LOW
Source
Trivy
Frameworks

CIS AWS 1.4

ID
AVD-AWS-0171

Object-level logging records S3 data-plane calls such as PutObject and DeleteObject as CloudTrail data events; a default trail captures only bucket-level management events. Enabling it helps you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behaviour in your AWS account, and take immediate action on object-level API activity in your S3 buckets through Amazon EventBridge (formerly CloudWatch Events).

Impact

Without object-level logging CloudTrail records only bucket-level management calls, so uploads, overwrites and deletions of the objects themselves cannot be audited after the fact.

Follow the appropriate remediation steps below to resolve the issue.

Enable object-level logging for S3 buckets by adding a CloudTrail event selector whose data_resource targets AWS::S3::Object for the bucket (or the value "arn:aws:s3", which covers every bucket in the account) with read_write_type set to "WriteOnly" or "All". Data events are billed separately from management events, so scope the selector to the buckets that need auditing.

resource "aws_s3_bucket" "good_example" {
  bucket = "my-bucket"
}

# The trail needs a name and a destination bucket for its log files (both are
# required arguments). The destination bucket must carry a bucket policy that
# allows CloudTrail to write to it; that policy is not shown here.
resource "aws_cloudtrail" "example" {
  name           = "object-write-logging"
  s3_bucket_name = "my-cloudtrail-logs" # placeholder: an existing bucket that receives the trail's logs

  event_selector {
    read_write_type           = "WriteOnly" # or "All"; "ReadOnly" would not satisfy this check
    include_management_events = true

    data_resource {
      type = "AWS::S3::Object"
      # The trailing slash selects every object in the bucket; "arn:aws:s3" would cover all buckets.
      values = ["${aws_s3_bucket.good_example.arn}/"]
    }
  }
}
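To verify the remediation outside Terraform, the following Python function evaluates CloudTrail event selectors for a list of bucket ARNs and reports whether each bucket's object writes are fully, partially or not logged. This is an added example, not code from this page or from the Trivy check itself. The trail dictionaries use the key names that `aws cloudtrail get-event-selectors` returns (EventSelectors and AdvancedEventSelectors), but the sample trails and bucket ARNs are constructed; the full/partial classification of ARN prefixes and the conservative handling of exclusion operators are this example's own assumptions.

```python
"""Offline audit of CloudTrail event selectors for S3 object-level write logging.

Added example, not code from the Trivy page or the Trivy check. Input shapes
mirror `aws cloudtrail get-event-selectors`; the sample data is constructed.
"""
from typing import Dict, List

# Values CloudTrail accepts for "every object in every bucket in the account".
ALL_BUCKETS = ("arn:aws:s3", "arn:aws:s3:::")
RANK = {"none": 0, "partial": 1, "full": 2}


def _coverage(values: List[str], bucket_arn: str) -> str:
    """Classify how a list of resources.ARN values covers one bucket.

    Assumption: the bucket ARN with or without a trailing slash means every
    object ('full'); a longer prefix means only a key prefix ('partial').
    """
    result = "none"
    for value in values:
        if value in ALL_BUCKETS or value in (bucket_arn, bucket_arn + "/"):
            return "full"
        if value.startswith(bucket_arn + "/"):
            result = "partial"
    return result


def _classic(selector: dict, bucket_arn: str) -> str:
    """Evaluate one classic EventSelector (the shape the Terraform above creates)."""
    # ReadWriteType defaults to "All"; "ReadOnly" never records PutObject/DeleteObject.
    if selector.get("ReadWriteType", "All") not in ("WriteOnly", "All"):
        return "none"
    best = "none"
    for resource in selector.get("DataResources", []):
        if resource.get("Type") != "AWS::S3::Object":
            continue
        cov = _coverage(resource.get("Values", []), bucket_arn)
        if RANK[cov] > RANK[best]:
            best = cov
    return best


def _advanced(selector: dict, bucket_arn: str) -> str:
    """Evaluate one AdvancedEventSelector. Exclusion operators on resources.ARN
    are not modelled; their presence is reported conservatively as 'partial'."""
    fields = {f["Field"]: f for f in selector.get("FieldSelectors", [])}
    if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
        return "none"
    if fields.get("resources.type", {}).get("Equals") != ["AWS::S3::Object"]:
        return "none"
    if fields.get("readOnly", {}).get("Equals") == ["true"]:
        return "none"  # read events only; writes are not logged
    arn = fields.get("resources.ARN")
    if arn is None:
        return "full"  # no ARN constraint: every bucket in the account
    if any(op in arn for op in ("NotEquals", "NotStartsWith", "NotEndsWith")):
        return "partial"
    return _coverage(arn.get("Equals", []) + arn.get("StartsWith", []), bucket_arn)


def object_write_logging(trails: List[dict], bucket_arns: List[str]) -> Dict[str, str]:
    """Map each bucket ARN to the best write-event coverage any trail gives it."""
    status = {b: "none" for b in bucket_arns}
    for trail in trails:
        for bucket in bucket_arns:
            results = [_classic(s, bucket) for s in trail.get("EventSelectors", [])]
            results += [_advanced(s, bucket) for s in trail.get("AdvancedEventSelectors", [])]
            for cov in results:
                if RANK[cov] > RANK[status[bucket]]:
                    status[bucket] = cov
    return status


# Constructed sample data: one trail scoped to a whole bucket (as the Terraform
# above produces) and one that only covers a key prefix of another bucket.
SAMPLE_TRAILS = [
    {
        "TrailName": "app-trail",
        "EventSelectors": [{
            "ReadWriteType": "WriteOnly",
            "IncludeManagementEvents": True,
            "DataResources": [{"Type": "AWS::S3::Object",
                               "Values": ["arn:aws:s3:::my-bucket/"]}],
        }],
    },
    {
        "TrailName": "partial-trail",
        "AdvancedEventSelectors": [{
            "Name": "uploads prefix only",
            "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
                {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::logs-bucket/uploads/"]},
            ],
        }],
    },
]
SAMPLE_BUCKETS = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::logs-bucket", "arn:aws:s3:::unlogged-bucket"]

if __name__ == "__main__":
    for bucket, cov in object_write_logging(SAMPLE_TRAILS, SAMPLE_BUCKETS).items():
        print(f"{bucket}: {cov}")
```

Against a live account, build the trail list from `aws cloudtrail describe-trails` followed by `aws cloudtrail get-event-selectors --trail-name <name>` for each trail, and the bucket ARNs from `aws s3api list-buckets`. Only "full" satisfies this check; a "partial" result means the trail logs writes for some key prefix but not the whole bucket. Organization trails owned by another account and CloudTrail Lake event data stores are not evaluated by this function.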