Profile Applicability:

  • Level 1


Description:
This control ensures that Amazon S3 object-level (data event) logging for read events is enabled in AWS CloudTrail. Enabling object-level logging allows tracking of detailed operations such as GetObject, HeadObject, and ListObjects on S3 buckets. These logs help monitor access to individual objects, detect potential data exfiltration attempts, and provide granular visibility into user activity for audit and compliance purposes.


Rationale:
S3 object-level logging enhances visibility into data access patterns by recording every read operation at the object level. This is crucial for identifying unauthorized data access, monitoring insider threats, and meeting compliance requirements such as SOC 2, ISO 27001, and GDPR. Without this logging, it is impossible to detect when and by whom an object was accessed or downloaded.


Impact:
Positive Impact: Improves security visibility, supports forensic analysis, and enhances compliance with data protection frameworks.
Negative Impact: Increases CloudTrail and S3 costs due to the higher volume of generated logs.


Default Value:
By default, AWS CloudTrail records management events only, not object-level data events for S3 buckets. Object-level logging must be manually enabled.


Pre-Requisite:

  • CloudTrail must be enabled in all regions.
  • CloudTrail trails must be configured to record data events.
  • IAM permissions required:
    • cloudtrail:UpdateTrail
    • cloudtrail:GetEventSelectors
    • cloudtrail:PutEventSelectors


Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to CloudTrail → Trails.
  3. Select an existing trail.
  4. Under the Event data stores or Data events section, check if Read events for S3 are enabled.
  5. Verify that Data event logging is configured for the required S3 bucket(s) and that Read events (GetObject, HeadObject) are selected.
  6. If no S3 buckets or read events are listed, the configuration is non-compliant.
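The console check above can also be performed offline against the JSON that `aws cloudtrail get-event-selectors --trail-name <trail>` (or boto3 `get_event_selectors`) returns. The following script is an added example, not part of the control text or any AWS tool: it evaluates both the classic `EventSelectors` form and the `AdvancedEventSelectors` form and reports whether a given bucket's object-level read events are logged. The trail ARN, account ID and bucket names in the sample responses are constructed placeholders.

```python
"""Offline audit of a CloudTrail GetEventSelectors response for S3 read data events."""
from typing import Any, Dict, List

S3_OBJECT = "AWS::S3::Object"


def _covers_bucket(bucket: str, arn_prefixes: List[str]) -> bool:
    """True if one of the ARN prefixes selects every object in `bucket`.

    'arn:aws:s3' (or 'arn:aws:s3:::') means all current and future buckets;
    'arn:aws:s3:::<bucket>/' means all objects in one bucket.
    A narrower prefix such as 'arn:aws:s3:::<bucket>/reports/' does not count.
    """
    whole_bucket = {"arn:aws:s3", "arn:aws:s3:::",
                    f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/"}
    return any(p in whole_bucket for p in arn_prefixes)


def basic_selectors_log_s3_reads(selectors: List[Dict[str, Any]], bucket: str) -> bool:
    """Classic event selectors: ReadWriteType must include reads and a DataResource
    of type AWS::S3::Object must cover the bucket."""
    for sel in selectors:
        if sel.get("ReadWriteType", "All") not in ("ReadOnly", "All"):
            continue  # WriteOnly selectors never record GetObject/HeadObject
        for res in sel.get("DataResources", []):
            if res.get("Type") == S3_OBJECT and _covers_bucket(bucket, res.get("Values", [])):
                return True
    return False


def advanced_selectors_log_s3_reads(selectors: List[Dict[str, Any]], bucket: str) -> bool:
    """Advanced event selectors: eventCategory=Data, resources.type=AWS::S3::Object,
    readOnly not restricted to false, and resources.ARN absent or covering the bucket."""
    for sel in selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if fields.get("resources.type", {}).get("Equals") != [S3_OBJECT]:
            continue
        if fields.get("readOnly", {}).get("Equals") == ["false"]:
            continue  # write-only data event selector
        arn = fields.get("resources.ARN")
        if arn is None:
            return True  # no ARN constraint: all current and future buckets
        excluded = arn.get("NotStartsWith", [])
        if _covers_bucket(bucket, excluded):
            continue  # bucket explicitly excluded
        if _covers_bucket(bucket, arn.get("StartsWith", []) + arn.get("Equals", [])):
            return True
        if not arn.get("StartsWith") and not arn.get("Equals"):
            return True  # only exclusions present and this bucket is not one of them
    return False


def trail_logs_s3_reads(response: Dict[str, Any], bucket: str) -> bool:
    """Compliance verdict for one bucket from a GetEventSelectors response."""
    return (basic_selectors_log_s3_reads(response.get("EventSelectors", []), bucket)
            or advanced_selectors_log_s3_reads(response.get("AdvancedEventSelectors", []), bucket))


def audit(response: Dict[str, Any], buckets: List[str]) -> Dict[str, bool]:
    """Map each required bucket to True (read events logged) or False (non-compliant)."""
    return {b: trail_logs_s3_reads(response, b) for b in buckets}


# Constructed sample responses (placeholder ARNs, not real resources).
COMPLIANT_BASIC = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
    "EventSelectors": [{
        "ReadWriteType": "ReadOnly",
        "IncludeManagementEvents": True,
        "DataResources": [{"Type": S3_OBJECT, "Values": ["arn:aws:s3:::finance-data/"]}],
    }],
}
WRITE_ONLY_BASIC = {
    "EventSelectors": [{
        "ReadWriteType": "WriteOnly",
        "DataResources": [{"Type": S3_OBJECT, "Values": ["arn:aws:s3"]}],
    }],
}
ADVANCED_ALL_BUCKETS = {
    "AdvancedEventSelectors": [{
        "Name": "S3 reads, all buckets",
        "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": [S3_OBJECT]},
            {"Field": "readOnly", "Equals": ["true"]},
        ],
    }],
}

if __name__ == "__main__":
    for name, resp in [("basic", COMPLIANT_BASIC), ("write-only", WRITE_ONLY_BASIC),
                       ("advanced", ADVANCED_ALL_BUCKETS)]:
        print(name, audit(resp, ["finance-data", "other-bucket"]))
```

To use it against a live account, feed the script the JSON from `get-event-selectors` for each trail and the list of buckets the control requires; any `False` in the result is a finding for step 6.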


Implementation Plan

Using AWS Console:

  1. Navigate to the AWS CloudTrail Console.
  2. Select Trails → [Your Trail Name].
  3. In the General details section, click Edit.
  4. Under Event type, select Data events.
  5. Choose S3 bucket as the data resource type.
  6. Select the specific S3 bucket(s) for which you want to enable logging, or choose All current and future S3 buckets.
  7. Under Read/Write events, select Read (to log object-level read events).
  8. Click Save changes.
  9. Confirm that the selected trail now records S3 object-level read events.


Backout Plan

Using AWS Console:

  1. Go to the AWS CloudTrail Console → Trails.
  2. Select the trail where object-level read event logging is enabled.
  3. Click Edit.
  4. Under Event type → Data events, deselect Read for S3 buckets.
  5. Click Save changes to disable object-level read event logging.
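The implementation and backout steps above map to a single `PutEventSelectors` call, which replaces the trail's whole selector set. The script below is an added example, not part of the control text or an AWS-provided tool: it builds the advanced event selector list for enabling S3 object-level read logging (for named buckets or for all current and future buckets) and the reduced list for backing the change out, while keeping management-event logging in place, since a selector set without a `Management` selector would silently stop recording management events. `TRAIL_NAME` is a placeholder you must replace; the bucket names are constructed.

```python
"""Build CloudTrail advanced event selectors for enabling and reverting S3 read logging."""
import json
from typing import Any, Dict, List

Selector = Dict[str, Any]
S3_OBJECT = "AWS::S3::Object"

# Placeholder; replace with the trail from the Implementation Plan.
TRAIL_NAME = "<YOUR-TRAIL-NAME>"

# Keeps management events flowing after PutEventSelectors replaces the selector set.
MANAGEMENT_EVENTS: Selector = {
    "Name": "Management events",
    "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}],
}


def s3_read_selector(buckets: List[str]) -> Selector:
    """Selector for S3 object-level read events (GetObject, HeadObject, ...).

    An empty bucket list omits resources.ARN, which is the advanced-selector
    equivalent of 'All current and future S3 buckets'.
    """
    fields = [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": [S3_OBJECT]},
        {"Field": "readOnly", "Equals": ["true"]},
    ]
    if buckets:
        fields.append({"Field": "resources.ARN",
                       "StartsWith": [f"arn:aws:s3:::{b}/" for b in buckets]})
    return {"Name": "S3 object-level read events", "FieldSelectors": fields}


def _is_s3_read_selector(sel: Selector) -> bool:
    fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
    return (fields.get("eventCategory", {}).get("Equals") == ["Data"]
            and fields.get("resources.type", {}).get("Equals") == [S3_OBJECT]
            and fields.get("readOnly", {}).get("Equals") == ["true"])


def _has_management_selector(selectors: List[Selector]) -> bool:
    return any(f.get("Field") == "eventCategory" and f.get("Equals") == ["Management"]
               for s in selectors for f in s.get("FieldSelectors", []))


def enable_s3_read_logging(existing: List[Selector], buckets: List[str]) -> List[Selector]:
    """Implementation Plan: the trail's current selectors plus the S3 read selector.

    Any earlier S3 read selector is replaced rather than duplicated, and a
    management selector is added if none is present.
    """
    kept = [s for s in existing if not _is_s3_read_selector(s)]
    if not _has_management_selector(kept):
        kept.insert(0, MANAGEMENT_EVENTS)
    return kept + [s3_read_selector(buckets)]


def disable_s3_read_logging(existing: List[Selector]) -> List[Selector]:
    """Backout Plan: drop only the S3 read selector(s); everything else is untouched."""
    return [s for s in existing if not _is_s3_read_selector(s)]


if __name__ == "__main__":
    # Constructed starting point: trail currently logs management events only.
    current: List[Selector] = [MANAGEMENT_EVENTS]
    enabled = enable_s3_read_logging(current, ["finance-data", "hr-records"])
    print(json.dumps(enabled, indent=2))
    print(f"# apply with: aws cloudtrail put-event-selectors --trail-name {TRAIL_NAME} "
          "--advanced-event-selectors file://selectors.json")
    print(json.dumps(disable_s3_read_logging(enabled), indent=2), "# backout payload")
```

Save the printed list to `selectors.json` and pass it to `aws cloudtrail put-event-selectors --advanced-event-selectors`; the backout payload is applied the same way. Re-run the Test Plan check afterwards to confirm the trail's selectors match what was intended.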


References: