Profile Applicability:

Level 2

Description:

AWS S3 object-level API operations (GetObject, DeleteObject, PutObject) are categorized as data events in AWS CloudTrail. By default, CloudTrail does not log data events, so they must be configured explicitly on a trail before object-level access is recorded. This control ensures that object-level logging is enabled for all S3 read operations (GetObject and the other read-only object APIs), providing full visibility into who reads data and when.

Rationale:

  • Enhances security monitoring: Tracks unauthorized data access.
  • Meets compliance requirements: Supports audits for PCI DSS, SOC 2, ISO 27001, NIST, and CIS benchmarks.
  • Assists in forensic investigations: Provides historical logs of who accessed S3 data.
  • Improves accountability: Helps organizations track data exfiltration attempts.

Impact:

  • Provides detailed auditing of all read events in S3.
  • Helps detect unauthorized access attempts.
  • Supports incident response and compliance reporting.
  • Data events are billed separately from management events and are high-volume on busy buckets, so CloudTrail charges and log storage increase (see the Backout Plan).

Default Value:

  • CloudTrail does NOT log object-level (data event) API actions by default.
  • Must be enabled explicitly on a trail, either per bucket or for all buckets in the account.

Pre-Requisites:

 IAM permissions required:

  • cloudtrail:DescribeTrails and cloudtrail:GetTrail (to enumerate trails in the test plan)
  • cloudtrail:GetEventSelectors
  • cloudtrail:PutEventSelectors
  • cloudtrail:UpdateTrail
  • s3:PutBucketLogging and s3:GetBucketLogging (only if you also manage S3 server access logging; CloudTrail data events do not require them)
  • s3:PutBucketPolicy (only if the trail's destination bucket policy must be changed)

AWS CLI installed and configured (for the CLI steps below).

Remediation:

Test Plan:

Using AWS Console

Step 1: Check If Object-Level Logging Is Enabled in CloudTrail

  1. Login to AWS Console → Go to AWS CloudTrail
  2. Click Trails in the left panel
  3. Select the CloudTrail trail you want to check
  4. Scroll down to Data events
  5. Confirm the configuration: the Data events section must list S3 with Read events (or All events) logged, and the resource selection must cover the buckets in scope (all current and future S3 buckets, or the specific bucket ARNs). If there is no S3 entry, or only Write events are logged, the control fails for that trail.
  6. Repeat for all regions and all trails.

Using AWS CLI

Step 1: List All CloudTrail Trails

aws cloudtrail describe-trails --region <region-name> --output table --query 'trailList[*].Name'

Shadow trails are included by default, so a multi-region trail appears in the output of every region.

Step 2: Verify If CloudTrail Is Multi-Region

aws cloudtrail get-trail --name <trail-name> --region <region-name>

Check IsMultiRegionTrail in the output. A multi-region trail needs its data events configured only once, in its home region.

Step 3: Check If Object-Level Logging for S3 Is Enabled

aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query 'EventSelectors[*].DataResources[]'

The control passes when the output contains a resource of Type AWS::S3::Object whose Values cover the buckets in scope (arn:aws:s3 for all buckets, or arn:aws:s3:::<s3-bucket-name>/ per bucket) on a selector whose ReadWriteType is ReadOnly or All. If the trail uses advanced event selectors, the response contains AdvancedEventSelectors instead of EventSelectors and the query above returns nothing; run the command without --query and look for a selector with eventCategory equal to Data, resources.type equal to AWS::S3::Object and readOnly either absent or equal to true.
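Reading the JSON from Step 3 by eye does not scale to many trails, and the two selector formats need different checks. The following Python is an added example, not part of this control page or of any AWS tool: it takes the document printed by get-event-selectors and decides whether read data events for every object in one bucket would be recorded, handling both the basic EventSelectors format and AdvancedEventSelectors. The three sample documents, the account ID, trail name and bucket names are constructed for illustration.

```python
import json

S3_OBJECT = "AWS::S3::Object"


def _prefix_covers_bucket(prefix, bucket):
    """True if a DataResources ARN prefix covers every object in `bucket`.
    'arn:aws:s3' means all buckets in the account; otherwise the prefix has
    to name the bucket itself, not a key prefix inside it."""
    if prefix == "arn:aws:s3":
        return True
    return prefix in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/")


def _classic_covers(event_selectors, bucket):
    """Basic event selectors: ReadWriteType plus a list of DataResources."""
    for sel in event_selectors:
        if sel.get("ReadWriteType") not in ("ReadOnly", "All"):
            continue  # a WriteOnly selector never records GetObject
        for res in sel.get("DataResources", []):
            if res.get("Type") != S3_OBJECT:
                continue
            if any(_prefix_covers_bucket(v, bucket) for v in res.get("Values", [])):
                return True
    return False


def _advanced_covers(advanced_selectors, bucket):
    """Advanced event selectors: a list of FieldSelectors per selector.
    Only Equals and StartsWith are evaluated; a selector that relies on
    NotEquals / NotStartsWith / NotEndsWith exclusions is treated as not
    covering the bucket, which is the conservative answer for an audit."""
    bucket_arn = f"arn:aws:s3:::{bucket}/"
    for sel in advanced_selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if fields.get("resources.type", {}).get("Equals") != [S3_OBJECT]:
            continue
        read_only = fields.get("readOnly")
        if read_only is not None and read_only.get("Equals") != ["true"]:
            continue  # readOnly = false is a write-only selector
        arn = fields.get("resources.ARN")
        if arn is None:
            return True  # no ARN restriction: every bucket in the account
        if any(k in arn for k in ("NotEquals", "NotStartsWith", "NotEndsWith")):
            continue
        if bucket_arn in arn.get("Equals", []):
            return True
        if any(bucket_arn.startswith(p) for p in arn.get("StartsWith", [])):
            return True
    return False


def s3_read_logging_covers(get_event_selectors_json, bucket):
    """Return True if the trail described by the JSON printed by
    `aws cloudtrail get-event-selectors` records read data events
    (GetObject and the other read-only object APIs) for every object in `bucket`."""
    doc = json.loads(get_event_selectors_json)
    return (_classic_covers(doc.get("EventSelectors", []), bucket)
            or _advanced_covers(doc.get("AdvancedEventSelectors", []), bucket))


# Constructed sample outputs (not captured from a real account).
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail"
MANAGEMENT_ONLY = json.dumps({
    "TrailARN": TRAIL_ARN,
    "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                        "DataResources": [], "ExcludeManagementEventSources": []}],
})
ONE_BUCKET_READ = json.dumps({
    "TrailARN": TRAIL_ARN,
    "EventSelectors": [{"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,
                        "DataResources": [{"Type": S3_OBJECT,
                                           "Values": ["arn:aws:s3:::finance-data/"]}]}],
})
ADVANCED_WRITE_ONLY = json.dumps({
    "TrailARN": TRAIL_ARN,
    "AdvancedEventSelectors": [{"Name": "S3 writes", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": [S3_OBJECT]},
        {"Field": "readOnly", "Equals": ["false"]}]}],
})

if __name__ == "__main__":
    for name, doc in [("management-only", MANAGEMENT_ONLY),
                      ("one-bucket-read", ONE_BUCKET_READ),
                      ("advanced-write-only", ADVANCED_WRITE_ONLY)]:
        print(f"{name}: covers finance-data reads = "
              f"{s3_read_logging_covers(doc, 'finance-data')}")
```

To audit a real trail, pass the output of the Step 3 command (without --query) as the first argument and the bucket name as the second; a False result means the trail would not record GetObject calls for that bucket and the control fails.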

Implementation steps:

Using AWS Console

Step 1: Enable S3 Data Events in CloudTrail

  1. Login to AWS Console → Go to AWS CloudTrail
  2. Click Trails in the left panel
  3. Click on the trail name
  4. Click Edit under General details
  5. Scroll down to Data events
  6. Select S3 → Choose Log all events (All events include the read events this control requires; Read events alone is the minimum)
  7. Click Save changes

Repeat for all trails in all regions.

Using AWS CLI:

Step 1: Enable Object-Level Logging for a Specific S3 Bucket

aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> \
    --event-selectors '[{
        "ReadWriteType": "ReadOnly",
        "IncludeManagementEvents": true,
        "DataResources": [{
            "Type": "AWS::S3::Object",
            "Values": ["arn:aws:s3:::<s3-bucket-name>/"]
        }]
    }]'

The trailing slash in the bucket ARN is required; without it the value is rejected. Note that put-event-selectors replaces the trail's entire selector list, so any data events already configured (other buckets, Lambda functions) must be included again in the same call. Note also that ReadWriteType applies to management events in the same selector: with the single selector above, only read-only management events are recorded. To keep management events at All, put the S3 resource in a second selector with "IncludeManagementEvents": false and leave the first selector with "ReadWriteType": "All".

Step 2: Enable Object-Level Logging for ALL S3 Buckets

aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> \
    --event-selectors '[{
        "ReadWriteType": "ReadOnly",
        "IncludeManagementEvents": true,
        "DataResources": [{
            "Type": "AWS::S3::Object",
            "Values": ["arn:aws:s3"]
        }]
    }]'

The value arn:aws:s3 (no trailing colons) selects all current and future buckets in the account; it also records data events that principals in this account perform against buckets owned by other accounts.
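Because put-event-selectors overwrites the whole selector list, and because a ReadOnly selector with IncludeManagementEvents set to true also narrows management-event logging to reads, the safe remediation is to build the new list from the trail's current one. The following Python is an added example, not AWS code and not part of this page: it takes the EventSelectors list returned by get-event-selectors, keeps every existing selector, makes sure management events stay at All, and appends the S3 read selector on its own. The sample existing configuration and the trail and bucket names are constructed.

```python
import json

S3_OBJECT = "AWS::S3::Object"
MAX_EVENT_SELECTORS = 5  # CloudTrail allows at most five basic event selectors per trail


def s3_read_prefix(bucket=None):
    """DataResources value for one bucket, or 'arn:aws:s3' for every bucket."""
    return f"arn:aws:s3:::{bucket}/" if bucket else "arn:aws:s3"


def build_read_event_selectors(existing, bucket=None):
    """Return the EventSelectors list to pass to put-event-selectors so that
    S3 read data events are logged for `bucket` (all buckets when None).

    `existing` is the "EventSelectors" list returned by get-event-selectors.
    Because put-event-selectors overwrites the whole list, every existing
    selector is kept as-is; if nothing records management events, a
    ReadWriteType=All management selector is added; and the S3 read selector
    is appended on its own with IncludeManagementEvents=False, so its
    ReadOnly setting cannot narrow management-event logging.
    """
    prefix = s3_read_prefix(bucket)
    selectors = json.loads(json.dumps(existing))  # deep copy, never mutate the input

    # Idempotence: if a read-capable selector already names this prefix
    # (or the all-buckets prefix), there is nothing to change.
    for sel in selectors:
        if sel.get("ReadWriteType") not in ("ReadOnly", "All"):
            continue
        for res in sel.get("DataResources", []):
            values = res.get("Values", [])
            if res.get("Type") == S3_OBJECT and (prefix in values or "arn:aws:s3" in values):
                return selectors

    if not any(s.get("IncludeManagementEvents") for s in selectors):
        selectors.append({"ReadWriteType": "All",
                          "IncludeManagementEvents": True,
                          "DataResources": []})

    selectors.append({"ReadWriteType": "ReadOnly",
                      "IncludeManagementEvents": False,
                      "DataResources": [{"Type": S3_OBJECT, "Values": [prefix]}]})

    if len(selectors) > MAX_EVENT_SELECTORS:
        raise ValueError(
            f"trail would need {len(selectors)} event selectors; the limit is "
            f"{MAX_EVENT_SELECTORS}. Merge selectors or switch to advanced event selectors.")
    return selectors


def put_event_selectors_argv(trail_name, region, selectors):
    """argv for the AWS CLI call; execute it with subprocess.run(argv, check=True)."""
    return ["aws", "cloudtrail", "put-event-selectors",
            "--region", region, "--trail-name", trail_name,
            "--event-selectors", json.dumps(selectors)]


# Constructed sample: a trail that today records management events only.
EXISTING_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                       "DataResources": [], "ExcludeManagementEventSources": []}]

if __name__ == "__main__":
    new = build_read_event_selectors(EXISTING_SELECTORS, bucket="finance-data")
    print(json.dumps(new, indent=2))
    print(put_event_selectors_argv("example-trail", "us-east-1", new))
```

Feed the "EventSelectors" list from a real get-event-selectors call into build_read_event_selectors, review the result, then run the argv that put_event_selectors_argv returns; running it twice is harmless because an already-covered prefix returns the list unchanged. Trails that use AdvancedEventSelectors must be edited with put-event-selectors --advanced-event-selectors instead, and this helper does not handle that format.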

Backout Plan:

If enabling object-level logging causes excessive costs or log volume:

Disable Object-Level Logging via AWS CLI

 aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> \
    --event-selectors '[{ "ReadWriteType": "All", "IncludeManagementEvents": true, "DataResources": [] }]'

ReadWriteType accepts only ReadOnly, WriteOnly or All (there is no "None" value). The selector above keeps management events at All and removes every data resource, which turns off S3 object-level logging on that trail. If the trail also logged other data events (for example Lambda) that you want to keep, include those DataResources in the same call.

Verify Logs Are Disabled

aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name>

If the output contains no DataResources entry of Type AWS::S3::Object, the backout was successful.


References: