iCompaas Support

Profile Applicability:

• Level 1

Description:

This control ensures that Amazon S3 Server Access Logging is enabled for all S3 buckets that store critical or sensitive data. Server Access Logging provides detailed records of requests made to a bucket — including the requester, bucket name, request type, response status, and error codes. These logs are invaluable for auditing, security investigations, and compliance verification.

Rationale:

Server access logs allow organizations to:

• Monitor and analyze access patterns to detect unusual or unauthorized activity.

• Investigate incidents involving data exfiltration or policy violations.

• Meet compliance requirements for access auditing (e.g., SOC 2, ISO 27001, GDPR).

Without access logging, any unauthorized or anomalous access to bucket data may go undetected, increasing security and compliance risks.

Impact:

• Positive Impact:Enables detailed audit trails for forensic and compliance investigations.Improves visibility into data access and usage behavior.Facilitates proactive threat detection and access anomaly identification.
• Negative Impact:Increases S3 storage costs for logs.Requires management of log destination buckets to prevent circular logging.

Default Value:

By default, S3 Server Access Logging is disabled. It must be explicitly enabled for each S3 bucket.

Pre-Requisite:

• IAM permissions required:

  • s3:GetBucketLogging

  • s3:PutBucketLogging

  • s3:ListAllMyBuckets

• A designated target logging bucket with write permissions from the source bucket.

  • The logging bucket should not be the same as the source bucket (to prevent recursive logging).

Remediation

Test Plan

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to Amazon S3 → Buckets.

3. Select a bucket.

4. Under the Properties tab, scroll to Server access logging.

5. Check whether logging is Enabled.

6. If disabled, note the bucket name and follow the implementation steps to enable it.

Implementation Plan

Using AWS Console:

1. Navigate to Amazon S3 → Buckets.

2. Select the source bucket for which you want to enable logging.

3. Go to the Properties tab.

4. Scroll to Server access logging and click Edit.

5. Enable Server access logging.

6. Under Target bucket, choose a different S3 bucket to store the access logs.

   • (If necessary, create a new bucket such as s3-access-logs.)

7. Optionally, specify a Target prefix (e.g., logs/) for log organization.

8. Click Save changes.

Backout Plan

Using AWS Console:

1. Navigate to Amazon S3 → Buckets → [Your Bucket] → Properties.

2. Scroll to Server access logging.

3. Click Edit, and disable Server access logging.

4. Save changes.

References:

• Amazon S3 Server Access Logging Documentation

• AWS CLI Command Reference – s3api put-bucket-logging

• CIS AWS Foundations Benchmark v2.0.0 – Control 3.22

• AWS S3 Security Best Practices