Description:

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events; CloudTrail records them only when a trail is explicitly configured to log data events for the bucket (or for all buckets).

Rationale:

Enabling object-level logging for read events will help you meet data compliance requirements within your organization, perform comprehensive security analysis (for example, reconstructing which principal read which object after a suspected data exfiltration), monitor specific patterns of user behavior in your AWS account, or take immediate action on object-level API activity using Amazon CloudWatch Events (now Amazon EventBridge).

Impact:

Logging read data events produces one CloudTrail record for every object-level read (for example, every GetObject) on the covered buckets. High-traffic buckets therefore generate large log volumes, and data events are billed separately from management events, so CloudTrail cost and log storage increase. Rules in Amazon CloudWatch Events (EventBridge) can then act on that object-level API activity.

Default value:

CloudTrail trails don't log data events by default.

Pre-Requisite:

An S3 bucket to monitor and an existing CloudTrail trail to attach the data-event configuration to.

Remediation:

Test Plan:

  • AWS Console Process

  1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/ 

  2. In the left navigation panel, click buckets and then click on the S3 Bucket Name that you want to examine. 

  3. Click Properties tab to see in detail bucket configuration.  

  4. If the current status for Object-level logging is set to Disabled, then object-level logging of read events for the selected S3 bucket is not set. 
  5. If the current status for Object-level logging is set to Enabled, but the Read event check-box is unchecked, then object-level logging of read events for the selected S3 bucket is not set.


Using AWS CLI

List the trails in the region (a multi-region trail shows up in every region, so check IsMultiRegionTrail if you are unsure which trail applies):

aws cloudtrail describe-trails --region <region-name> --output table --query 'trailList[*].Name'

Then inspect the event selectors of each trail. ReadWriteType must be included in the output: a selector with "ReadWriteType": "WriteOnly" lists the bucket under DataResources but does not record GetObject, so querying DataResources alone is not enough to confirm read logging:

aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query 'EventSelectors[*].[ReadWriteType,DataResources]'

Read events for a bucket are logged when a selector with ReadWriteType ReadOnly or All has a DataResources entry of type AWS::S3::Object whose Values contain arn:aws:s3 (all buckets) or arn:aws:s3:::<bucket-name>/ (that bucket). A value with a key prefix after the bucket name, such as arn:aws:s3:::<bucket-name>/logs/, covers only objects under that prefix. If the command returns AdvancedEventSelectors instead of EventSelectors, the trail uses advanced event selectors and must be reviewed against those.

Implementation Plan:

  • AWS Console Process

  1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/ 

  2. In the left navigation panel, click buckets and then click on the S3 Bucket Name that you want to examine. 

  3. Click Properties tab to see in detail bucket configuration.  

  4. Click on the Object-level logging setting, enter the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by navigating to the Cloudtrail console link https://console.aws.amazon.com/cloudtrail/ 
  5. Once the Cloudtrail is selected, check the Read event checkbox, so that object-level logging for Read events is enabled.


Using AWS CLI

To enable object-level data event logging for all S3 buckets within your AWS account, run the put-event-selectors command using the name of the trail that you want to reconfigure as the identifier. The value arn:aws:s3 means all current and future buckets; to cover a single bucket use arn:aws:s3:::<bucket-name>/ instead:

aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "ReadOnly", "IncludeManagementEvents": true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3"] }] }]'

Two caveats. First, put-event-selectors replaces the trail's entire event selector list, so capture the current selectors with get-event-selectors before running it and carry forward any existing DataResources (for example, Lambda function or DynamoDB table data events) that must stay enabled. Second, ReadWriteType applies to management events as well as data events within a basic event selector, so "ReadOnly" on a selector with "IncludeManagementEvents": true restricts that trail's management-event logging to read-only calls; if the trail is also your management-event trail, use "ReadWriteType": "All" (which includes reads) rather than "ReadOnly".
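The following is an added example, not code from AWS, CIS, or the page, that turns the Test Plan and Implementation Plan above into checks a practitioner can run against CLI output. It consumes the JSON printed by aws cloudtrail get-event-selectors --trail-name <trail-name> --output json (basic event selectors only; trails that return AdvancedEventSelectors are flagged for manual review), reports whether read data events are logged for a given bucket, and builds a replacement selector list for put-event-selectors that keeps the trail's existing selectors instead of overwriting them. The trail ARN, bucket names and selector contents in SAMPLE_GET_EVENT_SELECTORS are constructed sample data; treating a value of arn:aws:s3::: the same as the documented arn:aws:s3 is an assumption.

```python
"""Evaluate and extend CloudTrail basic event selectors for S3 read data events.

Added example (not AWS or CIS code). Input is the JSON that
`aws cloudtrail get-event-selectors --trail-name <trail-name> --output json`
prints, or the already-parsed dict; output of add_read_selector() is the
list to pass to `put-event-selectors --event-selectors`.
"""
import json

ALL_BUCKETS = "arn:aws:s3"  # documented value meaning "all current and future buckets"

# Constructed sample of get-event-selectors output, not real account data:
# selector 1 logs only writes for finance-logs; selector 2 logs reads and
# writes for public-assets, but only under the images/ prefix.
SAMPLE_GET_EVENT_SELECTORS = json.dumps({
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail",
    "EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
         "DataResources": [{"Type": "AWS::S3::Object",
                            "Values": ["arn:aws:s3:::finance-logs/"]}],
         "ExcludeManagementEventSources": []},
        {"ReadWriteType": "All", "IncludeManagementEvents": False,
         "DataResources": [{"Type": "AWS::S3::Object",
                            "Values": ["arn:aws:s3:::public-assets/images/"]}],
         "ExcludeManagementEventSources": []},
    ],
})


def _load(doc):
    """Accept either the raw CLI JSON text or an already-parsed dict."""
    return doc if isinstance(doc, dict) else json.loads(doc)


def _covers(value, bucket):
    """Classify one DataResources value against a bucket: 'full', 'prefix' or None."""
    # 'arn:aws:s3' is the documented all-buckets value; older docs wrote
    # 'arn:aws:s3:::', which is treated the same here (assumption).
    if value.rstrip(":") == ALL_BUCKETS:
        return "full"
    bucket_root = f"arn:aws:s3:::{bucket}/"
    if value == bucket_root:
        return "full"
    if value.startswith(bucket_root):
        return "prefix"  # only objects under a key prefix are logged
    return None


def s3_read_coverage(doc, bucket):
    """Return 'full', 'prefix', 'none' or 'manual-review' for read data events on bucket."""
    doc = _load(doc)
    selectors = doc.get("EventSelectors")
    if not selectors:
        # Advanced event selectors use a different schema; do not guess.
        return "manual-review" if doc.get("AdvancedEventSelectors") else "none"
    best = "none"
    for sel in selectors:
        # ReadWriteType defaults to All; WriteOnly selectors never record GetObject.
        if sel.get("ReadWriteType", "All") not in ("ReadOnly", "All"):
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            for value in res.get("Values", []):
                hit = _covers(value, bucket)
                if hit == "full":
                    return "full"
                if hit == "prefix":
                    best = "prefix"
    return best


def add_read_selector(doc, buckets):
    """Build the list for put-event-selectors: existing basic selectors unchanged,
    plus one selector logging reads (ReadWriteType All) for the given buckets.
    put-event-selectors replaces the whole list, so keeping the old entries avoids
    silently dropping data-event coverage that was already configured."""
    existing = _load(doc).get("EventSelectors") or []
    new = {
        "ReadWriteType": "All",
        # Management-event logging stays governed by the existing selectors
        # (assumption: that split is what the operator wants).
        "IncludeManagementEvents": False,
        "DataResources": [{"Type": "AWS::S3::Object",
                           "Values": [f"arn:aws:s3:::{b}/" for b in buckets]}],
    }
    return existing + [new]


if __name__ == "__main__":
    for name in ("finance-logs", "public-assets", "other-bucket"):
        print(f"{name}: {s3_read_coverage(SAMPLE_GET_EVENT_SELECTORS, name)}")
    # Argument for: aws cloudtrail put-event-selectors --trail-name <trail-name> --event-selectors '<json>'
    print(json.dumps(add_read_selector(SAMPLE_GET_EVENT_SELECTORS, ["finance-logs"])))
```

Pipe real output through it with aws cloudtrail get-event-selectors --trail-name <trail-name> --output json > selectors.json and pass the file contents to s3_read_coverage(); the "prefix" result is the case the console's single Enabled/Disabled indicator does not distinguish, and "manual-review" tells you the trail uses advanced event selectors and the basic-selector rules above do not apply.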

Backout Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. Open the Trails page of the CloudTrail console.

  3. Choose the trail name.

  4. At the top of the trail details page, choose Delete. 


Using AWS CLI

aws cloudtrail delete-trail --name <Trail name>

Deleting the trail stops all logging it performed, including management events. To back out only this change, re-run put-event-selectors on the trail with the event selectors captured by get-event-selectors before the implementation step, which restores the previous data-event configuration without removing the trail.

Reference:

Amazon S3 CloudTrail events - Amazon Simple Storage Service