Require Bucket Access Logging | Vulnerability Database

You should enable bucket access logging on the CloudTrail S3 bucket.

Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. CIS recommends that you enable bucket access logging on the CloudTrail S3 bucket. By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows.

Impact

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Enable access logging on the bucket

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


Resources:
  GoodExampleBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-bucket
      LoggingConfiguration:
        DestinationBucketName: logging-bucket
        LogFilePrefix: accesslogs/

  GoodExampleTrail:
    Type: AWS::CloudTrail::Trail
    Properties:
      IsLogging: true
      S3BucketName: my-bucket
      TrailName: Cloudtrail

Enable access logging on the bucket

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21


resource "aws_cloudtrail" "good_example" {
  is_multi_region_trail = true
  s3_bucket_name        = "abcdefgh"

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}

resource "aws_s3_bucket" "good_example" {
  bucket = "abcdefgh"
  logging {
    target_bucket = "target-bucket"
  }
}

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#is_multi_region_trail