CloudTrail Bucket Delete Policy

Quick Info

Plugin Title: CloudTrail Bucket Delete Policy
Description: Ensures the CloudTrail logging bucket has a policy that prevents deletion of logs without an MFA token
More Info: To provide additional security, CloudTrail logging buckets should require an MFA token to delete objects
AWS Link:
Recommended Action: Enable MFA Delete on the CloudTrail bucket

Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for “CloudTrail”.
  3. In the “Dashboard” panel click on “View trails” button.
  4. Select the “trail” that needs to be verified under “Name” column.
  5. Scroll down and under the “Storage location” option check the S3 bucket used to store log data.
  6. Go to “Services” and search for “S3” to go into S3 buckets dashboard.
  7. Select the “S3 bucket” used to store data log in CloudTrail.
  8. Enabling MFA Delete through the AWS Management Console is not supported as of now; it must be enabled through the AWS API. Configure the “AWS CLI” with your own “AWS Key Id” and “AWS Secret Key”, and configure an MFA device for your root account.
  9. Follow the commands below to “Enable MFA Delete”.
  10. To list the buckets in the AWS account: aws s3api list-buckets --query 'Buckets[*].Name'
  11. To verify whether the selected “CloudTrail bucket” already has object versioning enabled: aws s3api get-bucket-versioning --bucket shukla008
  12. To enable “MFA Delete” and “Versioning” on the selected “CloudTrail bucket” (the --mfa value is the MFA device ARN followed by the current token code, separated by a space): aws s3api put-bucket-versioning --bucket shukla008 --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa 'arn:aws:iam::10260454563607:mfa/root-account-mfa-device 531098'
  13. To verify that “MFA Delete” and “Versioning” are enabled on the selected “CloudTrail bucket”; the output shows both Status and MFADelete as Enabled when they are: aws s3api get-bucket-versioning --bucket shukla008
  14. To list the object versions in the selected “CloudTrail bucket”: aws s3api list-object-versions --bucket shukla008
  15. To test the setting, attempt to delete an S3 object version without the “MFA” token; with MFA Delete enabled the request is rejected: aws s3api delete-object --bucket shukla008 --version-id "HBU7m.mOKZhxuXXDl5Y9c1Iu6.XWQkxu" --key demo.txt
  16. MFA Delete is now enabled on the selected “CloudTrail bucket”.
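The check the plugin performs, as an added example in Python (not the plugin's own code): it joins each trail's S3 bucket to that bucket's versioning configuration and reports PASS only when Status and MFADelete are both Enabled. The input dictionaries mirror the JSON returned by the aws cloudtrail describe-trails and aws s3api get-bucket-versioning commands; the sample data is constructed for the example.

```python
"""Audit CloudTrail log buckets for Versioning + MFA Delete (added example)."""
from typing import Dict, List

PASS, FAIL = "PASS", "FAIL"


def evaluate_bucket_versioning(cfg: Dict[str, str]) -> str:
    """PASS only when versioning and MFA Delete are both Enabled.

    get-bucket-versioning returns {} for a bucket that never had versioning
    turned on and omits MFADelete when it was never configured, so missing
    keys count as not enabled. A Suspended status also fails.
    """
    status = cfg.get("Status", "Disabled")
    mfa_delete = cfg.get("MFADelete", "Disabled")
    if status == "Enabled" and mfa_delete == "Enabled":
        return PASS
    return FAIL


def audit_trails(trails: Dict[str, List[Dict[str, str]]],
                 versioning_by_bucket: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each trail name to PASS/FAIL from its log bucket's versioning config."""
    results = {}
    for trail in trails.get("trailList", []):
        bucket = trail.get("S3BucketName")
        # A bucket we have no configuration for is treated like {} and fails.
        cfg = versioning_by_bucket.get(bucket, {})
        results[trail["Name"]] = evaluate_bucket_versioning(cfg)
    return results


# Constructed sample responses, shaped like the real CLI JSON output.
SAMPLE_TRAILS = {"trailList": [
    {"Name": "management-events", "S3BucketName": "ct-logs-hardened"},
    {"Name": "data-events", "S3BucketName": "ct-logs-versioned-only"},
    {"Name": "legacy-trail", "S3BucketName": "ct-logs-plain"},
]}
SAMPLE_VERSIONING = {
    "ct-logs-hardened": {"Status": "Enabled", "MFADelete": "Enabled"},
    "ct-logs-versioned-only": {"Status": "Enabled", "MFADelete": "Disabled"},
    "ct-logs-plain": {},  # versioning never enabled: empty response
}

if __name__ == "__main__":
    for name, verdict in audit_trails(SAMPLE_TRAILS, SAMPLE_VERSIONING).items():
        print(f"{verdict}: trail {name}")
```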