Control: 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
Description
CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.
Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.
Remediation
Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:
- Go to Amazon S3 console at https://console.aws.amazon.com/s3/home.
- Right-click on the bucket and click Properties.
- In the
Properties
pane, click thePermissions
tab. - The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
- Select the row that grants permission to
Everyone
orAny Authenticated User
. - Uncheck all the permissions granted to
Everyone
orAny Authenticated User
(clickx
to delete the row). - Click
Save
to save the ACL. - If the
Edit bucket policy
button is present, click it. - Remove any
Statement
having anEffect
set toAllow
and aPrincipal
set to "" or {"AWS": ""}, that doesn't also have a condition to restrict access, such asaws:PrincipalOrgID
.
Default Value:
By default, S3 buckets are not publicly accessible.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v200_3_3
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v200_3_3 --share
SQL
This control uses a named query:
cloudtrail_bucket_not_public