Profile Applicability:

  • Level 1


Description:
This control ensures that Amazon S3 access logging is enabled on the S3 bucket used to store AWS CloudTrail logs. Access logging provides detailed records for requests made to the bucket, helping organizations track access patterns, detect unauthorized access, and support forensic investigations. These logs should ideally be delivered to a separate, dedicated S3 bucket (often called a logging bucket) to prevent log overwriting or recursive logging.


Rationale:
Enabling access logging for the CloudTrail S3 bucket provides an additional layer of visibility into who accessed or attempted to access CloudTrail log files. This helps detect unauthorized or suspicious activity and supports compliance with audit and regulatory frameworks such as ISO 27001, SOC 2, and HIPAA. Without access logs, detecting unauthorized downloads, data tampering, or exfiltration attempts becomes difficult.


Impact:
Positive Impact: Enhances visibility into access patterns and improves forensic and compliance capabilities.
Negative Impact: Slight increase in S3 storage costs for storing access logs and minimal processing overhead.


Default Value:
By default, S3 access logging is disabled for all buckets, including those used by CloudTrail.


Prerequisites:

  • AWS CloudTrail must be enabled and configured to deliver logs to an S3 bucket.

  • An S3 bucket (the target logging bucket) must exist to store access logs.

  • IAM permissions required:

    • s3:PutBucketLogging

    • s3:GetBucketLogging

    • s3:GetBucketAcl

    • s3:PutBucketAcl


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to S3 → Buckets.

  3. Select the CloudTrail log bucket (e.g., my-org-cloudtrail-logs).

  4. Click the Properties tab.

  5. Scroll to the Server access logging section.

  6. Verify that Server access logging is Enabled.

    • Confirm that logs are being delivered to a different S3 bucket (the logging bucket).

  7. If logging is disabled, the bucket is non-compliant.
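The console steps above can be scripted. The following is an added example (not part of the benchmark text, and not an AWS-provided tool) that performs the same check from the output of two AWS CLI calls, `aws cloudtrail describe-trails` and `aws s3api get-bucket-logging`: it lists every bucket a trail delivers to, then flags a bucket as non-compliant when server access logging is disabled or when the bucket logs to itself (the recursive configuration the Description warns against). The JSON responses embedded below are constructed samples so the script runs offline; when the `aws` CLI is on the PATH it queries the account instead. Bucket names are the page's examples.

```python
"""Audit: is S3 server access logging enabled on the CloudTrail log bucket?

Added example for this control, not part of the benchmark text. It
evaluates the JSON returned by:
  aws cloudtrail describe-trails
  aws s3api get-bucket-logging --bucket <bucket>
The sample responses below are constructed for offline use.
"""
import json
import shutil
import subprocess

# Constructed sample of `aws cloudtrail describe-trails` output.
SAMPLE_TRAILS = json.dumps({
    "trailList": [
        {"Name": "org-trail", "S3BucketName": "my-org-cloudtrail-logs",
         "S3KeyPrefix": "cloudtrail", "IsMultiRegionTrail": True}
    ]
})

# Constructed samples of `aws s3api get-bucket-logging` output, keyed by bucket.
SAMPLE_LOGGING = {
    # compliant: logging on, delivered to a separate logging bucket
    "my-org-cloudtrail-logs": json.dumps({
        "LoggingEnabled": {"TargetBucket": "my-org-s3-access-logs",
                           "TargetPrefix": "cloudtrail-logs/"}
    }),
    # non-compliant: logging disabled (the CLI prints nothing in this case)
    "disabled-bucket": "",
    # non-compliant: the bucket delivers its access logs to itself
    "self-logging-bucket": json.dumps({
        "LoggingEnabled": {"TargetBucket": "self-logging-bucket",
                           "TargetPrefix": ""}
    }),
}


def cloudtrail_buckets(describe_trails_json):
    """Distinct S3 buckets that the account's trails deliver logs to."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    return sorted({t["S3BucketName"] for t in trails if t.get("S3BucketName")})


def evaluate_logging(bucket, get_bucket_logging_json):
    """Classify one bucket's server access logging configuration.

    Returns (compliant, reason, target_bucket).
    """
    status = json.loads(get_bucket_logging_json.strip() or "{}")
    enabled = status.get("LoggingEnabled")
    if not enabled:
        return False, "server access logging is disabled", None
    target = enabled.get("TargetBucket")
    if not target:
        return False, "LoggingEnabled present but no TargetBucket", None
    if target == bucket:
        return False, "access logs are delivered to the same bucket (recursive logging)", target
    prefix = enabled.get("TargetPrefix", "")
    return True, f"logging enabled, delivered to {target}/{prefix}", target


def audit(describe_trails_json, logging_lookup):
    """logging_lookup maps a bucket name to its get-bucket-logging JSON text."""
    return {b: evaluate_logging(b, logging_lookup(b) or "")
            for b in cloudtrail_buckets(describe_trails_json)}


def _aws(*args):
    """Run the AWS CLI and return its stdout (only used when the CLI is present)."""
    return subprocess.run(["aws", *args, "--output", "json"], check=True,
                          capture_output=True, text=True).stdout


def main():
    if shutil.which("aws") is None:
        trails, lookup = SAMPLE_TRAILS, SAMPLE_LOGGING.get   # offline: constructed data
    else:
        trails = _aws("cloudtrail", "describe-trails")
        def lookup(bucket):
            return _aws("s3api", "get-bucket-logging", "--bucket", bucket)
    for bucket, (ok, reason, _) in audit(trails, lookup).items():
        print(f"{'PASS' if ok else 'FAIL'} {bucket}: {reason}")


if __name__ == "__main__":
    main()
```

Run it with `python3 audit_cloudtrail_bucket_logging.py` (any file name works); with credentials and the CLI configured it prints one PASS/FAIL line per CloudTrail bucket in the account. Note that `get-bucket-logging` reports only the source side; whether the target bucket actually accepts the deliveries is a separate question covered in the implementation example.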


Implementation Plan

Using AWS Console:

  1. Go to the AWS S3 Console → Buckets.

  2. Select the CloudTrail log bucket.

  3. Click the Properties tab.

  4. Under Server access logging, click Edit.

  5. Select Enable.

  6. Under Target bucket, choose or create a separate bucket to store access logs (e.g., my-org-s3-access-logs).

  7. (Optional) Specify a Target prefix (e.g., cloudtrail-logs/) to organize logs within the target bucket.

  8. Click Save changes.

  9. Confirm that the Server access logging status now shows as Enabled.
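The same change can be applied with the AWS CLI. The added example below (not part of the benchmark text, and not an AWS tool) builds the two documents involved and prints the equivalent `aws s3api` commands: the `BucketLoggingStatus` document for `put-bucket-logging` on the CloudTrail bucket, and a bucket policy for the target logging bucket that lets the S3 log delivery service principal `logging.s3.amazonaws.com` write objects there. The policy step is the part the console hides: on a target bucket with ACLs disabled (the default for new buckets), a bucket policy is the only way to grant log delivery, and the `s3:PutBucketAcl` route listed under Prerequisites does not apply. The script refuses a target that equals the source bucket. Bucket names are the page's examples; the account ID is a placeholder.

```python
"""Remediation helper: enable S3 server access logging on the CloudTrail
bucket, delivering to a separate logging bucket.

Added example for this control, not part of the benchmark text. It only
builds documents and commands; nothing here calls AWS.
"""
import json
import shlex

SOURCE_BUCKET = "my-org-cloudtrail-logs"   # CloudTrail bucket (page example)
TARGET_BUCKET = "my-org-s3-access-logs"    # logging bucket (page example)
TARGET_PREFIX = "cloudtrail-logs/"         # target prefix (page example)
ACCOUNT_ID = "111122223333"                # placeholder account ID


def validate(source_bucket, target_bucket):
    """Refuse the recursive configuration the Description warns about."""
    if source_bucket == target_bucket:
        raise ValueError("target bucket must differ from the CloudTrail bucket")
    return True


def logging_status(target_bucket, target_prefix=""):
    """BucketLoggingStatus document expected by put-bucket-logging."""
    return {"LoggingEnabled": {"TargetBucket": target_bucket,
                               "TargetPrefix": target_prefix}}


def target_bucket_policy(source_bucket, target_bucket, target_prefix, account_id):
    """Least-privilege policy for the target bucket: only the S3 log delivery
    service, only for logs originating from this source bucket in this
    account, only under the chosen prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {"Service": "logging.s3.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{target_bucket}/{target_prefix}*",
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def cli_commands(source_bucket, target_bucket, target_prefix, account_id):
    """Equivalent AWS CLI invocations, in the order they should run:
    grant delivery on the target first, then enable logging on the source,
    then read the setting back as the verification step."""
    validate(source_bucket, target_bucket)
    policy = json.dumps(target_bucket_policy(source_bucket, target_bucket,
                                             target_prefix, account_id))
    status = json.dumps(logging_status(target_bucket, target_prefix))
    return [
        # put-bucket-policy REPLACES any existing policy on the target bucket;
        # merge this statement into an existing policy instead if one is present.
        f"aws s3api put-bucket-policy --bucket {target_bucket} "
        f"--policy {shlex.quote(policy)}",
        f"aws s3api put-bucket-logging --bucket {source_bucket} "
        f"--bucket-logging-status {shlex.quote(status)}",
        f"aws s3api get-bucket-logging --bucket {source_bucket}",
    ]


if __name__ == "__main__":
    for cmd in cli_commands(SOURCE_BUCKET, TARGET_BUCKET, TARGET_PREFIX, ACCOUNT_ID):
        print(cmd)
```

Review the printed commands, then run them with credentials that hold `s3:PutBucketPolicy` on the target bucket and `s3:PutBucketLogging` on the CloudTrail bucket. The final `get-bucket-logging` call should echo the `LoggingEnabled` block; the first access-log objects typically appear in the target bucket within a few hours, since server access log delivery is best-effort and not immediate.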


Backout Plan

Using AWS Console:

  1. Go to the AWS S3 Console → Buckets.

  2. Select the CloudTrail log bucket.

  3. Click the Properties tab.

  4. Under Server access logging, click Edit.

  5. Uncheck Enable and click Save changes to disable access logging.

  6. (Optional) Remove or archive existing access logs in the target bucket if not needed.


References: