Profile Applicability:
Level 1
Description:
This control ensures that Amazon S3 object-level (data event) logging for write events is enabled in AWS CloudTrail. Enabling this captures detailed write operations such as PutObject, DeleteObject, and CopyObject on S3 buckets. This provides visibility into modifications made to objects and helps detect unauthorized or unexpected changes to stored data.
Rationale:
S3 object-level write event logging provides valuable insights into data modification activities. It helps detect unauthorized uploads, deletions, or overwrites that could indicate malicious behavior or misconfigurations. Logging these actions supports security investigations, operational monitoring, and compliance with frameworks such as ISO 27001, SOC 2, and GDPR by ensuring all data changes are auditable.
Impact:
Positive Impact: Improves accountability and traceability of data changes, supports regulatory compliance, and strengthens incident detection.
Negative Impact: Increased CloudTrail and S3 costs due to the additional volume of object-level logs.
Default Value:
By default, AWS CloudTrail records only management events, not object-level write events. Manual configuration is required to enable this.
Pre-Requisite:
- CloudTrail must be enabled and actively logging events.
- The CloudTrail trail must be configured to capture data events.
- IAM permissions required:
cloudtrail:UpdateTrail
cloudtrail:GetEventSelectors
cloudtrail:PutEventSelectors
Remediation
Test Plan
Using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to CloudTrail → Trails.
- Select the relevant trail.
- Under Data events, check if Write events for S3 buckets are enabled.
- Verify that Data event logging is configured for either all S3 buckets or specific ones.
- Confirm that Write events (PutObject, DeleteObject, CopyObject) are being logged.
- If no write events are enabled, the configuration is non-compliant.
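Added example, not part of the benchmark text: a Python check that applies the Test Plan's pass/fail rule to the JSON returned by `aws cloudtrail get-event-selectors --trail-name <trail>`, covering both classic event selectors and advanced event selectors. The trail ARN and the two selector documents are constructed samples.

```python
import json

# Constructed sample: output of `aws cloudtrail get-event-selectors` for a trail
# that uses classic event selectors and logs S3 object write events.
CLASSIC_SELECTORS = json.loads("""
{"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
 "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": true,
   "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]}
""")

# Constructed sample: advanced event selectors that capture only S3 read
# (GetObject) data events, which this control treats as non-compliant.
ADVANCED_READ_ONLY = json.loads("""
{"TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail",
 "AdvancedEventSelectors": [{"Name": "S3 reads", "FieldSelectors": [
   {"Field": "eventCategory", "Equals": ["Data"]},
   {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
   {"Field": "readOnly", "Equals": ["true"]}]}]}
""")

def _classic_logs_s3_writes(selectors):
    for sel in selectors:
        # ReadWriteType defaults to "All"; "ReadOnly" never captures writes.
        if sel.get("ReadWriteType", "All") not in ("All", "WriteOnly"):
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") == "AWS::S3::Object" and res.get("Values"):
                return True
    return False

def _advanced_logs_s3_writes(selectors):
    for sel in selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if "AWS::S3::Object" not in fields.get("resources.type", {}).get("Equals", []):
            continue
        # No readOnly field means reads and writes; "true" means reads only.
        if fields.get("readOnly", {}).get("Equals", []) != ["true"]:
            return True
    return False

def s3_write_logging_enabled(get_event_selectors_output):
    """True when the trail captures S3 object-level write data events."""
    out = get_event_selectors_output
    return (_classic_logs_s3_writes(out.get("EventSelectors", []))
            or _advanced_logs_s3_writes(out.get("AdvancedEventSelectors", [])))

if __name__ == "__main__":
    for name, out in (("classic", CLASSIC_SELECTORS), ("advanced", ADVANCED_READ_ONLY)):
        print(name, "COMPLIANT" if s3_write_logging_enabled(out) else "NON-COMPLIANT")
```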
Implementation Plan
Using AWS Console:
- Navigate to the AWS CloudTrail Console.
- Go to Trails → [Your Trail Name].
- Under the General details section, click Edit.
- In the Event type section, enable Data events.
- Select S3 as the data resource type.
- Choose to log for All current and future S3 buckets or specify the required buckets.
- Under Read/Write events, select Write.
- Click Save changes.
- Verify that the trail configuration now includes S3 object-level write events.
Backout Plan
Using AWS Console:
- Go to AWS CloudTrail Console → Trails.
- Select the trail currently logging write events for S3 buckets.
- Click Edit.
- Under Event type → Data events, deselect Write for S3.
- Click Save changes to disable object-level write event logging.