Profile Applicability
- Level 1
Description:
CloudTrail delivers its log files to an S3 bucket, and S3 server access logging records each request made to a bucket. Enabling server access logging on the CloudTrail bucket therefore captures who read, wrote or deleted the log objects and who changed the bucket's own configuration, which is the record needed when auditing, or investigating unauthorized access to, the CloudTrail logs.
Each server access log record includes the requester (canonical user ID or IAM ARN), request time, source IP address, operation (for example REST.GET.OBJECT or REST.DELETE.OBJECT), object key, HTTP status and error code. Enabling this feature improves the auditability and integrity of the CloudTrail logs. Note that S3 delivers server access logs on a best-effort basis, so the record is not guaranteed to be complete or timely; treat it as a detection source rather than as a substitute for CloudTrail log file validation.
Rationale:
Server access logging for S3 buckets provides the following benefits:
Auditability: Tracks every request made to the S3 bucket where CloudTrail logs are stored, allowing for accountability and detailed logging of access.
Security monitoring: Helps detect unauthorized or suspicious access to CloudTrail logs, such as attempts to delete or modify log data.
Compliance: Meets regulatory requirements for logging and audit trail integrity.
Without server access logging, you lose visibility into the access patterns for CloudTrail logs, increasing the risk of unauthorized tampering or data exposure.
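As an added example (not part of the original benchmark text and not AWS code), the following Python applies the detection described above to S3 server access log lines from a CloudTrail bucket: it parses the space-delimited record format and flags operations that delete or overwrite log objects or weaken the bucket's controls when they come from anyone other than the expected writer, plus reads by principals outside an allow-list. The log lines, bucket and principal names are constructed; the requester string used for CloudTrail's own deliveries, the allow-lists and the operation set are assumptions to adjust for your account.

```python
"""Flag tampering and unexpected reads in S3 server access logs for a
CloudTrail bucket.

Added example for this page (not AWS or CIS code). The log lines are
constructed. Field order follows the S3 server access log format; the
requester used for CloudTrail's own deliveries, the allow-lists and the
operation set are assumptions to adjust for your account.
"""
import re
from collections import namedtuple
from typing import Iterable, List, NamedTuple, Set

# Leading fields of an S3 server access log record, in order.
FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri", "http_status",
          "error_code", "bytes_sent", "object_size", "total_time",
          "turnaround_time", "referer", "user_agent", "version_id", "host_id",
          "signature_version", "cipher_suite", "auth_type", "host_header",
          "tls_version")
Entry = namedtuple("Entry", FIELDS)

# A token is a [bracketed time], a "quoted string", or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')


def parse_line(line: str) -> Entry:
    tokens = [t.strip('"[]') for t in _TOKEN.findall(line)]
    # Newer records append fields (access point ARN, aclRequired); pad or
    # truncate so old and new lines map onto the same tuple.
    tokens = (tokens + ["-"] * len(FIELDS))[:len(FIELDS)]
    return Entry(*tokens)


# Operations that remove or overwrite log objects, or weaken the bucket's own
# controls. Assumed set using the REST.<METHOD>.<RESOURCE> naming of S3 logs.
TAMPER_OPS = {"REST.DELETE.OBJECT", "REST.POST.MULTI_OBJECT_DELETE",
              "REST.PUT.OBJECT", "REST.COPY.OBJECT", "REST.PUT.POLICY",
              "REST.DELETE.POLICY", "REST.PUT.ACL", "REST.PUT.LIFECYCLE",
              "REST.PUT.LOGGING_STATUS", "REST.DELETE.BUCKET"}


class Finding(NamedTuple):
    severity: str
    requester: str
    operation: str
    key: str
    http_status: str


def analyze(lines: Iterable[str], expected_writers: Set[str],
            allowed_readers: Set[str]) -> List[Finding]:
    """Return findings in log order. Denied requests (403) are kept: a refused
    delete against the audit bucket is itself worth an alert."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e.operation in TAMPER_OPS and e.requester not in expected_writers:
            findings.append(Finding("high", e.requester, e.operation, e.key, e.http_status))
        elif (e.operation == "REST.GET.OBJECT"
              and e.requester not in expected_writers | allowed_readers):
            findings.append(Finding("medium", e.requester, e.operation, e.key, e.http_status))
    return findings


# --- constructed sample data (placeholders, not real deliveries) -----------
CLOUDTRAIL_WRITER = "svc:cloudtrail.amazonaws.com"   # assumed requester string
ANALYST = "arn:aws:sts::111122223333:assumed-role/SecurityAnalyst/alice"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"
ADMIN = "arn:aws:sts::111122223333:assumed-role/AdminRole/bob"
_BKT = "ct-logs-111122223333"
_KEY = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/03/12/111122223333_CloudTrail_us-east-1_20240312T1015Z_abc.json.gz"
_TAIL = f"HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {_BKT}.s3.amazonaws.com TLSv1.2"
SAMPLE_LINES = [
    f'OWNER {_BKT} [12/Mar/2024:10:15:02 +0000] 10.0.0.5 {CLOUDTRAIL_WRITER} 3E57427F33A59F07 '
    f'REST.PUT.OBJECT {_KEY} "PUT /{_KEY} HTTP/1.1" 200 - - 1532 12 6 "-" "aws-internal/3" - {_TAIL}',
    f'OWNER {_BKT} [12/Mar/2024:10:17:44 +0000] 203.0.113.9 {CONTRACTOR} 7B4C2A9E1D0F3E5A '
    f'REST.DELETE.OBJECT {_KEY} "DELETE /{_KEY} HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "aws-cli/2.15.0" - {_TAIL}',
    f'OWNER {_BKT} [12/Mar/2024:10:20:10 +0000] 198.51.100.7 {ANALYST} 9C1D8E7F6A5B4C3D '
    f'REST.GET.OBJECT {_KEY} "GET /{_KEY} HTTP/1.1" 200 - 1532 1532 18 9 "-" "aws-sdk-python/1.34" - {_TAIL}',
    f'OWNER {_BKT} [12/Mar/2024:10:25:31 +0000] 203.0.113.20 {ADMIN} A1B2C3D4E5F60718 '
    f'REST.PUT.POLICY - "PUT /?policy HTTP/1.1" 200 - - - 22 - "-" "aws-cli/2.15.0" - {_TAIL}',
    f'OWNER {_BKT} [12/Mar/2024:10:31:05 +0000] 203.0.113.9 {CONTRACTOR} 0F1E2D3C4B5A6978 '
    f'REST.GET.OBJECT {_KEY} "GET /{_KEY} HTTP/1.1" 200 - 1532 1532 20 11 "-" "aws-cli/2.15.0" - {_TAIL}',
]

if __name__ == "__main__":
    for fnd in analyze(SAMPLE_LINES, {CLOUDTRAIL_WRITER}, {ANALYST}):
        print(f"{fnd.severity:6} {fnd.operation:26} {fnd.http_status} {fnd.requester} {fnd.key}")
```

Against the sample, the writer's own PUT and the analyst's read produce nothing, while the contractor's denied delete, the policy change and the contractor's successful read are reported. Keeping 403s is deliberate: on an audit bucket, a refused delete attempt is usually the more interesting event.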
Impact:
Failure to enable server access logging on the S3 bucket for CloudTrail logs can result in:
Lack of visibility into who is accessing CloudTrail logs.
Delayed detection of unauthorized access to log data.
Potential tampering with or deletion of CloudTrail logs without detection.
Enabling server access logging records access to the CloudTrail logs so that it can be reviewed and alerted on.
Default Value:
By default, server access logging is not enabled for S3 buckets storing CloudTrail logs. You need to manually enable it for each CloudTrail log bucket.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
s3:GetBucketLogging
s3:PutBucketLogging
s3:PutBucketPolicy (on the target bucket, to grant the log delivery service principal)
cloudtrail:DescribeTrails
CloudTrail should be enabled with a trail delivering to an S3 bucket
A separate target bucket for the access logs, in the same AWS Region and account as the CloudTrail bucket, whose bucket policy allows the logging.s3.amazonaws.com service principal to s3:PutObject under the chosen prefix (the legacy method grants the S3 log delivery group through a bucket ACL, which requires ACLs to be enabled on the target bucket)
Remediation:
Test Plan:
Using AWS Console:
Go to the S3 Console.
Select the bucket where CloudTrail delivers its logs, open the Properties tab and verify that Server access logging is Enabled and that the target bucket is a different bucket.
Go to the CloudTrail Console, open the trail and note the S3 bucket it delivers to, so that the bucket you checked is the right one (the CloudTrail console does not show the bucket's server access logging status).
Using AWS CLI:
aws s3api get-bucket-logging --bucket <bucket-name> --query "LoggingEnabled" --output table
No output means server access logging is disabled; when enabled, the table shows TargetBucket and TargetPrefix, and TargetBucket should differ from <bucket-name>.
To find which bucket each trail delivers to (the response key is trailList, with a lowercase t, and every trail has an S3BucketName, so no null filter is needed):
aws cloudtrail describe-trails --query "trailList[].{TrailName:Name, S3BucketName:S3BucketName}" --output table
Implementation Plan:
Using AWS Console:
Enable server access logging for CloudTrail S3 bucket:
Go to the S3 Console.
Select the S3 bucket where CloudTrail logs are stored.
Under the Properties tab, go to Server access logging.
Enable logging and specify a Target bucket that is different from the CloudTrail bucket (logging a bucket into itself records every log delivery as another request, so the log grows without bound). The target bucket must be in the same Region and account; the console updates the target bucket policy to allow logging.s3.amazonaws.com when you enable logging here, whereas the CLI does not.
Verify CloudTrail logging configuration:
Go to the CloudTrail Console.
Ensure CloudTrail is configured to store logs in the specified S3 bucket.
Using AWS CLI:
Enable server access logging for the CloudTrail S3 bucket (the target bucket's policy must already allow logging.s3.amazonaws.com to s3:PutObject under the prefix; the CLI does not add that statement for you):
aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "<log-bucket-name>", "TargetPrefix": "logs/"}}'
Verify which bucket each trail delivers to, and therefore which buckets need this setting:
aws cloudtrail describe-trails --query "trailList[].{TrailName:Name, S3BucketName:S3BucketName}" --output table
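As an added example (not part of the original benchmark text and not AWS or CIS code), the following Python ties the Test Plan and Implementation Plan together: it shells out to the same aws cloudtrail describe-trails and aws s3api get-bucket-logging commands shown above, classifies each CloudTrail bucket as not logged, logged into itself, or compliant, and builds both the target bucket policy for the log delivery service principal and the put-bucket-logging payload in the order the CLI requires. The live functions need the AWS CLI and credentials; the pure functions run offline on constructed responses. Bucket, account and trail names are placeholders.

```python
"""Audit and remediate S3 server access logging for CloudTrail buckets.

Added example for this page (not AWS or CIS code). The live path runs the
same `aws cloudtrail describe-trails` and `aws s3api get-bucket-logging`
commands the page shows; the pure functions work on parsed CLI responses.
Bucket, account and trail names are placeholders.
"""
import json
import subprocess
from typing import Callable, Dict, List, Tuple

NOT_ENABLED = "NOT_ENABLED"   # no LoggingEnabled block in the response
SELF_TARGET = "SELF_TARGET"   # logs written back into the bucket being logged
OK = "OK"


def evaluate(source_bucket: str, logging_response: dict) -> str:
    """Classify a get-bucket-logging response for one CloudTrail bucket."""
    enabled = logging_response.get("LoggingEnabled")
    if not enabled:
        return NOT_ENABLED
    # Logging a bucket into itself records every log delivery as a request,
    # so the access log feeds itself; use a separate target bucket.
    if enabled.get("TargetBucket") == source_bucket:
        return SELF_TARGET
    return OK


def audit(trails: List[dict],
          get_logging: Callable[[str], dict]) -> Dict[str, Tuple[str, str]]:
    """Map each distinct CloudTrail bucket to (first trail name, status).

    `trails` is the trailList array from describe-trails; `get_logging`
    returns the parsed get-bucket-logging response for a bucket name.
    """
    results: Dict[str, Tuple[str, str]] = {}
    for trail in trails:
        bucket = trail["S3BucketName"]
        if bucket in results:            # several trails can share one bucket
            continue
        results[bucket] = (trail["Name"], evaluate(bucket, get_logging(bucket)))
    return results


def logging_status_json(target_bucket: str, target_prefix: str) -> str:
    """Payload for `aws s3api put-bucket-logging --bucket-logging-status`."""
    return json.dumps({"LoggingEnabled": {"TargetBucket": target_bucket,
                                          "TargetPrefix": target_prefix}})


def target_bucket_policy(source_bucket: str, target_bucket: str,
                         target_prefix: str, account_id: str) -> dict:
    """Policy the target bucket needs before put-bucket-logging succeeds: the
    S3 log delivery service principal may write only under the prefix, and
    only on behalf of this source bucket and account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {"Service": "logging.s3.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{target_bucket}/{target_prefix}*",
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def _aws(*args: str) -> dict:
    """Run an AWS CLI command and parse its JSON output (empty output -> {},
    which is what get-bucket-logging prints when logging is disabled)."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def audit_live() -> Dict[str, Tuple[str, str]]:
    """Live audit: the Test Plan commands, evaluated per bucket."""
    trails = _aws("cloudtrail", "describe-trails").get("trailList", [])
    return audit(trails, lambda b: _aws("s3api", "get-bucket-logging", "--bucket", b))


def remediate_live(source_bucket: str, target_bucket: str,
                   target_prefix: str, account_id: str) -> str:
    """Grant the log delivery principal on the target bucket, then enable
    logging on the CloudTrail bucket; returns the resulting status.
    put-bucket-policy replaces the whole policy: merge the statement into an
    existing policy instead of calling this on a bucket that already has one."""
    policy = target_bucket_policy(source_bucket, target_bucket, target_prefix, account_id)
    _aws("s3api", "put-bucket-policy", "--bucket", target_bucket, "--policy", json.dumps(policy))
    _aws("s3api", "put-bucket-logging", "--bucket", source_bucket,
         "--bucket-logging-status", logging_status_json(target_bucket, target_prefix))
    return evaluate(source_bucket, _aws("s3api", "get-bucket-logging", "--bucket", source_bucket))


if __name__ == "__main__":
    for bucket, (trail, status) in audit_live().items():
        print(f"{status:12} {bucket} (trail {trail})")
```

Running the script with the AWS CLI configured prints one line per CloudTrail bucket; only OK is compliant, and SELF_TARGET is worth fixing even though the console would report logging as enabled. The policy scopes the delivery principal with aws:SourceArn and aws:SourceAccount so that another account's bucket cannot be pointed at your target bucket.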
Backout Plan:
Using AWS Console:
If server access logging produces more log volume (and storage cost) than the target bucket is provisioned for (it does not affect the performance of the CloudTrail bucket itself, since log delivery is asynchronous):
Go to the S3 Console.
Disable Server access logging on the S3 bucket storing CloudTrail logs, or keep it enabled and add a lifecycle rule on the target bucket to expire old access logs.
The trail does not need to change: server access logging is a property of the bucket and is independent of CloudTrail's own configuration.
Using AWS CLI:
Temporarily disable server access logging (an empty status removes the LoggingEnabled block):
aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{}'
Stopping the trail is not part of this backout and leaves a gap in the audit record; only run the following if the trail must be stopped for an unrelated reason:
aws cloudtrail stop-logging --name <trail-name>
Re-enable server access logging once the issue is resolved, and restart the trail if it was stopped:
aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "<log-bucket-name>", "TargetPrefix": "logs/"}}'
aws cloudtrail start-logging --name <trail-name>