Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 3.8 Ensure that Object-level logging for write events is enabled for S3 bucket

Description

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.

Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.

Remediation

From Console:

  1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
  2. In the left navigation panel, click buckets and then click on the S3 Bucket Name that you want to examine.
  3. Click Properties tab to see in detail bucket configuration.
  4. In the AWS Cloud Trail data events' section select the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by slicking the Configure in Cloudtrail button or navigating to the Cloudtrail console link https://console.aws.amazon.com/cloudtrail/
  5. Once the Cloudtrail is selected, Select the data Data Events check box.
  6. Select S3 from the `Data event type drop down.
  7. Select Log all events from the Log selector template drop down.
  8. Repeat steps 2 to 5 to enable object-level logging of write events for other S3 buckets.

From Command Line:

  1. To enable object-level data events logging for S3 buckets within your AWS account, run put-event-selectors command using the name of the trail that you want to reconfigure as identifier:
aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "WriteOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]'
  1. The command output will be object-level event trail configuration.
  2. If you want to enable it for all buckets at once then change Values parameter to ["arn:aws:s3"] in command given above.
  3. Repeat step 1 for each s3 bucket to update object-level logging of write events.
  4. Change the AWS region by updating the --region command parameter and perform the process for other regions.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v300_3_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v300_3_8 --share

SQL

This control uses a named query:

with s3_selectors as
(
  select
    name as trail_name,
    is_multi_region_trail,
    bucket_selector
  from
    aws_cloudtrail_trail,
    jsonb_array_elements(event_selectors) as event_selector,
    jsonb_array_elements(event_selector -> 'DataResources') as data_resource,
    jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector
  where
    is_multi_region_trail
    and data_resource ->> 'Type' = 'AWS::S3::Object'
    and event_selector ->> 'ReadWriteType' in
    (
      'WriteOnly',
      'All'
    )
)
select
  b.arn as resource,
  case
    when count(bucket_selector) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when count(bucket_selector) > 0 then b.name || ' object-level write events logging enabled.'
    else b.name || ' object-level write events logging disabled.'
  end as reason
  
  , region, account_id
from
  aws_s3_bucket as b
  left join
    s3_selectors
    on bucket_selector like (b.arn || '%')
    or bucket_selector = 'arn:aws:s3'
group by
  b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;

Tags

category = Compliance
cis = true
cis_item_id = 3.8
cis_level = 2
cis_section_id = 3
cis_type = automated
cis_version = v3.0.0
plugin = aws
service = AWS/S3