Control: 4.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket
Description
Server access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that server access logging be enabled on the CloudTrail S3 bucket.
Remediation
Perform the following to enable server access logging:
From Console:
- Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
- Under
All Buckets
click on the target S3 bucket. - Click on
Properties
in the top right of the console. - Under
Server access logging
, clickEdit
. - Configure bucket logging:
- Check the
Enabled
box. - Select a Target Bucket from the list.
- Enter a Target Prefix.
- Click
Save
.
From Command Line:
- Get the name of the S3 bucket that CloudTrail is logging to:
aws cloudtrail describe-trails --region <region-name> --query trailList[*].S3BucketName
- Copy and add the target bucket name at
<bucket-name>
, the prefix for the log file at<log-file-prefix>
and optionally add an email address in the following template, then save it as<file-name>.json
:
{ "LoggingEnabled": { "TargetBucket": "<bucket-name>", "TargetPrefix": "<log-file-prefix>", "TargetGrants": [ { "Grantee": { "Type": "AmazonCustomerByEmail", "EmailAddress": "<email-address>" }, "Permission": "FULL_CONTROL" } ] }}
- Run the
put-bucket-logging
command with bucket name and<filename>.json
as input; for more information, refer to put-bucket-logging:
Default Value:
By default, server access logging is disabled on S3 buckets, including those used for CloudTrail. Without enabling this setting, no record of access requests to the CloudTrail bucket is captured, leaving organizations without visibility into who accessed log files or how they were used.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_4_4
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v600_4_4 --share
SQL
This control uses a named query:
select t.arn as resource, case when b.logging is not null then 'ok' else 'alarm' end as status, case when b.logging is not null then t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' else t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' end as reason , t.region, t.account_idfrom aws_cloudtrail_trail t inner join aws_s3_bucket b on t.s3_bucket_name = b.namewhere t.region = t.home_region;