Control: Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

Description

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cloudtrail_s3_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cloudtrail_s3_logging_enabled --share

SQL

This control uses a named query:

select
  t.arn as resource,
  case
    when b.logging is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when b.logging is not null then t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.'
    else t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.'
  end as reason
  
  , t.region, t.account_id
from
  aws_cloudtrail_trail t
  inner join aws_s3_bucket b on t.s3_bucket_name = b.name
where
  t.region = t.home_region;

Control: Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

Description

Usage

SQL

Tags