Profile Applicability:

  • Level 1

Description:

Object-level logging for write events in Amazon S3 tracks all write operations (e.g., PUT, POST, DELETE) made to objects within an S3 bucket. Enabling this logging is essential for auditing and tracking changes to sensitive objects in S3, such as additions, modifications, and deletions.

When object-level logging is enabled for write events, organizations gain visibility into operations that modify object data, helping to detect and respond to unauthorized changes or accidental deletions. This feature is especially important for compliance with regulatory requirements like GDPR, HIPAA, and SOC 2, where detailed tracking of data modifications is necessary.

Rationale:

Tracking write events in S3 provides the following benefits:

  • Visibility into operations that modify S3 objects.

  • Auditability of who made changes to sensitive data, enhancing accountability.

  • Security monitoring to detect unauthorized or malicious write operations.

  • Compliance with regulations requiring detailed logging of data modifications.

Without object-level logging for write events, organizations cannot track changes to objects, making it harder to detect malicious activity, accidental data loss, or unauthorized access.

Impact:

Failure to enable object-level logging for write events can result in:

  • Loss of visibility into the modification or deletion of objects.

  • Inability to track unauthorized changes to sensitive data.

  • Non-compliance with regulatory standards that require detailed data modification tracking.

Enabling this logging ensures that all write operations to objects are captured for audit purposes.

Default Value:

By default, object-level logging for write events is not enabled on S3 buckets. It must be explicitly configured through S3 bucket settings or via AWS Config to track write events such as PUT, POST, or DELETE requests.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • s3:GetBucketLogging

    • s3:PutBucketLogging

    • config:DescribeConfigurationRecorder

  • AWS Config should be enabled to track the state of S3 bucket logging

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the S3 Console.

  2. Navigate to the S3 bucket where you want to enable object-level logging for write events.

  3. In the Properties section of the bucket, under Server access logging, ensure that Object-level logging for write events is enabled.

  4. Go to the AWS Config Console and verify that the Configuration Recorder is active and tracking S3 bucket logging configurations.

Using AWS CLI:

aws s3api get-bucket-logging --bucket <bucket-name> --query "LoggingEnabled" --output table

To verify if AWS Config is tracking S3 bucket logging configurations:

aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[?recordingGroup.allSupported==`true`].{Name:name, RecordingGroup:recordingGroup}' --output table

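
The two CLI checks above are easier to run across many buckets when their JSON output is judged by a script rather than read from a table. The following Python is an added example, not part of the original document or of any AWS tool: it parses the output of `aws s3api get-bucket-logging` and `aws configservice describe-configuration-recorders` (run with the default `--output json`), handles the case where the first command prints nothing at all because logging is disabled, and also accepts a recorder that lists AWS::S3::Bucket explicitly rather than recording all supported types, which the JMESPath query above would miss. The bucket, role ARN and recorder names in the samples are constructed.

```python
import json


# Constructed sample responses, in the JSON the two CLI commands above return
# (use the default --output json instead of --output table when piping).
SAMPLE_LOGGING_ON = json.dumps({
    "LoggingEnabled": {"TargetBucket": "example-log-bucket", "TargetPrefix": "logs/"}
})
SAMPLE_LOGGING_OFF = ""  # get-bucket-logging prints nothing when logging is disabled

SAMPLE_RECORDERS = json.dumps({
    "ConfigurationRecorders": [{
        "name": "default",
        "roleARN": "arn:aws:iam::123456789012:role/example-config-role",  # constructed
        "recordingGroup": {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "resourceTypes": ["AWS::S3::Bucket"],
        },
    }]
})


def _load(raw: str) -> dict:
    """Parse CLI JSON; empty output (logging disabled) becomes an empty dict."""
    raw = raw.strip()
    return json.loads(raw) if raw else {}


def evaluate_bucket_logging(raw: str, bucket: str) -> dict:
    """Judge one bucket's get-bucket-logging output.

    compliant: logging is enabled and names a target bucket.
    findings: anything a reviewer should look at, whether or not it fails the check.
    """
    enabled = _load(raw).get("LoggingEnabled") or {}
    target = enabled.get("TargetBucket", "")
    findings = []
    if not enabled:
        findings.append("server access logging is disabled")
    elif not target:
        findings.append("LoggingEnabled is present but has no TargetBucket")
    else:
        if target == bucket:
            findings.append("log target is the source bucket itself (not recommended)")
        if not enabled.get("TargetPrefix"):
            findings.append("no TargetPrefix; logs from several buckets will be mixed")
    return {"bucket": bucket, "compliant": bool(target), "findings": findings}


def evaluate_config_recorder(raw: str) -> dict:
    """Judge describe-configuration-recorders output.

    A recorder covers S3 buckets if it records all supported types or lists
    AWS::S3::Bucket explicitly; the query in the test plan only checks the former.
    """
    covering = []
    for rec in _load(raw).get("ConfigurationRecorders", []):
        group = rec.get("recordingGroup", {})
        if group.get("allSupported") or "AWS::S3::Bucket" in group.get("resourceTypes", []):
            covering.append(rec.get("name", "<unnamed>"))
    return {"compliant": bool(covering), "recorders": covering}


if __name__ == "__main__":
    # Run against the constructed samples; in practice pipe real CLI output in.
    print(evaluate_bucket_logging(SAMPLE_LOGGING_ON, "example-data-bucket"))
    print(evaluate_bucket_logging(SAMPLE_LOGGING_OFF, "example-data-bucket"))
    print(evaluate_config_recorder(SAMPLE_RECORDERS))
```

To audit a real bucket, capture `aws s3api get-bucket-logging --bucket <bucket-name>` into a string and pass it to `evaluate_bucket_logging` together with the bucket name; a non-empty `findings` list with `compliant` still true marks a configuration that passes the check but deserves a second look.
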
Implementation Plan:

Using AWS Console:

  1. Enable object-level logging for S3 buckets:

    • Go to the S3 Console.

    • Select the S3 bucket where you want to enable logging.

    • Under the Properties tab, go to Server access logging.

    • Enable logging, and ensure that the Log file prefix is set to differentiate logs for write operations.

  2. Enable AWS Config to track bucket logging configurations:

    • In the AWS Config Console, ensure the Configuration Recorder is active and tracking S3 bucket logging configurations.

Using AWS CLI:

  1. Enable object-level logging for S3 bucket:

aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "<log-bucket-name>", "TargetPrefix": "logs/"}}'

  2. Enable AWS Config to monitor S3 bucket logging:

aws configservice put-configuration-recorder --configuration-recorder name=<recorder-name>,roleARN=<config-role-arn> --recording-group allSupported=true,includeGlobalResourceTypes=true
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>

Backout Plan:

Using AWS Console:

  1. If object-level logging for write events causes excessive logging or performance issues:

    • Go to the S3 Console.

    • Disable Server access logging for the S3 bucket.

    • Alternatively, adjust the frequency or scope of the logging configuration if it is generating too many logs.

  2. Modify AWS Config settings to exclude logging configurations if it causes performance or resource consumption issues.

Using AWS CLI:

  1. Temporarily disable object-level logging:

aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{}'

  2. Stop recording S3 bucket logging configurations in AWS Config:

aws configservice stop-configuration-recorder --configuration-recorder-name <recorder-name>

  3. Re-enable monitoring once issues are resolved:

aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "<log-bucket-name>", "TargetPrefix": "logs/"}}'
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  --------------------|------------|--------------------------------------------------------------
  CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
  CIS v7              | 6.3        | Monitor Security Configurations for Compliance
  CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services