Profile Applicability:

Level 1

Description:

AWS Lightsail provides object storage buckets that may hold sensitive data. Bucket access logging records the requests made to a bucket (requester, time, operation and object key, in the same format as Amazon S3 server access logs) and delivers the records to a destination bucket you choose. Enabling it lets you reconstruct who read, wrote or deleted objects, detect unauthorized or anomalous access, and demonstrate compliance with data access policies.

Rationale:

Enabling access logging for Lightsail buckets ensures that:

  • You can track the requests made to your storage buckets, including who made them and which objects they touched.

  • You are able to identify and audit unauthorized access or suspicious activities.

  • Access logs help with troubleshooting and provide insights into usage patterns.

Default Value:

By default, access logging is disabled on Lightsail buckets. It is a per-bucket setting and must be enabled on each bucket, with a destination bucket, before any access logs are captured.

Impact:

  • Pros:

    • Enhanced security by monitoring all access to storage buckets.

    • Improved auditing and compliance with internal security policies and regulations.

    • Quick identification of unauthorized access attempts.

  • Cons:

    • Logs accumulate in the destination bucket and count toward its storage quota, so the log bucket needs a retention or lifecycle plan.

    • Log delivery is best effort and can lag by hours; the logs support investigation and audit, not real-time alerting.

    • Logs only help if someone reviews them: the log bucket must be kept private and ideally separate from the source bucket, and periodic analysis is required so that suspicious activity is not missed.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the Amazon Lightsail console.

  2. Choose the Storage tab, then choose the bucket you want to audit.

  3. On the bucket management page, choose the Logging tab.

  4. Confirm that access logging is enabled and that a destination bucket (and optional prefix) is shown. If logging is disabled, the bucket is non-compliant.

  5. Open the destination bucket and confirm that log objects are being delivered. Delivery is best effort and can lag by several hours, so re-check later before concluding that logging is not working.

Using AWS CLI:

  1. Run the following command to display the access logging configuration of a bucket:

    aws lightsail get-buckets --bucket-name <bucket-name> --query 'buckets[].{name:name,logging:accessLogConfig}'

  2. The bucket is compliant only if accessLogConfig.enabled is true and destination names a bucket in the same account and AWS Region. To list every bucket in the current Region with logging disabled, run:

    aws lightsail get-buckets --query 'buckets[?accessLogConfig.enabled==`false`].name'

Implementation Plan:

Using AWS Console:

  1. Sign in to the Amazon Lightsail console.

  2. Choose the Storage tab, then choose the bucket for which you want to enable access logging.

  3. On the bucket management page, choose the Logging tab.

  4. Enable access logging, choose a destination bucket, and optionally enter a prefix (for example, the source bucket name followed by a slash) so that logs from several buckets can share one destination without mixing. The destination must be a Lightsail bucket in the same account and AWS Region. Use a dedicated, private log bucket rather than the source bucket itself, so that a principal who can write to the source bucket cannot alter its own access logs.

  5. Save the change, then verify later that log objects are being written to the destination bucket.

Using AWS CLI:

  1. To enable access logging, run the following command (the prefix is optional):

    aws lightsail update-bucket --bucket-name <bucket-name> --access-log-config enabled=true,destination=<log-destination-bucket-name>,prefix=<bucket-name>/

  2. Confirm the new configuration:

    aws lightsail get-buckets --bucket-name <bucket-name> --query 'buckets[0].accessLogConfig'
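The following script is an added example for the Test Plan and Implementation Plan above; it is not code from this page or from AWS. It applies the compliance rule to the output of `aws lightsail get-buckets` (the same shape that boto3's `get_buckets()` returns) and builds the matching `update-bucket` command for each failing bucket. The bucket names, Region and prefixes in the sample response are constructed; the same-Region and do-not-log-into-yourself rules are the ones stated in the Implementation Plan, and the check assumes the full bucket list has been fetched (page through nextPageToken first if you have many buckets).

```python
"""Audit Lightsail bucket access logging from a get-buckets response.

Added example, not the page's or AWS's own code. The response shape
mirrors `aws lightsail get-buckets` / boto3 get_buckets()
(buckets[].name, location.regionName, accessLogConfig); the bucket
names, Region and prefixes below are constructed sample data.
"""
from __future__ import annotations

# Constructed sample: one compliant bucket, one with logging disabled,
# one logging into itself, and one whose destination is in another Region.
SAMPLE_GET_BUCKETS = {
    "buckets": [
        {"name": "app-data", "location": {"regionName": "us-east-1"},
         "accessLogConfig": {"enabled": True, "destination": "audit-logs",
                             "prefix": "app-data/"}},
        {"name": "audit-logs", "location": {"regionName": "us-east-1"},
         "accessLogConfig": {"enabled": False}},
        {"name": "backups", "location": {"regionName": "us-east-1"},
         "accessLogConfig": {"enabled": True, "destination": "backups"}},
        {"name": "eu-assets", "location": {"regionName": "eu-west-1"},
         "accessLogConfig": {"enabled": True, "destination": "audit-logs"}},
    ]
}


def audit_access_logging(response: dict) -> dict[str, list[str]]:
    """Return {bucket_name: [findings]} for every bucket that fails the check.

    A bucket passes only if logging is enabled and the destination is a
    different bucket in the same account and Region. Logging into the
    source bucket itself is flagged because anyone who can write to that
    bucket could then tamper with its own access logs. Assumes `response`
    holds the complete bucket list (no further nextPageToken pages).
    """
    buckets = {b["name"]: b for b in response.get("buckets", [])}
    findings: dict[str, list[str]] = {}
    for name, bucket in buckets.items():
        cfg = bucket.get("accessLogConfig") or {}
        problems: list[str] = []
        if not cfg.get("enabled"):
            problems.append("access logging disabled")
        else:
            dest = cfg.get("destination")
            region = bucket["location"]["regionName"]
            if not dest:
                problems.append("logging enabled but no destination bucket")
            elif dest == name:
                problems.append("logs are written into the source bucket itself")
            elif dest not in buckets:
                problems.append(f"destination bucket {dest!r} not found in this account")
            elif buckets[dest]["location"]["regionName"] != region:
                problems.append(f"destination bucket {dest!r} is in another Region")
        if problems:
            findings[name] = problems
    return findings


def remediation_command(bucket: str, destination: str,
                        prefix: str | None = None) -> list[str]:
    """Build the `aws lightsail update-bucket` argv that enables logging
    for `bucket` into `destination`, with an optional key prefix."""
    cfg = f"enabled=true,destination={destination}"
    if prefix:
        cfg += f",prefix={prefix}"
    return ["aws", "lightsail", "update-bucket", "--bucket-name", bucket,
            "--access-log-config", cfg]


if __name__ == "__main__":
    # Report each non-compliant bucket and the command that would fix it,
    # using a dedicated "audit-logs" bucket and a per-bucket prefix.
    for name, problems in audit_access_logging(SAMPLE_GET_BUCKETS).items():
        print(f"{name}: {'; '.join(problems)}")
        print("    " + " ".join(remediation_command(name, "audit-logs", f"{name}/")))
```

To run it against a real account, replace SAMPLE_GET_BUCKETS with `json.load()` of `aws lightsail get-buckets` output (or boto3's `client("lightsail").get_buckets()`), review the findings, and then execute the printed commands. The audit-logs bucket in the sample is itself reported as unlogged, which is intentional: the log bucket needs its own destination, not a loop into itself.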

Backout Plan:

Using AWS Console:

  1. If logging is incorrectly configured, sign in to the Amazon Lightsail console.

  2. Choose the Storage tab, then choose the affected bucket.

  3. On the bucket management page, choose the Logging tab.

  4. Correct the destination bucket or prefix, or disable access logging.

Using AWS CLI:

  1. If logging needs to be disabled, run the following command:

    aws lightsail update-bucket --bucket-name <bucket-name> --access-log-config enabled=false

References:

  • https://docs.aws.amazon.com/cli/latest/reference/lightsail/get-buckets.html

  • https://docs.aws.amazon.com/cli/latest/reference/lightsail/update-bucket.html

CIS Controls:

  Version   Control ID   Control Description

  v8        8.2          Collect Audit Logs

  v7        6.2          Activate Audit Logging