Profile Applicability:

  • Level 1

Description:

CloudWatch Log Groups are a vital part of monitoring your AWS resources and applications. To ensure the security and privacy of logs, it's important that CloudWatch Log Groups are not publicly accessible. Logs should only be accessible by authorized users and services. It is recommended to review and modify the access policies for CloudWatch Log Groups to ensure they do not allow public access.

Rationale:

Publicly accessible CloudWatch Log Groups could expose sensitive operational data, application logs, or even debug information that may provide attackers with valuable insights into your infrastructure. Ensuring that Log Groups are private helps to maintain the confidentiality, integrity, and security of your log data.

Impact:

  • Positive Impact: Prevents unauthorized access to sensitive log data, reducing the risk of data exposure.

  • Negative Impact: May require effort to ensure that proper access controls are applied, especially when updating multiple log groups.

Default Value:

By default, CloudWatch Log Groups are not publicly accessible unless explicitly configured otherwise. However, if improper access policies are set, they could inadvertently expose sensitive information.

Pre-Requisite:

  • IAM Permissions: Permissions to view and modify CloudWatch Log Groups access policies.

  • AWS Services: CloudWatch Logs.

  • Tools Required: AWS Management Console, AWS CLI.

Remediation:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudWatch console: AWS CloudWatch Console.

  3. In the left navigation pane, click Log Groups.

  4. Select the Log Group you want to audit.

  5. Click Actions and select View permissions.

  6. Review the permissions under the Access Control List (ACL).

  7. Ensure that no policies grant public access (e.g., 0.0.0.0/0 or ::/0).

  8. If public access is found, remove the associated permissions or modify the policy to restrict access to authorized users only.

  9. Repeat for each CloudWatch Log Group in your AWS account.

Using AWS CLI:

List the CloudWatch Log Groups in the account using the following command:

aws logs describe-log-groups --query 'logGroups[*].logGroupName'

List the resource-based policies. The describe-resource-policies command has no --log-group-name option; policies are returned for the whole account, and the Log Groups each policy covers are named in its Resource element:

aws logs describe-resource-policies

Ensure that no public access is allowed by reviewing the policy output. Look for any policies granting permissions to 0.0.0.0/0 or ::/0.

Remove or modify public access permissions using the following command:

aws logs put-resource-policy --policy-name <PolicyName> --policy-document <PolicyDocument>
Ensure the policy document restricts access to authorized users or specific IP ranges.

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to CloudWatch → Log Groups.

  3. Select a Log Group and click Actions → View Permissions.

  4. Review the permissions and ensure no public access is granted.

  5. Remove or modify any public access by updating the Log Group’s permissions to restrict access.

  6. Repeat the process for all Log Groups in your AWS account.

Using AWS CLI:

Run the describe-log-groups command to list all log groups:

aws logs describe-log-groups --query 'logGroups[*].logGroupName'

List the account's resource-based policies (describe-resource-policies takes no --log-group-name option; check each policy's Resource element for the Log Group of interest):

aws logs describe-resource-policies

Modify the policy to ensure no public access is allowed:

aws logs put-resource-policy --policy-name <PolicyName> --policy-document <PolicyDocument>
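As an added example (not part of this benchmark page), the following Python performs the review that both CLI sections do by hand on the JSON returned by `aws logs describe-resource-policies`: it flags Allow statements whose Principal is a wildcard and whose Condition does not narrow it, treating an aws:SourceIp of 0.0.0.0/0 or ::/0 as no restriction at all. The two policy documents, the account ID and the log group ARNs are constructed samples, shown as the weak policy beside a hardened one.

```python
import json

# Constructed sample of `aws logs describe-resource-policies` output (not from a
# real account); the API returns each policyDocument as a JSON string.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OpenToEveryone", "Effect": "Allow", "Principal": "*",
    "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
    "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/prod:*",
    "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}]}  # 0.0.0.0/0 restricts nothing
HARDENED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Route53Only", "Effect": "Allow",
    "Principal": {"Service": "route53.amazonaws.com"},
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/route53/*",
    "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}]}
SAMPLE_OUTPUT = {"resourcePolicies": [
    {"policyName": "weak-policy", "policyDocument": json.dumps(WEAK)},
    {"policyName": "hardened-policy", "policyDocument": json.dumps(HARDENED)}]}

WILDCARD_CIDRS = {"0.0.0.0/0", "::/0"}

def _as_list(value):
    # IAM allows a single string/object or a list in most positions.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _is_wildcard_principal(principal):
    """Principal "*" or {"AWS": "*"} means any principal on the internet."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def _condition_restricts(condition):
    """True if some clause narrows the principal; IpAddress 0.0.0.0/0 or ::/0 does not."""
    for operator, keys in (condition or {}).items():
        for values in keys.values():
            if operator.startswith("IpAddress") and set(_as_list(values)) <= WILDCARD_CIDRS:
                continue  # allows every address: no restriction
            return True
    return False

def find_public_statements(output):
    """Return (policyName, Sid) for every Allow statement usable by any principal."""
    findings = []
    for policy in output["resourcePolicies"]:
        doc = json.loads(policy["policyDocument"])  # the document is a JSON string
        for stmt in _as_list(doc["Statement"]):
            if (stmt.get("Effect") == "Allow"
                    and _is_wildcard_principal(stmt.get("Principal"))
                    and not _condition_restricts(stmt.get("Condition"))):
                findings.append((policy["policyName"], stmt.get("Sid", "<no Sid>")))
    return findings
```

Pipe the real CLI output through `json.load` and pass it to `find_public_statements`; any finding is a statement to remove or re-scope with put-resource-policy.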
Backout Plan:

  1. If the access policy changes inadvertently affect access or usability, revert the access permissions by restoring the previous settings.

  2. If any Log Groups were mistakenly modified, restore the correct permissions by reapplying access controls with the appropriate restrictions.

  3. Backup Log Groups by exporting logs if necessary before making any changes.

References:

CIS Controls Mapping:

  Control Version | Control ID | Control Description
  ----------------|------------|-------------------------------------------------------------------------
  v8              | 8.5        | Collect detailed audit logs and configure retention for log management.
  v7              | 6.3        | Enable system logging and configure appropriate retention policies.