Description:

This policy ensures that logging settings for success, failure, and objects are enabled for all AWS resources. This can help to troubleshoot issues, audit activity, and comply with security regulations.

Rationale:

Logging is a critical part of any security posture. By enabling logging for all AWS resources, organizations can gain visibility into what is happening in their environment and take corrective action as needed.

Impact:

Enabling logging for all AWS resources will have no impact on the availability or performance of those resources. However, it may increase the amount of data that is stored in AWS.

Default Value:

AWS does not enable logging by default for all AWS resources.

Pre-requisites:

  • The user must have the appropriate permissions to enable logging.
  • The user must have access to the AWS Management Console or the AWS CLI.

Remediation Steps:

To disable this policy, the user can follow these steps:

  1. In the AWS Management Console, navigate to the IAM & Admin page.
  2. Click on the Policies tab.
  3. Select the policy that you want to disable.
  4. Click on the Disable button.

Test Plan:

To test this policy, the user can follow these steps:

  1. Enable the policy.
  2. Perform an action on an AWS resource.
  3. Verify that the log entry is generated.

Implementation Plan:

To implement this policy, the user can follow these steps:

  1. Enable the policy.
  2. Configure logging for all AWS resources.
  3. Monitor the logs to ensure that they are being generated.

AWS CLI Process:

To enable this policy using the AWS CLI, the user can run the following command (the IAM CLI has no update-policy subcommand; create-policy takes the same policy name and document arguments):

aws iam create-policy --policy-name <policy-name> --policy-document file://<policy-document-file>

The policy document file should contain the following JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:EnableLogging",
      "Resource": "*"
    }
  ]
}
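Before a policy document is submitted with the CLI, it is worth checking that it has the structure IAM requires and that any Allow statement on Resource "*" is deliberate. The following is an added example, not part of this policy page and not an AWS tool; it parses a policy document string (the sample embedded below is constructed from the JSON above) and returns a list of findings for a reviewer.

```python
"""Added example (not part of the policy page): structural check of an IAM
policy document before it is submitted with `aws iam create-policy`.
Verifies Version, Statement, Effect, Action and Resource, and flags Allow
statements on Resource "*" so over-broad grants are caught in review."""
import json

ALLOWED_VERSIONS = {"2012-10-17", "2008-10-17"}

# Constructed sample: the document shown on the page, as it would sit in a file.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iam:EnableLogging", "Resource": "*" }
  ]
}
"""


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def validate_policy_document(text):
    """Return a list of findings; an empty list means the document is
    structurally valid and grants nothing on Resource "*"."""
    findings = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return ["policy document must be a JSON object"]

    if doc.get("Version") not in ALLOWED_VERSIONS:
        findings.append('missing or unsupported Version; use "2012-10-17"')

    statements = doc.get("Statement")
    if statements is None:
        return findings + ["missing Statement"]

    for i, stmt in enumerate(_as_list(statements)):
        where = f"Statement[{i}]"
        if not isinstance(stmt, dict):
            findings.append(f"{where}: must be an object")
            continue
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"{where}: missing Action")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"{where}: missing Resource")
        # Review-time check: Allow on every resource is the pattern that most often over-grants.
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            findings.append(
                f'{where}: Allow on Resource "*" for {actions}; '
                "scope the resource if the API supports it"
            )
    return findings


if __name__ == "__main__":
    for finding in validate_policy_document(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```

Run it against the policy file before the create-policy call; the wildcard finding is a prompt for review rather than an error, since some account-level IAM actions accept only Resource "*".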

Using AWS GUI:

To enable this policy using the AWS GUI, the user can follow these steps:

  1. In the AWS Management Console, navigate to the IAM & Admin page.
  2. Click on the Policies tab.
  3. Select the policy that you want to enable.
  4. Click on the Edit button.
  5. In the Policy Document section, paste the following JSON:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": "iam:EnableLogging",
           "Resource": "*"
         }
       ]
     }

  6. Click on the Save button.

Backout Plan:

To revoke this policy, the user can follow these steps:

  1. In the AWS Management Console, navigate to the IAM & Admin page.
  2. Click on the Policies tab.
  3. Select the policy that you want to revoke.
  4. Click on the Delete button.

Note:

  • This policy is not required for all AWS environments.
  • The user should test the policy to ensure that it is working as expected.
  • The user should revoke this policy if it is no longer needed.

Reference:

  • AWS IAM Policy Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html
  • AWS CLI Command Reference: https://docs.aws.amazon.com/cli/latest/reference/iam/

Section 2:

  • Tags: logging, success, failure, objects
  • Keywords: IAM, policy, logging, compliance