Profile Applicability:

Level 2

Description:

AWS S3 object-level API operations (PutObject, DeleteObject, GetObject) are categorized as Data Events in AWS CloudTrail. By default, CloudTrail does not log Data Events, so object-level logging must be enabled explicitly. This control ensures that object-level logging is enabled for all S3 write operations, providing full visibility into data access and modification.

Rationale:

  • Enhances security monitoring: Tracks unauthorized modifications to critical data.

  • Meets compliance requirements: Supports audits for regulations such as PCI DSS, SOC 2, ISO 27001, NIST, and CIS benchmarks.

  • Assists in forensic investigations: Provides historical logs of object changes.

  • Improves accountability: Helps organizations track who accessed or modified S3 data.

Without object-level logging, security teams lack visibility into unauthorized data modifications or potential insider threats.

Impact:

  • Provides detailed auditing of all changes to S3 objects.

  • Helps detect unauthorized access or data leaks.

  • Supports security incident investigations.


Default Value:

  • CloudTrail does NOT log object-level API actions by default.
  • Must be manually enabled for each S3 bucket.

Pre-Requisites:

IAM permissions required:

  • cloudtrail:UpdateTrail

  • cloudtrail:GetEventSelectors

  • cloudtrail:PutEventSelectors

  • s3:PutBucketLogging

  • s3:GetBucketLogging

  • s3:PutBucketPolicy

AWS CLI installed for automation.

Remediation:

Test Plan:

Using AWS Console

Step 1: Check If Object-Level Logging Is Enabled in CloudTrail

  1. Login to AWS Console → Go to AWS CloudTrail

  2. Click Trails in the left panel

  3. Select the CloudTrail trail you want to check.

  4. Scroll to Data Events.

  5. Confirm the configuration:

  6. Repeat for all regions and all trails.

Using AWS CLI

Step 1: List All CloudTrail Trails

aws cloudtrail list-trails

Step 2: Verify If CloudTrail Is Multi-Region

aws cloudtrail get-trail --name <trail-name> --region <region-name>

Step 3: Check If Object-Level Logging for S3 Is Enabled

aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query 'EventSelectors[*].DataResources[]'

Implementation steps:

Using AWS Console

Step 1: Enable S3 Data Events in CloudTrail

  1. Login to AWS Console → Go to AWS CloudTrail

  2. Click Trails in the left panel

  3. Click on the trail name

  4. Click Edit under General details

  5. Scroll down to Data events

  6. Select S3 → Choose Log all events

  7. Click Save changes


Using AWS CLI

Step 1: Enable Object-Level Logging for a Specific S3 Bucket

aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> \
    --event-selectors '[{
        "ReadWriteType": "WriteOnly",
        "IncludeManagementEvents": true,
        "DataResources": [{
            "Type": "AWS::S3::Object",
            "Values": ["arn:aws:s3:::<s3-bucket-name>/"]
        }]
    }]'

Step 2: Enable Object-Level Logging for ALL S3 Buckets

aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> \
    --event-selectors '[{
        "ReadWriteType": "WriteOnly",
        "IncludeManagementEvents": true,
        "DataResources": [{
            "Type": "AWS::S3::Object",
            "Values": ["arn:aws:s3"]
        }]
    }]'

This enables object-level logging for ALL current and future S3 buckets.
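The following is an added example, not part of the original control text or of any AWS tooling. It serves two steps above: it builds the `--event-selectors` payload used by `aws cloudtrail put-event-selectors` for one, several or all buckets (Implementation Steps 1 and 2), and it checks a `get-event-selectors` response for whether a given bucket's read or write object events would actually be logged (Test Plan Step 3). Bucket names, the trail ARN and the sample response are constructed placeholders; the coverage check applies CloudTrail's ARN-prefix matching and ReadWriteType rules as documented for classic event selectors.

```python
"""Build CloudTrail S3 event selectors and audit a get-event-selectors
response for object-level coverage. Added example; names are constructed."""
import json

S3_OBJECT_TYPE = "AWS::S3::Object"
# Prefix forms CloudTrail treats as "every S3 bucket in the account".
ALL_BUCKETS_PREFIXES = ("arn:aws:s3", "arn:aws:s3:::")
VALID_READ_WRITE_TYPES = ("ReadOnly", "WriteOnly", "All")


def build_s3_event_selectors(buckets, read_write_type="WriteOnly"):
    """Return the JSON string to pass as --event-selectors.

    An empty bucket list means "all current and future buckets", the
    arn:aws:s3 form shown in Implementation Step 2.
    """
    if read_write_type not in VALID_READ_WRITE_TYPES:
        raise ValueError("ReadWriteType must be ReadOnly, WriteOnly or All")
    values = [f"arn:aws:s3:::{bucket}/" for bucket in buckets] or ["arn:aws:s3"]
    selectors = [{
        "ReadWriteType": read_write_type,
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": S3_OBJECT_TYPE, "Values": values}],
    }]
    return json.dumps(selectors)


def _rw_covers(read_write_type, op_kind):
    """Does this ReadWriteType log the operation kind ('read' or 'write')?"""
    return (read_write_type == "All"
            or (read_write_type == "WriteOnly" and op_kind == "write")
            or (read_write_type == "ReadOnly" and op_kind == "read"))


def _prefix_covers(prefix, bucket):
    """DataResources values are ARN prefixes matched against object ARNs."""
    if prefix in ALL_BUCKETS_PREFIXES:
        return True
    return f"arn:aws:s3:::{bucket}/".startswith(prefix)


def s3_logging_covers(selectors_json, bucket, op_kind):
    """True if any classic event selector logs `op_kind` object events for
    `bucket`. Accepts either a full get-event-selectors response or a bare
    selector list (the put-event-selectors payload). Trails that use
    advanced event selectors report them under AdvancedEventSelectors,
    which this function does not parse; an empty EventSelectors list
    therefore means "review manually", not "not logged"."""
    doc = json.loads(selectors_json)
    selectors = doc if isinstance(doc, list) else doc.get("EventSelectors", [])
    for selector in selectors:
        if not _rw_covers(selector.get("ReadWriteType", "All"), op_kind):
            continue
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != S3_OBJECT_TYPE:
                continue
            if any(_prefix_covers(v, bucket) for v in resource.get("Values", [])):
                return True
    return False


def audit_buckets(selectors_json, buckets):
    """Map each bucket to the operation kinds that would go unlogged."""
    return {bucket: [kind for kind in ("write", "read")
                     if not s3_logging_covers(selectors_json, bucket, kind)]
            for bucket in buckets}


# Constructed sample of a get-event-selectors response: a trail that logs
# write-only object events for a single bucket.
SAMPLE_RESPONSE = json.dumps({
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail",
    "EventSelectors": [{
        "ReadWriteType": "WriteOnly",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": S3_OBJECT_TYPE,
                           "Values": ["arn:aws:s3:::example-bucket/"]}],
        "ExcludeManagementEventSources": [],
    }],
})

if __name__ == "__main__":
    # Gaps in the sample trail: reads of example-bucket, everything in second-bucket.
    print(audit_buckets(SAMPLE_RESPONSE, ["example-bucket", "second-bucket"]))
    # Round trip: the payload we would push covers writes for every listed bucket.
    payload = build_s3_event_selectors(["example-bucket", "second-bucket"])
    print(payload)
    print(audit_buckets(payload, ["example-bucket", "second-bucket"]))
```

Run `aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name>` per trail and region, feed the output to `audit_buckets` with the bucket list from `aws s3api list-buckets`, and any bucket with `"write"` in its gap list fails this control. The `WriteOnly` default reflects the control's scope; the sample output shows that it leaves GetObject unlogged, which is worth knowing before relying on these logs for read-access forensics.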


Backout Plan:

If enabling object-level logging causes excessive costs, disable object-level logging via the AWS CLI:

aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> \
    --event-selectors '[{
        "ReadWriteType": "All",
        "IncludeManagementEvents": true
    }]'

Omitting DataResources from the selector removes S3 data-event logging while keeping management events; ReadWriteType accepts only ReadOnly, WriteOnly or All.

Verify Logs Are Disabled

aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name>

If S3 object-level logging is missing, the change is successful.


References: