
Control: 3.8 Ensure that Object-level logging for write events is enabled for S3 buckets


S3 object-level API operations, such as GetObject, DeleteObject, and PutObject, are referred to as data events. By default, CloudTrail trails do not log data events, so it is recommended to enable object-level logging for S3 buckets.

Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analyses, monitor specific patterns of user behavior in your AWS account, or take immediate actions on any object-level API activity within your S3 buckets using Amazon CloudWatch Events.


From Console

  1. Login to the AWS Management Console and navigate to the S3 dashboard at https://console.aws.amazon.com/s3/.
  2. In the left navigation panel, click buckets, and then click the name of the S3 bucket you want to examine.
  3. Click the Properties tab to see the bucket configuration in detail.
  4. In the AWS CloudTrail data events section, select the trail name for recording activity. You can choose an existing trail or create a new one by clicking the Configure in CloudTrail button or navigating to the CloudTrail console.
  5. Once the trail is selected, select the Data Events check box.
  6. Select S3 from the Data event type drop-down.
  7. Select Log all events from the Log selector template drop-down.
  8. Repeat steps 2-7 to enable object-level logging of write events for other S3 buckets.

From Command Line

  1. To enable object-level data events logging for S3 buckets within your AWS account, run the put-event-selectors command using the name of the trail that you want to reconfigure as identifier:
aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "WriteOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]'
  1. The command output will be object-level event trail configuration.
  2. If you want to enable it for all buckets at once, change the Values parameter to ["arn:aws:s3"] in the previous command.
  3. Repeat step 1 for each s3 bucket to update object-level logging of write events.
  4. Change the AWS region by updating the --region command parameter, and perform the process for the other regions.


Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v400_3_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v400_3_8 --share


This control uses a named query:

with s3_selectors as
name as trail_name,
jsonb_array_elements(event_selectors) as event_selector,
jsonb_array_elements(event_selector -> 'DataResources') as data_resource,
jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector
and data_resource ->> 'Type' = 'AWS::S3::Object'
and event_selector ->> 'ReadWriteType' in
b.arn as resource,
when count(bucket_selector) > 0 then 'ok'
else 'alarm'
end as status,
when count(bucket_selector) > 0 then b.name || ' object-level write events logging enabled.'
else b.name || ' object-level write events logging disabled.'
end as reason
, region, account_id
aws_s3_bucket as b
left join
on bucket_selector like (b.arn || '%')
or bucket_selector = 'arn:aws:s3'
group by
b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;
