Severity: MEDIUM
Source: Trivy/CSPM
CSPM ID: s3-bucket-logging
ID: AVD-AWS-0089

S3 Bucket does not have logging enabled.

Buckets should have logging enabled so that access can be audited.

Impact

Without server access logging there is no record of who accessed this bucket, so access cannot be audited or investigated after an incident.

Follow the appropriate remediation steps below to resolve the issue.

CloudFormation: add a LoggingConfiguration property to the bucket resource to enable access logging

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Properties:
      # Server access logs are delivered to logging-bucket under the accesslogs/ prefix.
      # The destination bucket must permit writes from the S3 log delivery service.
      LoggingConfiguration:
        DestinationBucketName: logging-bucket
        LogFilePrefix: accesslogs/
    Type: AWS::S3::Bucket
To verify and remediate the setting in the AWS Management Console:
  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for S3.
  3. Scroll down the left navigation panel and choose “Buckets”.
  4. Select the bucket that needs to be verified and click on its name in the “Bucket name” column.
  5. Click on the “Properties” tab on the top menu.
  6. Check the “Server access logging” setting under “Properties”; if it is set to “Disable logging”, server access logging is not enabled for the selected bucket.
  7. Repeat steps 2 to 6 to verify the other S3 buckets in the region.
  8. Select the S3 bucket on which logging needs to be enabled and click on the “Properties” tab.
  9. Click on the “Enable logging” option under “Server access logging”, choose the “Target bucket” from the dropdown menu for storing the logs, and provide a unique name under “Target prefix” for the subdirectory where the logs will be stored.
  10. Click on the “Save” button to apply the change.
  11. Repeat steps 8 to 10 to enable logging for the other S3 buckets.
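The same verify-then-enable procedure can be run against the S3 API instead of the console, which is how a CSPM check such as this one evaluates every bucket in an account. The following is an added example, not code from the AVD page or from Trivy. It assumes a boto3-style S3 client: get_bucket_logging returns a response with no LoggingEnabled element when logging is off, and put_bucket_logging takes a BucketLoggingStatus structure. A constructed in-memory FakeS3 stands in for the real client so the module runs offline; with boto3 installed, boto3.client("s3") can be passed to the same functions.

```python
"""Audit and remediate S3 server access logging (the AVD-AWS-0089 condition).

Added example, not from the AVD page. Assumes a boto3-style S3 client (see
FakeS3 below for the subset of the interface that is used).
"""
from dataclasses import dataclass


@dataclass
class Finding:
    bucket: str
    severity: str = "MEDIUM"
    check_id: str = "AVD-AWS-0089"
    message: str = "S3 Bucket does not have logging enabled."


def logging_target(s3, bucket):
    """Return (target_bucket, prefix) if access logging is on, else None.

    Mirrors console steps 5 and 6: a bucket whose logging configuration has
    no LoggingEnabled element is in the 'Disable logging' state."""
    cfg = s3.get_bucket_logging(Bucket=bucket).get("LoggingEnabled")
    if not cfg:
        return None
    return cfg["TargetBucket"], cfg.get("TargetPrefix", "")


def audit_buckets(s3, log_bucket_names=()):
    """Evaluate every bucket in the account (console step 7) and return one
    Finding per bucket without access logging. Buckets named in
    log_bucket_names are the log destinations themselves and are skipped:
    where their own access logs should go is a separate decision."""
    findings = []
    for entry in s3.list_buckets()["Buckets"]:
        name = entry["Name"]
        if name in log_bucket_names:
            continue
        if logging_target(s3, name) is None:
            findings.append(Finding(bucket=name))
    return findings


def enable_logging(s3, bucket, target_bucket, prefix):
    """Console steps 8 to 10 via the API: point `bucket` at `target_bucket`.

    The prefix is made unique per source bucket so that several buckets can
    share one target bucket without their log objects being mixed."""
    full_prefix = f"{prefix.rstrip('/')}/{bucket}/"
    s3.put_bucket_logging(
        Bucket=bucket,
        BucketLoggingStatus={
            "LoggingEnabled": {
                "TargetBucket": target_bucket,
                "TargetPrefix": full_prefix,
            }
        },
    )
    return full_prefix


def remediate_account(s3, target_bucket, prefix="accesslogs/", log_bucket_names=()):
    """Audit, enable logging on every finding (step 11), and return the names
    of the buckets that were fixed."""
    fixed = []
    for finding in audit_buckets(s3, log_bucket_names):
        enable_logging(s3, finding.bucket, target_bucket, prefix)
        fixed.append(finding.bucket)
    return fixed


class FakeS3:
    """Constructed stand-in for boto3's S3 client: an in-memory account with
    one log bucket, one correctly configured bucket and two unlogged ones."""

    def __init__(self):
        self.logging = {
            "app-data": {},
            "backups": {"LoggingEnabled": {"TargetBucket": "logging-bucket",
                                           "TargetPrefix": "accesslogs/"}},
            "uploads": {},
            "logging-bucket": {},
        }

    def list_buckets(self):
        return {"Buckets": [{"Name": name} for name in self.logging]}

    def get_bucket_logging(self, Bucket):
        return dict(self.logging[Bucket])

    def put_bucket_logging(self, Bucket, BucketLoggingStatus):
        self.logging[Bucket] = dict(BucketLoggingStatus)


if __name__ == "__main__":
    s3 = FakeS3()
    logs = {"logging-bucket"}
    print("before:", [f.bucket for f in audit_buckets(s3, logs)])
    print("fixed:", remediate_account(s3, "logging-bucket", log_bucket_names=logs))
    print("after:", [f.bucket for f in audit_buckets(s3, logs)])
```

The audit and the fix are deliberately separate functions: in a real account the audit output is a finding list for review, and the fix should only be applied to buckets whose owners have agreed on the target bucket, which also needs a bucket policy permitting the S3 log delivery service to write to it.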

Terraform: add a logging block to the bucket resource to enable access logging

resource "aws_s3_bucket" "good_example" {
  # Inline logging block: still accepted by the AWS provider, but deprecated
  # since provider v4 in favour of the separate aws_s3_bucket_logging resource.
  # target_prefix is optional here and sets the key prefix for log objects.
  logging {
    target_bucket = "target-bucket"
  }
}