Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

Description

CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.

Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.

Remediation

Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:

  1. Go to Amazon S3 console at https://console.aws.amazon.com/s3/home.
  2. Right-click on the bucket and click Properties.
  3. In the Properties pane, click the Permissions tab.
  4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
  5. Select the row that grants permission to Everyone or Any Authenticated User.
  6. Uncheck all the permissions granted to Everyone or Any Authenticated User (click x to delete the row).
  7. Click Save to save the ACL.
  8. If the Edit bucket policy button is present, click it.
  9. Remove any Statement having an Effect set to Allow and a Principal set to "" or {"AWS": ""}, that doesn't also have a condition to restrict access, such as aws:PrincipalOrgID.

Default Value:

By default, S3 buckets are not publicly accessible.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v200_3_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v200_3_3 --share

SQL

This control uses a named query:

with public_bucket_data as (
-- note the counts are not exactly CORRECT because of the jsonb_array_elements joins,
-- but will be non-zero if any matches are found
select
  t.s3_bucket_name as name,
  b.arn,
  t.region,
  t.account_id,
  t.tags,
  t._ctx,
  count(acl_grant) filter (where acl_grant -> 'Grantee' ->> 'URI' like '%acs.amazonaws.com/groups/global/AllUsers') as all_user_grants,
  count(acl_grant) filter (where acl_grant -> 'Grantee' ->> 'URI' like '%acs.amazonaws.com/groups/global/AuthenticatedUsers') as auth_user_grants,
  count(s) filter (where s ->> 'Effect' = 'Allow' and  p = '*' ) as anon_statements
from
  aws_cloudtrail_trail as t
left join aws_s3_bucket as b on t.s3_bucket_name = b.name
left join jsonb_array_elements(acl -> 'Grants') as acl_grant on true
left join jsonb_array_elements(policy_std -> 'Statement') as s  on true
left join jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p  on true
group by
  t.s3_bucket_name,
  b.arn,
  t.region,
  t.account_id,
  t.tags,
  t._ctx
)
select
  case
    when arn is null then 'arn:aws:s3::' || name
    else arn
  end as resource,
  case
    when arn is null then 'skip'
    when all_user_grants > 0 then 'alarm'
    when auth_user_grants > 0 then 'alarm'
    when anon_statements > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when arn is null then name || ' not found in account ' || account_id || '.'
    when all_user_grants > 0 then name || ' grants access to AllUsers in ACL.'
    when auth_user_grants > 0 then name || ' grants access to AuthenticatedUsers in ACL.'
    when anon_statements > 0 then name || ' grants access to AWS:*" in bucket policy.'
    else name || ' does not grant anonymous access in ACL or bucket policy.'
  end as reason
  
  , region, account_id
from
  public_bucket_data;

Tags

category = Compliance
cis = true
cis_item_id = 3.3
cis_level = 1
cis_section_id = 3
cis_type = automated
cis_version = v2.0.0
plugin = aws
service = AWS/CloudTrail