turbot/steampipe-mod-aws-compliance

Control: Ensure that Object-level logging for read events is enabled for S3 bucket

Description

This control checks whether object-level logging for read events is enabled for each S3 bucket, that is, whether a multi-region CloudTrail trail has an AWS::S3::Object data-event selector that covers the bucket with a read/write type of ReadOnly or All. Object-level read event logging records which principal read an object (for example, a GetObject call), which is what lets you identify the requester when investigating data access on the bucket.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cloudtrail_s3_object_read_events_audit_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cloudtrail_s3_object_read_events_audit_enabled --share

SQL

This control uses a named query. Note how the join predicate works: a bucket is reported ok when any qualifying selector value either is the account-wide value 'arn:aws:s3' or starts with the bucket ARN. Because the match is a prefix match, a bucket whose name is itself a prefix of another logged bucket's name (for example, logs and logs-archive) is reported ok even if only the longer-named bucket is logged. The query also reads only the trail's basic event selectors, so trails configured with advanced event selectors, and single-region trails, are not considered.

with s3_selectors as
(
  select
    name as trail_name,
    is_multi_region_trail,
    bucket_selector
  from
    aws_cloudtrail_trail,
    jsonb_array_elements(event_selectors) as event_selector,
    jsonb_array_elements(event_selector -> 'DataResources') as data_resource,
    jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector
  where
    is_multi_region_trail
    and data_resource ->> 'Type' = 'AWS::S3::Object'
    and event_selector ->> 'ReadWriteType' in
    (
      'ReadOnly',
      'All'
    )
)
select
  b.arn as resource,
  case
    when count(bucket_selector) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when count(bucket_selector) > 0 then b.name || ' object-level read events logging enabled.'
    else b.name || ' object-level read events logging disabled.'
  end as reason,
  region,
  account_id
from
  aws_s3_bucket as b
  left join s3_selectors
    on bucket_selector like (b.arn || '%')
    or bucket_selector = 'arn:aws:s3'
group by
  b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;
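The following is an added, stand-alone illustration of the join predicate; it is not part of the mod's query. It runs on plain PostgreSQL without Steampipe: two CTEs (sample_cloudtrail_trail and sample_s3_bucket, constructed sample data, not real account data) mimic the columns the control reads, the selector unnesting is the same as in the control, and the final select evaluates both the control's prefix match and a tighter variant that requires the bucket ARN to be followed by a slash or to match exactly. The bucket names are chosen so that one bucket name is a prefix of another.

```sql
-- Added example (not the mod's code). Runs on plain PostgreSQL.
-- Sample rows (constructed, not real account data) shaped like the columns
-- the control reads from aws_cloudtrail_trail and aws_s3_bucket.
with sample_cloudtrail_trail as (
  select
    'org-trail' as name,
    true as is_multi_region_trail,
    -- One basic event selector: All read/write types, S3 object data events
    -- for every object in the bucket app-logs-archive only.
    '[{"ReadWriteType": "All",
       "DataResources": [{"Type": "AWS::S3::Object",
                          "Values": ["arn:aws:s3:::app-logs-archive/"]}]}]'::jsonb
      as event_selectors
),
sample_s3_bucket as (
  select * from (values
    ('arn:aws:s3:::app-logs',         'app-logs'),
    ('arn:aws:s3:::app-logs-archive', 'app-logs-archive'),
    ('arn:aws:s3:::web-assets',       'web-assets')
  ) as t(arn, name)
),
-- Same unnesting and filters as the control's s3_selectors CTE.
s3_selectors as (
  select
    t.name as trail_name,
    bucket_selector
  from
    sample_cloudtrail_trail as t,
    jsonb_array_elements(t.event_selectors) as event_selector,
    jsonb_array_elements(event_selector -> 'DataResources') as data_resource,
    jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector
  where
    t.is_multi_region_trail
    and data_resource ->> 'Type' = 'AWS::S3::Object'
    and event_selector ->> 'ReadWriteType' in ('ReadOnly', 'All')
)
select
  b.name,
  -- The control's predicate: any selector value that begins with the bucket
  -- ARN, or the account-wide selector 'arn:aws:s3'.
  coalesce(bool_or(s.bucket_selector like (b.arn || '%')
                   or s.bucket_selector = 'arn:aws:s3'), false) as matched_by_control,
  -- Tighter predicate: the bucket ARN exactly, or the ARN followed by '/'
  -- (optionally with an object key prefix), or the account-wide selector.
  coalesce(bool_or(s.bucket_selector = b.arn
                   or s.bucket_selector like (b.arn || '/%')
                   or s.bucket_selector = 'arn:aws:s3'), false) as matched_strict
from
  sample_s3_bucket as b
  -- left join on true keeps every bucket even when no selector qualifies;
  -- coalesce turns the resulting null aggregate into false.
  left join s3_selectors as s on true
group by
  b.name
order by
  b.name;
```

Expected result: app-logs-archive is true under both predicates and web-assets is false under both, but app-logs is matched_by_control = true while matched_strict = false, because the selector value 'arn:aws:s3:::app-logs-archive/' begins with 'arn:aws:s3:::app-logs'. If that false ok matters in your account, apply the stricter predicate in a local copy of the query. The example, like the control, reads only basic event selectors and multi-region trails; advanced event selectors and single-region trails are outside both.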

Tags