Severity: LOW
Source: Trivy/CSPM
CSPM ID: s3-bucket-logging
ID: AVD-AWS-0089

S3 Bucket Logging

Ensures S3 bucket logging is enabled for S3 buckets

Impact

Follow the appropriate remediation steps below to resolve the issue.

Add a logging block to the resource to enable access logging (CloudFormation):

```yaml
Resources:
  GoodExample:
    Type: AWS::S3::Bucket
    Properties:
      LoggingConfiguration:
        DestinationBucketName: !Ref TestLoggingBucket
        LogFilePrefix: accesslogs/

  TestLoggingBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: LogDeliveryWrite
```

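
An offline check that applies this rule to a CloudFormation template in its JSON form (where the YAML `!Ref` appears as `{"Ref": ...}`). This is an added example, not Trivy's own implementation; it assumes, following the good example above, that the log-delivery bucket (AccessControl: LogDeliveryWrite) is exempt from logging its own access, and it additionally flags a bucket that names itself as destination.

```python
import json

BUCKET_TYPE = "AWS::S3::Bucket"

def destination_of(props):
    """Return (name, is_ref) for a bucket's logging destination: the logical id
    when given as {"Ref": ...} (JSON form of the YAML !Ref), or a literal name."""
    value = (props.get("LoggingConfiguration") or {}).get("DestinationBucketName")
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"], True
    if isinstance(value, str) and value:
        return value, False
    return None, False

def check_template(template):
    """Return (logical_id, finding) tuples for every bucket that fails the rule."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != BUCKET_TYPE:
            continue
        props = res.get("Properties") or {}
        # Assumption: the log-delivery bucket itself (AccessControl: LogDeliveryWrite,
        # as in the page's good example) is not required to log its own access.
        if props.get("AccessControl") == "LogDeliveryWrite":
            continue
        target, is_ref = destination_of(props)
        if target is None:
            findings.append((logical_id, "server access logging not configured"))
        elif target == logical_id:
            findings.append((logical_id, "bucket is its own logging destination"))
        elif is_ref and resources.get(target, {}).get("Type") != BUCKET_TYPE:
            findings.append((logical_id, f"destination {target} is not a bucket here"))
    return findings

# The page's GoodExample in CloudFormation JSON form (!Ref becomes {"Ref": ...}).
GOOD_TEMPLATE = json.loads("""{"Resources": {
  "GoodExample": {"Type": "AWS::S3::Bucket", "Properties": {"LoggingConfiguration": {
      "DestinationBucketName": {"Ref": "TestLoggingBucket"}, "LogFilePrefix": "accesslogs/"}}},
  "TestLoggingBucket": {"Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "LogDeliveryWrite"}}}}""")

# Constructed failing template: a bucket with no logging and one that logs to itself.
BAD_TEMPLATE = {"Resources": {
    "Unlogged": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "SelfLogging": {"Type": "AWS::S3::Bucket", "Properties": {
        "LoggingConfiguration": {"DestinationBucketName": {"Ref": "SelfLogging"}}}},
    "Queue": {"Type": "AWS::SQS::Queue"}}}
```

`check_template(GOOD_TEMPLATE)` returns no findings, while `check_template(BAD_TEMPLATE)` reports both misconfigured buckets and skips the non-bucket resource.
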
In the AWS Management Console:

  1. Log in to the AWS Management Console.

  2. Select the “Services” option and search for S3.

  3. Scroll down the left navigation panel and choose “Buckets”.

  4. Select the bucket that needs to be verified and click on its identifier (name) in the “Bucket name” column.

  5. Click on the “Properties” tab on the top menu.

  6. Check the “Server access logging” option under “Properties”; if it is set to “Disabled”, server access logging is not enabled for the selected S3 bucket.

  7. To enable server access logging, click on the “Edit” button under the “Server access logging” option. On the “Edit server access logging” page select “Enable” and choose the “Target bucket” from the dropdown menu for storing the logs.

  8. Click on the “Save changes” button to make the necessary changes.

  9. Repeat steps 4 - 8 to enable logging for other S3 buckets.

Add a logging block to the resource to enable access logging (Terraform):

```hcl
resource "aws_s3_bucket" "this" {
  bucket = "test-bucket"
  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log/"
  }
}

resource "aws_s3_bucket" "log_bucket" {
  bucket = "test-log-bucket"
}

resource "aws_s3_bucket_acl" "log_bucket" {
  acl    = "log-delivery-write"
  bucket = aws_s3_bucket.log_bucket.id
}
```
Or, with the separate `aws_s3_bucket_logging` resource:

```hcl
resource "aws_s3_bucket" "this" {
  bucket = "test-bucket"
}

resource "aws_s3_bucket_logging" "this" {
  bucket        = aws_s3_bucket.this.id
  target_bucket = aws_s3_bucket.log_bucket.id
  target_prefix = "log/"
}

resource "aws_s3_bucket" "log_bucket" {
  bucket = "test-log-bucket"
}

resource "aws_s3_bucket_acl" "log_bucket" {
  acl    = "log-delivery-write"
  bucket = aws_s3_bucket.log_bucket.id
}
```