Profile Applicability:
Level 1
Description:
AWS Server Access Logging for CloudTrail S3 buckets provides detailed records of requests made to an S3 bucket, including:
The request type (e.g., PUT, GET, DELETE).
The resources accessed.
The time and date of the request.
The source IP address of the requestor.
By enabling access logging, you ensure visibility into API activity related to CloudTrail logs, enhancing security monitoring and incident response.
Rationale:
Provides detailed logs for all access to CloudTrail S3 buckets.
Detects unauthorized access or suspicious activity.
Helps ensure compliance with CIS, SOC 2, PCI-DSS, HIPAA, and ISO 27001.
Aids in forensic analysis of security incidents.
Without S3 access logging, security teams have no way to monitor or audit access to CloudTrail logs!
Impact:
Pros:
Improves visibility into who accessed CloudTrail logs.
Helps investigate unauthorized access attempts.
Supports security auditing and compliance monitoring.
Cons:
Additional storage costs for logging S3 access events.
Requires proper IAM permissions for logging configuration.
Default Value:
S3 Server Access Logging is NOT enabled by default. It must be enabled manually for CloudTrail S3 buckets.
Pre-Requisites:
IAM permissions required:
s3:PutBucketLogging
s3:GetBucketLogging
s3:PutBucketAcl
s3:GetBucketAcl
AWS CLI installed for automation.
Remediation:
Test Plan:
Using AWS Console
Step 1: Check if CloudTrail S3 Bucket Has Logging Enabled
Log in to the AWS Management Console
Navigate to CloudTrail Console
Click Trails in the left navigation pane
Identify the S3 bucket name where CloudTrail logs are stored
Open the S3 Console
Select the CloudTrail S3 bucket
Click Properties
Under Server Access Logging, ensure:
Logging is enabled
A Target Bucket is configured
Repeat for all AWS Regions
- If logging is enabled, no further action is needed.
- If logging is disabled, follow remediation steps.
Using AWS CLI
Step 1: Identify CloudTrail S3 Bucket
aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'
Expected Output:
[ "cloudtrail-logs-bucket" ]
If output is empty, CloudTrail logging is not configured!
Step 2: Check If Logging Is Enabled on CloudTrail S3 Bucket
aws s3api get-bucket-logging --bucket <cloudtrail-logs-bucket>
Expected Output (if logging is enabled):
{ "LoggingEnabled": { "TargetBucket": "s3-access-logs-bucket", "TargetPrefix": "cloudtrail-logs/" } }
If output is empty, logging is NOT enabled on the CloudTrail bucket!
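The two CLI checks above, automated across every region as an added example (not part of the original test plan). It assumes boto3 credentials holding cloudtrail:DescribeTrails and s3:GetBucketLogging, and goes one step beyond the benchmark check by also flagging a bucket that delivers its access logs to itself.

```python
"""Audit every CloudTrail bucket, in every region, for S3 server access logging."""
from typing import Dict, List, Set


def evaluate_logging(bucket: str, response: dict) -> List[str]:
    """Findings for one bucket, given the dict returned by get-bucket-logging.

    An empty list means PASS. Besides the benchmark's "is logging enabled"
    check, this flags a target equal to the source bucket: delivering a
    bucket's access logs into itself makes every log write generate more logs.
    """
    enabled = response.get("LoggingEnabled")
    if not enabled:
        return [f"{bucket}: server access logging is NOT enabled"]
    findings = []
    target = enabled.get("TargetBucket")
    if not target:
        findings.append(f"{bucket}: LoggingEnabled present but TargetBucket is missing")
    elif target == bucket:
        findings.append(f"{bucket}: logs are delivered to the bucket itself (recursive logging)")
    if not enabled.get("TargetPrefix"):
        findings.append(f"{bucket}: no TargetPrefix; logs will mix with other objects in the target")
    return findings


def cloudtrail_bucket_names(trail_list: list) -> Set[str]:
    """Unique S3BucketName values from a describe-trails 'trailList'."""
    return {t["S3BucketName"] for t in trail_list if t.get("S3BucketName")}


def audit(session) -> Dict[str, List[str]]:
    """Live audit with a boto3.Session (assumed; needs cloudtrail:DescribeTrails
    and s3:GetBucketLogging). Walks every CloudTrail region so single-region
    trails are not missed, then checks each distinct bucket once."""
    from botocore.exceptions import ClientError

    buckets: Set[str] = set()
    for region in session.get_available_regions("cloudtrail"):
        try:
            trails = session.client("cloudtrail", region_name=region).describe_trails(
                includeShadowTrails=False)["trailList"]
        except ClientError:
            continue  # region not enabled for this account, or access denied
        buckets |= cloudtrail_bucket_names(trails)
    s3 = session.client("s3")
    return {b: evaluate_logging(b, s3.get_bucket_logging(Bucket=b)) for b in sorted(buckets)}


if __name__ == "__main__":
    import boto3  # only needed for the live run, not for evaluate_logging()
    for bucket, findings in audit(boto3.Session()).items():
        print(bucket, "PASS" if not findings else "; ".join(findings))
```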
Implementation Steps:
Method 1: Enable S3 Server Access Logging via AWS Console
Step 1: Enable Logging on CloudTrail S3 Bucket
Log in to the AWS Management Console
Navigate to the S3 Console
Select the CloudTrail S3 bucket
Click Properties
Under Server Access Logging, click Edit
Check "Enable Logging"
Set Target Bucket (Choose a dedicated bucket for storing logs)
Set Target Prefix (Optional, e.g., cloudtrail-logs/)
Click Save
Repeat for all AWS Regions
Method 2: Enable S3 Server Access Logging via AWS CLI
Step 1: Set Up Logging Configuration File
Create a JSON configuration file (logging-config.json):
{
  "LoggingEnabled": {
    "TargetBucket": "s3-access-logs-bucket",
    "TargetPrefix": "cloudtrail-logs/"
  }
}
Step 2: Apply the Logging Configuration
aws s3api put-bucket-logging --bucket <cloudtrail-logs-bucket> --bucket-logging-status file://logging-config.json
The test is successful if access logs are being generated in the target bucket. Server access logs are delivered on a best-effort basis and may take several hours to appear, so allow for that delay before concluding the change failed.
Backout Plan:
- If enabling S3 access logging causes issues, disable logging via the AWS CLI:
aws s3api put-bucket-logging --bucket <cloudtrail-logs-bucket> --bucket-logging-status '{}'
Or remove the logging configuration via the AWS Console:
Go to S3 Console
Select CloudTrail S3 bucket
Navigate to Properties
Disable Logging
- Ensure disabling logging is justified before proceeding.