CloudTrail data events for S3 complement this control rather than replace it.
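The Description and Impact sections describe what an access log record carries and how the log feeds incident response. The following is an added example, not code from AWS or from the documentation this page references. It parses records in the documented server access log field order (bucket owner, bucket, time, remote IP, requester, request ID, operation, key, request-URI, HTTP status, error code, bytes sent, object size, total time, turn-around time, referer, user-agent, version ID, followed by newer fields such as host ID and TLS version) and flags the records a responder would pull into a timeline first: unauthenticated requests, client errors such as 403 AccessDenied, and ACL or bucket-policy writes. The three log lines are constructed for illustration; the account IDs, request IDs, host IDs and addresses are not real.

```python
"""Parse S3 server access log records and triage them for incident response.

Added example; not code from AWS or from the referenced documentation.
The sample records below are constructed: the canonical user ID, request
IDs, host IDs and IP addresses are illustrative, not real.
"""
from __future__ import annotations

import re
from datetime import datetime

# A token is a double-quoted string, a bracketed timestamp (which contains a
# space), or a run of non-whitespace. Surrounding quotes/brackets are stripped.
_TOKEN_RE = re.compile(r'"[^"]*"|\[[^\]]*\]|\S+')

# The 18 classic fields, in the order S3 writes them.
FIELDS = (
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time",
    "referer", "user_agent", "version_id",
)


def tokenize(line: str) -> list[str]:
    tokens = []
    for tok in _TOKEN_RE.findall(line):
        if len(tok) >= 2 and (tok[0], tok[-1]) in (('"', '"'), ("[", "]")):
            tok = tok[1:-1]
        tokens.append(tok)
    return tokens


def parse_record(line: str) -> dict:
    """Map one log line to named fields. Fields beyond the classic 18 (host ID,
    signature version, cipher suite, auth type, host header, TLS version, ...)
    are kept in 'extra' so newer columns are not silently dropped."""
    tokens = tokenize(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"short record ({len(tokens)} fields): {line[:60]!r}")
    rec = dict(zip(FIELDS, tokens))
    rec["extra"] = tokens[len(FIELDS):]
    return rec


def record_time(rec: dict) -> datetime:
    """Parse the bracketed timestamp, e.g. '15/Mar/2024:10:15:02 +0000'."""
    return datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")


def suspicious(rec: dict) -> list[str]:
    """Reasons a responder would pull this record into a timeline."""
    reasons = []
    if rec["requester"] == "-":  # S3 logs '-' as the requester of unauthenticated requests
        reasons.append("unauthenticated request")
    if rec["http_status"].startswith("4"):
        reasons.append(f"client error {rec['http_status']} {rec['error_code']}")
    # Operations are logged as REST.<method>.<resource>; ACL and bucket-policy
    # writes change who can reach the data and deserve a look every time.
    if rec["operation"] in ("REST.PUT.ACL", "REST.PUT.BUCKETPOLICY"):
        reasons.append(f"permission change: {rec['operation']}")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (request_id, reasons) for every flagged record, oldest first."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    flagged = []
    for rec in sorted(records, key=record_time):
        reasons = suspicious(rec)
        if reasons:
            flagged.append((rec["request_id"], reasons))
    return flagged


# Constructed sample: a normal authenticated GET, an anonymous probe that was
# denied, and an earlier bucket ACL change by an IAM user (deliberately out of order).
SAMPLE_LOG = """\
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-bucket [15/Mar/2024:10:15:02 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 15 12 "-" "aws-cli/2.15.0" - hostid1example= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-bucket [15/Mar/2024:10:16:44 +0000] 203.0.113.9 - 7A3B9C1D2EXAMPLE REST.GET.OBJECT secrets/db.env "GET /secrets/db.env HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/8.4.0" - hostid2example= - - - example-bucket.s3.us-east-1.amazonaws.com TLSv1.3
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-bucket [15/Mar/2024:10:14:30 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/alice 9F8E7D6C5EXAMPLE REST.PUT.ACL - "PUT /example-bucket?acl HTTP/1.1" 200 - - - 22 18 "-" "S3Console/0.4" - hostid3example= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
"""

if __name__ == "__main__":
    for request_id, reasons in triage(SAMPLE_LOG):
        print(request_id, "; ".join(reasons))
```

To run this against real logs, feed it the concatenated log objects from the target bucket (records are one per line). The tokenizer is deliberately simple: it handles the quoted request-URI, referer and user-agent fields and the bracketed timestamp, which is where a naive split on spaces breaks.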


Default Value:

By default, Amazon S3 doesn't enable server access logging.


Audit:

  1. Sign in to the Amazon Web Services Management Console 

  2. Navigate to the Amazon S3 console at https://console.amazonaws.cn/s3/.

  3. Click on Buckets in the left navigation pane

  4. Select the name of the bucket that you want to examine.

  5. Click on Properties.

  6. Go to the Server access logging section and check whether logging is enabled or disabled. If it is enabled, confirm that the target bucket is a separate bucket from the one being examined.

    If logging is disabled, follow the Implementation steps under Remediation.


Remediation:

Pre-requisites:

  • A target bucket to store the logs, in the same Region and owned by the same account as the source bucket, whose bucket policy allows the S3 log delivery service (logging.s3.amazonaws.com) to write objects to it. The console offers to add this permission when you select the target bucket. Do not use the source bucket itself as the target, since every delivered log would then generate a further log record.

Implementation steps:

  1. Sign in to the Amazon Web Services Management Console 

  2. Navigate to the Amazon S3 console at https://console.amazonaws.cn/s3/.

  3. Click on Buckets in the left navigation pane

  4. Select the name of the bucket that you want to enable server access logging for.

  5. Click on Properties.

  6. Go to the Server access logging section and click on Edit.

  7. Choose Enable, specify the target bucket (and optionally a target prefix such as the source bucket name, so that logs from several buckets stay separated), then click on Save changes.
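The Audit, Implementation and Backout procedures above are console steps. The following is an added example, not code from AWS or the referenced documentation, that does the same checks programmatically: it evaluates the document returned by the S3 GetBucketLogging API (the same shape that `aws s3api get-bucket-logging --bucket NAME` or boto3's `get_bucket_logging` returns), reports buckets where logging is disabled or mis-targeted, and builds the BucketLoggingStatus document that PutBucketLogging expects for remediation and for backout. The bucket names and API responses are constructed for illustration, and no live AWS call is made in the block itself.

```python
"""Audit S3 server access logging state and build the remediation payload.

Added example; not code from AWS or from the referenced documentation.
The responses in SAMPLE_RESPONSES are constructed and mimic what
GetBucketLogging returns: an empty document when logging is off, or a
LoggingEnabled block with TargetBucket and TargetPrefix when it is on.
"""
from __future__ import annotations

from typing import Optional


def logging_config(response: dict) -> Optional[dict]:
    """Return the LoggingEnabled block, or None when logging is disabled."""
    return response.get("LoggingEnabled")


def audit_bucket(bucket: str, response: dict) -> list[str]:
    """Findings for one bucket; an empty list means the control is satisfied.
    Findings prefixed 'advisory:' are recommendations, not failures."""
    cfg = logging_config(response)
    if cfg is None:
        return ["server access logging is disabled"]
    findings = []
    target = cfg.get("TargetBucket")
    if not target:
        findings.append("LoggingEnabled block has no TargetBucket")
    elif target == bucket:
        # Logging a bucket into itself records every log delivery as a new
        # request, which in turn produces more log records.
        findings.append("target bucket is the source bucket (log loop)")
    if not cfg.get("TargetPrefix"):
        findings.append("advisory: no TargetPrefix, so logs from several sources share one namespace")
    return findings


def audit_all(responses: dict[str, dict]) -> dict[str, list[str]]:
    """Run audit_bucket over a mapping of bucket name -> GetBucketLogging response."""
    return {bucket: audit_bucket(bucket, resp) for bucket, resp in responses.items()}


def noncompliant(responses: dict[str, dict]) -> list[str]:
    """Buckets with at least one non-advisory finding, sorted by name."""
    return sorted(
        bucket for bucket, findings in audit_all(responses).items()
        if any(not f.startswith("advisory:") for f in findings)
    )


def logging_status(target_bucket: str, target_prefix: str, source_bucket: str) -> dict:
    """Build the BucketLoggingStatus document for PutBucketLogging (remediation)."""
    if target_bucket == source_bucket:
        raise ValueError("target bucket must not be the source bucket")
    return {"LoggingEnabled": {"TargetBucket": target_bucket, "TargetPrefix": target_prefix}}


# PutBucketLogging with an empty BucketLoggingStatus turns logging off (backout).
DISABLE_LOGGING: dict = {}

# Constructed responses: one bucket never configured, one configured correctly,
# one configured to log into itself without a prefix.
SAMPLE_RESPONSES = {
    "app-data-prod": {},
    "app-uploads": {"LoggingEnabled": {"TargetBucket": "org-s3-access-logs",
                                       "TargetPrefix": "app-uploads/"}},
    "legacy-archive": {"LoggingEnabled": {"TargetBucket": "legacy-archive",
                                          "TargetPrefix": ""}},
}

if __name__ == "__main__":
    # Offline demo. For a live audit, replace SAMPLE_RESPONSES with
    # {b["Name"]: s3.get_bucket_logging(Bucket=b["Name"]) for b in s3.list_buckets()["Buckets"]}
    # where s3 = boto3.client("s3").
    for bucket, findings in audit_all(SAMPLE_RESPONSES).items():
        print(bucket, "OK" if not findings else "; ".join(findings))
    print("remediation payload:", logging_status("org-s3-access-logs", "app-data-prod/", "app-data-prod"))
```

For the live remediation step the payload goes to `put_bucket_logging(Bucket=source, BucketLoggingStatus=logging_status(...))`, or on the CLI to `aws s3api put-bucket-logging --bucket SOURCE --bucket-logging-status file://status.json`; passing `DISABLE_LOGGING` instead reproduces the Backout plan. The call only succeeds once the target bucket's policy grants the S3 log delivery service write access, which is why that is listed as a pre-requisite.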


Backout plan:

  1. Sign in to the Amazon Web Services Management Console 

  2. Navigate to the Amazon S3 console at https://console.amazonaws.cn/s3/.

  3. Click on Buckets in the left navigation pane


  4. Select the name of the bucket that you want to disable server access logging for.
  5. Click on Properties.
  6. Go to the Server access logging section and click on edit

  7. Choose the option to Disable and click on save changes


References: 

Logging requests using server access logging - Amazon Simple Storage Service