Vulnerabilities
Misconfiguration
Runtime Security
Compliance
AWS > Cloudtrail >

No Public Log Access

CRITICAL
Source
Trivy
Frameworks

CIS AWS 1.2

CIS AWS 1.4

ID
AVD-AWS-0161
cloudformation terraform

The S3 Bucket backing Cloudtrail should be private

CloudTrail logs will be publicly exposed, potentially containing sensitive information. CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account’s use or configuration.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Restrict public access to the S3 bucket

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

Resources:
  GoodExampleBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: my-bucket

  GoodExampleTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      S3BucketName: my-bucket
      TrailName: Cloudtrail

Restrict public access to the S3 bucket

1
2
3
4
5
6
7
8

resource "aws_cloudtrail" "good_example" {
  s3_bucket_name = aws_s3_bucket.example.id
}

resource "aws_s3_bucket" "example" {
  bucket = "example"
  acl    = "private"
}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use