v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

Description

AWS S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.

Remediation

Perform the following to enable S3 bucket logging:

From Console

  1. Open the Amazon S3 console at S3.
  2. Choose the bucket used for CloudTrail.
  3. Choose Properties.
  4. Choose Server access logging.
  5. Choose Edit, then select Enable.
  6. Select a bucket from the Target bucket list, and optionally enter a prefix.
  7. Choose Save.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v140_3_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v140_3_6 --share

SQL

This control uses a named query:

cloudtrail_s3_logging_enabled

Tags

category = Compliance
cis = true
cis_item_id = 3.6
cis_level = 1
cis_section_id = 3
cis_type = automated
cis_version = v1.4.0
plugin = aws
service = AWS/CloudTrail