Profile Applicability:

Level 1

Description:

AWS CloudTrail records AWS API calls; delivering those events to CloudWatch Logs (or an external SIEM) allows near-real-time monitoring of them. Amazon S3 bucket policies define who may access a bucket and its objects, so monitoring changes to them ensures that bucket configurations remain secure and compliant. Unauthorized or accidental changes to these policies can result in:

  • Unintended public exposure of sensitive data.

  • Unauthorized access to or modification of stored objects.

  • Compliance violations leading to security risks.

This control ensures that changes to S3 bucket permissions and bucket-level configuration (bucket policy and ACL updates; CORS, lifecycle and replication settings; and deletion of any of these) are logged by CloudTrail, matched by a CloudWatch Logs metric filter, and alerted on through a CloudWatch alarm that publishes to an Amazon SNS topic.

Rationale:

Monitoring S3 bucket policy changes helps detect:

  • Unauthorized modifications that allow excessive access to S3 buckets.

  • Accidental misconfigurations that expose data to the public.

  • Security incidents involving unexpected changes to bucket permissions.

Impact:

  • Failure to monitor S3 bucket policy changes can result in:

    • Exposure of sensitive data to unauthorized users.

    • Loss of control over object access and permissions.

    • Security misconfigurations leading to compliance violations.

  • Enabling this monitoring has no effect on S3 performance, but it incurs CloudTrail, CloudWatch Logs, CloudWatch alarm and SNS charges.

Default Value:

  • By default no trail delivers events to CloudWatch Logs: bucket-level S3 API calls appear only in CloudTrail Event history (90 days of management events) and are not available to metric filters.

  • CloudWatch Alarms and SNS notifications must be manually configured to monitor S3 bucket policy modifications.

Pre-Requisites:

  1. A multi-region CloudTrail trail that is logging management events (Read and Write).

  2. The trail configured to deliver its events to a CloudWatch Logs log group.

  3. IAM Permissions Required:

    • To audit: cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:GetEventSelectors

    • logs:DescribeMetricFilters

    • cloudwatch:DescribeAlarms

    • sns:ListSubscriptionsByTopic

    • To remediate: logs:PutMetricFilter, cloudwatch:PutMetricAlarm, sns:CreateTopic, sns:Subscribe

Remediation:

Test Plan:

Using AWS Console

  1. Login to the AWS Management Console.

  2. Navigate to CloudTrail: AWS CloudTrail Console.

  3. Verify there is at least one multi-region CloudTrail trail and that it is logging (status "Logging").

  4. Ensure the trail is logging management events:

    • Click on the trail and check Event Selectors (the "Management events" section).

    • Ensure both Read and Write API activity is selected ("All" in the event selector).

  5. Check that the trail delivers its events to a CloudWatch Logs log group (the "CloudWatch Logs" section of the trail shows the log group name).

  6. Navigate to CloudWatch Logs: AWS CloudWatch Console.

  7. Ensure that a metric filter exists on that log group whose pattern matches the S3 bucket policy event names (PutBucketAcl, PutBucketPolicy, PutBucketCors, PutBucketLifecycle, PutBucketReplication and the corresponding Delete events).

  8. Check that a CloudWatch alarm exists on the metric emitted by that filter and that its alarm action is an SNS topic with at least one confirmed subscription.
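The console Test Plan above can also be run as code against the JSON the same read-only calls return (describe-trails, get-trail-status, get-event-selectors, describe-metric-filters, describe-alarms, list-subscriptions-by-topic). The following Python is an added example, not part of this benchmark page or of any AWS tool; the API responses it contains are constructed, and the trail name, log group, topic ARN, account number and email address in them are placeholders.

```python
"""Audit the CloudTrail -> CloudWatch Logs -> metric filter -> alarm -> SNS chain for
S3 bucket policy changes: the Test Plan above, expressed as checks on the JSON that
describe-trails, get-trail-status, get-event-selectors, describe-metric-filters,
describe-alarms and list-subscriptions-by-topic return."""
import re

# Event names the metric filter must match (the set used in the Remediation step).
REQUIRED_EVENT_NAMES = {
    "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
    "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
    "DeleteBucketLifecycle", "DeleteBucketReplication",
}


def event_names_in_pattern(filter_pattern):
    """Event names a filter pattern tests for with '$.eventName = Name'."""
    return set(re.findall(r'\$\.eventName\s*=\s*"?([A-Za-z0-9]+)"?', filter_pattern))


def log_group_from_arn(arn):
    """'arn:aws:logs:REGION:ACCOUNT:log-group:NAME:*' -> 'NAME' (None if malformed)."""
    m = re.match(r"arn:aws:logs:[^:]*:[^:]*:log-group:([^:]+)(?::\*)?$", arn or "")
    return m.group(1) if m else None


def audit_s3_policy_monitoring(trails, trail_status, event_selectors,
                               metric_filters, alarms, subscriptions):
    """Return a list of findings; an empty list means the control passes.
    trails          - describe-trails 'trailList'
    trail_status    - {trail name: get-trail-status response}
    event_selectors - {trail name: get-event-selectors 'EventSelectors'}
    metric_filters  - {log group name: describe-metric-filters 'metricFilters'}
    alarms          - describe-alarms 'MetricAlarms'
    subscriptions   - {topic ARN: list-subscriptions-by-topic 'Subscriptions'}"""
    # 1. A multi-region trail that is logging, records all management events and
    #    delivers to a CloudWatch Logs log group (Test Plan steps 3-5).
    log_groups = []
    for t in trails:
        healthy = (t.get("IsMultiRegionTrail")
                   and trail_status.get(t["Name"], {}).get("IsLogging")
                   and any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
                           for s in event_selectors.get(t["Name"], [])))
        group = log_group_from_arn(t.get("CloudWatchLogsLogGroupArn")) if healthy else None
        if group:
            log_groups.append(group)
    if not log_groups:
        return ["no multi-region trail logging all management events to CloudWatch Logs"]

    # 2. A metric filter on one of those log groups covering every required event (step 7).
    metrics, gaps = set(), []
    for group in log_groups:
        for f in metric_filters.get(group, []):
            missing = REQUIRED_EVENT_NAMES - event_names_in_pattern(f.get("filterPattern", ""))
            if missing:
                gaps.append("%s/%s does not match %s" % (group, f["filterName"], sorted(missing)))
            else:
                metrics.update((m["metricNamespace"], m["metricName"])
                               for m in f.get("metricTransformations", []))
    if not metrics:
        return gaps or ["no metric filter for S3 bucket policy changes on %s" % log_groups]

    # 3. An alarm on that metric whose action is an SNS topic (step 8).
    topics = {action for a in alarms
              if (a.get("Namespace"), a.get("MetricName")) in metrics
              for action in a.get("AlarmActions", []) if action.startswith("arn:aws:sns:")}
    if not topics:
        return ["no CloudWatch alarm with an SNS action on %s" % sorted(metrics)]

    # 4. The topic delivers somewhere: an email subscription reports
    #    'PendingConfirmation' instead of an ARN until the recipient confirms it.
    if not any(s.get("SubscriptionArn", "").startswith("arn:aws:sns:")
               for topic in topics for s in subscriptions.get(topic, [])):
        return ["SNS topic has no confirmed subscription: %s" % sorted(topics)]
    return []


def sample_environment(subscription_confirmed=True):
    """Constructed API responses for a passing deployment (placeholder names, not real data)."""
    group_arn = "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
    topic = "arn:aws:sns:us-east-1:123456789012:s3-bucket-policy-changes-alerts"
    pattern = "{ ($.eventSource = s3.amazonaws.com) && (%s) }" % " || ".join(
        "($.eventName = %s)" % n for n in sorted(REQUIRED_EVENT_NAMES))
    return dict(
        trails=[{"Name": "org-trail", "IsMultiRegionTrail": True,
                 "CloudWatchLogsLogGroupArn": group_arn}],
        trail_status={"org-trail": {"IsLogging": True}},
        event_selectors={"org-trail": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
        metric_filters={"CloudTrail/DefaultLogGroup": [{
            "filterName": "s3-bucket-policy-changes-metric", "filterPattern": pattern,
            "metricTransformations": [{"metricName": "s3-bucket-policy-changes-metric",
                                       "metricNamespace": "CISBenchmark", "metricValue": "1"}]}]},
        alarms=[{"AlarmName": "s3-bucket-policy-changes-alarm", "Namespace": "CISBenchmark",
                 "MetricName": "s3-bucket-policy-changes-metric", "AlarmActions": [topic]}],
        subscriptions={topic: [{"Protocol": "email", "Endpoint": "secops@example.com",
                                "SubscriptionArn": topic + ":0a1b2c3d-0000-4000-8000-000000000001"
                                if subscription_confirmed else "PendingConfirmation"}]},
    )
```

To audit a real account, build the six inputs from `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status`, `aws cloudtrail get-event-selectors`, `aws logs describe-metric-filters`, `aws cloudwatch describe-alarms` and `aws sns list-subscriptions-by-topic` (all with `--output json`) and pass them to `audit_s3_policy_monitoring`. Log groups, alarms and topics are regional, so run the CloudWatch and SNS calls in the region named in the trail's CloudWatchLogsLogGroupArn. The subscription check is the one most often missed by hand: an email subscription that was never confirmed leaves the alarm firing into nothing.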



Implementation Steps:
Using AWS CLI

Step 1: Create a Metric Filter for S3 Bucket Policy Changes (<trail-log-group-name> is the CloudWatch Logs log group the multi-region trail delivers to, shown as CloudWatchLogsLogGroupArn in the output of aws cloudtrail describe-trails)

aws logs put-metric-filter --log-group-name <trail-log-group-name> \
--filter-name s3-bucket-policy-changes-metric \
--metric-transformations metricName=s3-bucket-policy-changes-metric,metricNamespace="CISBenchmark",metricValue=1 \
--filter-pattern '{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }'

Step 2: Create an SNS Topic for Notifications

aws sns create-topic --name s3-bucket-policy-changes-alerts

Step 3: Subscribe to the SNS Topic (an email subscription delivers nothing until the recipient clicks the confirmation link SNS sends to that address)

aws sns subscribe --topic-arn <sns-topic-arn> --protocol email --notification-endpoint <your-email@example.com>

Step 4: Create a CloudWatch Alarm that fires when the metric sums to 1 or more in a 5-minute period

aws cloudwatch put-metric-alarm --alarm-name s3-bucket-policy-changes-alarm \
--metric-name s3-bucket-policy-changes-metric --statistic Sum --period 300 \
--threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
--evaluation-periods 1 --namespace "CISBenchmark" --alarm-actions <sns-topic-arn>
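To see exactly what the Step 1 metric filter counts, the following added example (not from this page or from AWS) replays constructed CloudTrail records through a small evaluator for the filter-pattern syntax. The pattern string is the one from Step 1; the evaluator, the record builder and the sample records are the example's own assumptions, and the evaluator covers only the subset of the syntax this pattern uses.

```python
"""Replay constructed CloudTrail records through the Step 1 filter pattern to see
which events raise s3-bucket-policy-changes-metric.

The evaluator covers the subset of CloudWatch Logs JSON filter-pattern syntax the
CIS-style pattern uses: '{ ... }' around '$.field = value' / '$.field != value'
comparisons combined with '&&', '||' and parentheses."""
import re

# The filter pattern from Step 1 above, unchanged.
S3_POLICY_PATTERN = (
    "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || "
    "($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || "
    "($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || "
    "($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || "
    "($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
)

_TOKEN = re.compile(r'\{|\}|\(|\)|&&|\|\||!=|=|\$\.[\w.]+|"[^"]*"|[^\s(){}=!&|]+')


class FilterPattern:
    """Parse a filter pattern into a small AST and evaluate it against JSON records."""

    def __init__(self, pattern):
        self.tokens = _TOKEN.findall(pattern)
        self.pos = 0
        self._expect("{")
        self.ast = self._or()
        self._expect("}")
        if self.pos != len(self.tokens):
            raise ValueError("trailing tokens: %r" % self.tokens[self.pos:])

    # Recursive-descent parser: or -> and -> atom (parenthesised expr or comparison).
    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of pattern")
        self.pos += 1
        return tok

    def _expect(self, want):
        got = self._take()
        if got != want:
            raise ValueError("expected %r, got %r" % (want, got))

    def _or(self):
        node = self._and()
        while self._peek() == "||":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._atom()
        while self._peek() == "&&":
            self._take()
            node = ("and", node, self._atom())
        return node

    def _atom(self):
        if self._peek() == "(":
            self._take()
            node = self._or()
            self._expect(")")
            return node
        field, op, value = self._take(), self._take(), self._take()
        if not field.startswith("$.") or op not in ("=", "!="):
            raise ValueError("bad comparison: %s %s %s" % (field, op, value))
        return ("cmp", field[2:], op, value.strip('"'))

    @staticmethod
    def _lookup(record, path):
        cur = record
        for part in path.split("."):          # '$.requestParameters.bucketName' style paths
            if not isinstance(cur, dict) or part not in cur:
                return None
            cur = cur[part]
        return cur

    def matches(self, record):
        return self._eval(self.ast, record)

    def _eval(self, node, record):
        if node[0] == "or":
            return self._eval(node[1], record) or self._eval(node[2], record)
        if node[0] == "and":
            return self._eval(node[1], record) and self._eval(node[2], record)
        _, path, op, value = node
        actual = self._lookup(record, path)
        # Simplification: a missing field never equals the value; '!=' is the negation.
        equal = actual is not None and str(actual) == value
        return equal if op == "=" else not equal


def cloudtrail_record(event_source, event_name, **extra):
    """Constructed CloudTrail record carrying only the fields this demo needs."""
    rec = {"eventVersion": "1.08", "eventSource": event_source, "eventName": event_name,
           "awsRegion": "us-east-1", "requestParameters": {"bucketName": "example-data-bucket"}}
    rec.update(extra)
    return rec


# Constructed sample records: the first two should fire the metric, the rest should not.
SAMPLE_RECORDS = [
    cloudtrail_record("s3.amazonaws.com", "PutBucketPolicy"),
    cloudtrail_record("s3.amazonaws.com", "DeleteBucketPolicy", errorCode="AccessDenied"),
    cloudtrail_record("s3.amazonaws.com", "GetBucketPolicy"),             # read, not a change
    cloudtrail_record("s3.amazonaws.com", "PutBucketPublicAccessBlock"),  # not in the pattern
    cloudtrail_record("iam.amazonaws.com", "PutRolePolicy"),              # wrong eventSource
]


def matching_event_names(pattern, records):
    """Event names of the records that would increment the metric filter's metric."""
    fp = FilterPattern(pattern)
    return [r["eventName"] for r in records if fp.matches(r)]
```

The replay makes two properties of the Step 1 pattern visible. It keys on eventName only, so a denied DeleteBucketPolicy attempt (errorCode AccessDenied) still raises the metric, which is what you want for an attempted change. Bucket-level APIs outside the listed set, such as PutBucketPublicAccessBlock, never count; extend the event-name list in Step 1 if those must alert too. The evaluator's handling of a missing field under != is a simplification of this example, not a statement of CloudWatch Logs semantics.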

Backout Plan:

  1. Delete the CloudWatch alarm:

    aws cloudwatch delete-alarms --alarm-names s3-bucket-policy-changes-alarm

  2. Remove the metric filter:

    aws logs delete-metric-filter --log-group-name <trail-log-group-name> --filter-name s3-bucket-policy-changes-metric

  3. Delete the SNS topic (this also removes its subscriptions):

    aws sns delete-topic --topic-arn <sns-topic-arn>


References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
--------------------|------------|-----------------------------------------------------
CIS v8              | 8.5        | Collect detailed audit logs for security monitoring.
CIS v8              | 8.11       | Conduct audit log reviews to detect anomalies.
CIS v7              | 6.3        | Enable detailed logging for security monitoring.