Profile Applicability

  • Level 1

Description:

S3 object-level logging enables the tracking of individual read requests made to objects stored in Amazon S3 buckets. This feature logs operations such as GET, SELECT, and HEAD requests, providing detailed information on how objects are accessed.

Enabling object-level logging for read events helps organizations monitor and audit access to sensitive data, ensuring compliance with internal security and data protection policies. It allows tracking of who accessed which objects and when, which is crucial for detecting suspicious activity or unauthorized access to data.
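
As an illustration of what these records make possible once logging is on, the following Python (an added example, not part of the benchmark text) parses lines in the S3 server access log layout, keeps only object-level read operations, and summarizes reads per requester, including denied attempts. The log lines, bucket name, principals, addresses and request ids are constructed; the set of read operations covers GET and HEAD on objects and is meant to be extended with whatever other read operation names (such as Select requests) appear in your own logs.

```python
import re
from collections import defaultdict

# Leading fields of the S3 server access log format, in order. Trailing
# fields (host id, signature version, TLS version, ...) are ignored here.
FIELDS = (
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referer", "user_agent", "version_id",
)

# One token is a bracketed timestamp, a double-quoted string, or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Object-level read operations as written in the operation field. Bucket
# listings (REST.GET.BUCKET) are not object reads and are left out on purpose;
# extend this set if your logs carry other read operation names (assumption).
READ_OPERATIONS = frozenset({"REST.GET.OBJECT", "REST.HEAD.OBJECT"})

# Constructed sample lines in the server access log layout (not real traffic;
# owner id, bucket, principals, addresses and request ids are placeholders).
SAMPLE_LOG = """\
0123456789abcdefEXAMPLEOWNERID example-bucket [10/Mar/2024:12:00:01 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /example-bucket/reports/q1.csv HTTP/1.1" 200 - 51234 51234 18 9 "-" "aws-cli/2.15.0" -
0123456789abcdefEXAMPLEOWNERID example-bucket [10/Mar/2024:12:00:02 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice 7B2F1C0AEXAMPLE REST.HEAD.OBJECT reports/q1.csv "HEAD /example-bucket/reports/q1.csv HTTP/1.1" 200 - - 51234 7 7 "-" "aws-cli/2.15.0" -
0123456789abcdefEXAMPLEOWNERID example-bucket [10/Mar/2024:12:05:44 +0000] 203.0.113.9 - 9C4D2E1FEXAMPLE REST.GET.OBJECT config/secrets.json "GET /example-bucket/config/secrets.json HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.4.0" -
0123456789abcdefEXAMPLEOWNERID example-bucket [10/Mar/2024:12:06:10 +0000] 198.51.100.22 arn:aws:iam::111122223333:user/bob 1A2B3C4DEXAMPLE REST.PUT.OBJECT uploads/photo.jpg "PUT /example-bucket/uploads/photo.jpg HTTP/1.1" 200 - - 204800 35 20 "-" "aws-sdk-java/2.20.0" -
0123456789abcdefEXAMPLEOWNERID example-bucket [10/Mar/2024:12:07:33 +0000] 198.51.100.22 arn:aws:iam::111122223333:user/bob 5E6F7A8BEXAMPLE REST.GET.OBJECT reports/q2.csv "GET /example-bucket/reports/q2.csv HTTP/1.1" 200 - 48211 48211 16 8 "-" "aws-sdk-java/2.20.0" -
0123456789abcdefEXAMPLEOWNERID example-bucket [10/Mar/2024:12:07:40 +0000] 198.51.100.22 arn:aws:iam::111122223333:user/bob 9F0E1D2CEXAMPLE REST.GET.BUCKET - "GET /example-bucket?list-type=2 HTTP/1.1" 200 - 1873 - 12 11 "-" "aws-sdk-java/2.20.0" -
"""


def parse_access_log_line(line):
    """Split one access log line into a dict keyed by FIELDS."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(tokens)}")
    record = {}
    for name, token in zip(FIELDS, tokens):
        if token[0] in '["' and token[-1] in ']"':
            token = token[1:-1]  # strip the [..] or ".." delimiters
        record[name] = token     # "-" is kept: it is S3's "not applicable" marker
    record["http_status"] = int(record["http_status"])
    return record


def read_events(lines):
    """Parse the given lines and keep only object-level read operations."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = parse_access_log_line(line)
        if record["operation"] in READ_OPERATIONS:
            events.append(record)
    return events


def summarize_by_requester(events):
    """Per requester: read count, distinct keys read, and reads denied with
    HTTP 403. Denied reads are the first thing to review, since they show
    callers asking for objects they are not entitled to."""
    summary = defaultdict(lambda: {"reads": 0, "keys": set(), "denied": 0})
    for event in events:
        who = "anonymous" if event["requester"] == "-" else event["requester"]
        entry = summary[who]
        entry["reads"] += 1
        entry["keys"].add(event["key"])
        if event["http_status"] == 403:
            entry["denied"] += 1
    return dict(summary)


if __name__ == "__main__":
    per_requester = summarize_by_requester(read_events(SAMPLE_LOG.splitlines()))
    for who, stats in sorted(per_requester.items()):
        print(f"{who}: {stats['reads']} read(s), {len(stats['keys'])} distinct key(s), "
              f"{stats['denied']} denied")
```

On the constructed input the write (REST.PUT.OBJECT) and the bucket listing drop out, leaving four object reads: two by alice, one by bob, and one anonymous request that was denied. Point read_events at the log objects delivered to your target bucket to run the same summary over real data.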

Rationale:

Tracking object-level read requests provides the following benefits:

  • Visibility into access patterns and behavior for data stored in S3.

  • Auditability of who accessed specific objects, improving accountability.

  • Security monitoring to detect potential unauthorized access or data exfiltration.

  • Compliance with regulations (e.g., GDPR, HIPAA) that require detailed tracking of sensitive data access.

Without object-level logging, organizations lose the ability to track access to individual objects, which increases the risk of unauthorized access going undetected.

Impact:

Failure to enable object-level logging for read events can result in:

  • Lack of visibility into access patterns for sensitive data.

  • Inability to detect unauthorized or suspicious read operations on stored objects.

  • Non-compliance with data protection regulations that require detailed access tracking.

Default Value:

By default, S3 buckets do not have object-level logging enabled for read events. Object-level logging must be explicitly enabled through S3 bucket logging settings or via AWS Config to track read events for objects stored in the bucket.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • s3:GetBucketLogging

    • s3:PutBucketLogging

    • config:DescribeConfigurationRecorder

  • AWS Config should be enabled to track the state of S3 bucket logging

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the S3 Console.

  2. Navigate to the S3 bucket where you want to enable object-level logging.

  3. In the Properties section of the bucket, under Server access logging, ensure that Object-level logging is enabled for read events.

  4. Go to the AWS Config Console and verify that the configuration recorder is active and tracking S3 bucket logging configurations.

Using AWS CLI:

aws s3api get-bucket-logging --bucket <bucket-name> --query "LoggingEnabled" --output table

To verify if AWS Config is tracking S3 bucket logging configurations:

aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[?recordingGroup.allSupported==`true`].{Name:name, RecordingGroup:recordingGroup}' --output table
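
The query above only matches recorders whose recordingGroup.allSupported is true. A recorder that lists AWS::S3::Bucket explicitly in resourceTypes also covers the bucket, and a recorder that exists but is stopped covers nothing, which is what describe-configuration-recorder-status reports. The following Python, added here as an example rather than taken from the benchmark, evaluates the three CLI responses offline and returns a list of findings (empty means compliant). The sample responses are constructed in the shape the CLI prints with --output json; bucket names, recorder names and the role ARN are placeholders.

```python
import json

S3_BUCKET_TYPE = "AWS::S3::Bucket"

# Constructed sample responses (not captured from a real account).
COMPLIANT_LOGGING = {"LoggingEnabled": {"TargetBucket": "central-s3-logs",
                                        "TargetPrefix": "logs/example-bucket/"}}
DISABLED_LOGGING = {}  # get-bucket-logging prints no LoggingEnabled block when logging is off
SELF_LOGGING = {"LoggingEnabled": {"TargetBucket": "example-bucket", "TargetPrefix": "logs/"}}

ROLE_ARN = "arn:aws:iam::111122223333:role/ConfigRecorderRole"  # placeholder
RECORDERS_ALL = {"ConfigurationRecorders": [{"name": "default", "roleARN": ROLE_ARN,
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True, "resourceTypes": []}}]}
RECORDERS_S3_ONLY = {"ConfigurationRecorders": [{"name": "default", "roleARN": ROLE_ARN,
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                       "resourceTypes": [S3_BUCKET_TYPE]}}]}
RECORDERS_EC2_ONLY = {"ConfigurationRecorders": [{"name": "default", "roleARN": ROLE_ARN,
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::EC2::Instance"]}}]}
STATUS_ON = {"ConfigurationRecordersStatus": [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}]}
STATUS_OFF = {"ConfigurationRecordersStatus": [{"name": "default", "recording": False, "lastStatus": "SUCCESS"}]}


def bucket_logging_enabled(logging_output):
    """True when get-bucket-logging shows a LoggingEnabled block with a target bucket."""
    enabled = logging_output.get("LoggingEnabled") or {}
    return bool(enabled.get("TargetBucket"))


def recorder_covers_s3(recorders_output):
    """True when any recorder records all supported types or lists S3 buckets explicitly."""
    for recorder in recorders_output.get("ConfigurationRecorders", []):
        group = recorder.get("recordingGroup", {})
        if group.get("allSupported") or S3_BUCKET_TYPE in group.get("resourceTypes", []):
            return True
    return False


def recorder_running(status_output):
    """True when describe-configuration-recorder-status shows a recorder that is recording."""
    return any(s.get("recording") for s in status_output.get("ConfigurationRecordersStatus", []))


def evaluate(bucket, logging_output, recorders_output, status_output):
    """Return the list of findings for one bucket; an empty list means compliant."""
    findings = []
    if not bucket_logging_enabled(logging_output):
        findings.append(f"server access logging is not enabled on {bucket}")
    elif logging_output["LoggingEnabled"]["TargetBucket"] == bucket:
        # Logs kept in the bucket they describe are readable by the same principals
        # whose access they record; deliver them to a separate, tightly scoped bucket.
        findings.append(f"{bucket} delivers its access logs to the same bucket; use a separate log bucket")
    if not recorder_covers_s3(recorders_output):
        findings.append(f"no AWS Config recorder includes {S3_BUCKET_TYPE}")
    if not recorder_running(status_output):
        findings.append("no AWS Config recorder is currently recording")
    return findings


if __name__ == "__main__":
    cases = {
        "compliant": ("example-bucket", COMPLIANT_LOGGING, RECORDERS_ALL, STATUS_ON),
        "s3-only recorder": ("example-bucket", COMPLIANT_LOGGING, RECORDERS_S3_ONLY, STATUS_ON),
        "self-logging, stopped recorder": ("example-bucket", SELF_LOGGING, RECORDERS_ALL, STATUS_OFF),
        "nothing enabled": ("example-bucket", DISABLED_LOGGING, RECORDERS_EC2_ONLY, STATUS_OFF),
    }
    for label, args in cases.items():
        print(label, json.dumps(evaluate(*args), indent=2))
```

To run it against a live account, capture `aws s3api get-bucket-logging --bucket <bucket-name> --output json`, `aws configservice describe-configuration-recorders --output json` and `aws configservice describe-configuration-recorder-status --output json` to files, load them with json.load and pass the dicts to evaluate in place of the constructed samples.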

Implementation Plan:

Using AWS Console:

  1. Enable object-level logging for S3 buckets:

    • Go to the S3 Console.

    • Select the S3 bucket where you want to enable logging.

    • Under the Properties tab, go to Server access logging.

    • Enable logging and set a Log file prefix so that the logs for this bucket's read operations can be told apart from other logs in the target bucket.

  2. Enable AWS Config to track bucket logging configurations:

    • In the AWS Config Console, ensure the Configuration Recorder is active and tracking S3 bucket logging configurations.

Using AWS CLI:

  1. Enable object-level logging for S3 bucket:

aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "<log-bucket-name>", "TargetPrefix": "logs/"}}'

  2. Enable AWS Config to monitor S3 bucket logging:

aws configservice put-configuration-recorder --configuration-recorder name=<recorder-name>,roleARN=<config-role-arn> --recording-group allSupported=false,includeGlobalResourceTypes=false,resourceTypes=AWS::S3::Bucket
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>

The recording group replaces the recorder's existing resource-type list, so add any other types the recorder already tracks to resourceTypes.

Backout Plan:

Using AWS Console:

  1. If object-level logging for S3 read events causes excessive logging or performance issues:

    • Go to the S3 Console.

    • Disable Server access logging for the S3 bucket.

    • Alternatively, adjust the frequency or scope of the logging configuration if it is generating too many logs.

  2. Modify AWS Config settings to exclude logging configurations if performance or resource consumption issues arise.

Using AWS CLI:

  1. Temporarily disable object-level logging:

aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{}'

  2. Stop recording S3 bucket logging configurations in AWS Config:

aws configservice stop-configuration-recorder --configuration-recorder-name <recorder-name>

  3. Re-enable monitoring once issues are resolved:

aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled": {"TargetBucket": "<log-bucket-name>", "TargetPrefix": "logs/"}}'
aws configservice start-configuration-recorder --configuration-recorder-name <recorder-name>

References:

CIS Controls Mapping:

  CIS Control Version   Control ID   Control Description
  CIS v8                4.9          Perform Continuous Security Monitoring and Incident Detection
  CIS v7                6.3          Monitor Security Configurations for Compliance
  CIS v7                5.2          Securely Manage and Monitor Cloud Accounts and Services