Skip to main content

πŸ›‘οΈ AWS Account Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled🟒

  • Contextual name: πŸ›‘οΈ Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled🟒
  • ID: /ce/ca/aws/account/object-level-cloudtrail-logging-for-read-events-for-buckets
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-b443805a3

Description​

Open File

Description​

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails do not log data events, so it is recommended to enable object-level logging for S3 buckets.

Rationale​

Enabling object-level logging helps you meet data compliance requirements, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account, and take immediate actions on object-level API activity within your S3 buckets using Amazon CloudWatch Events.

Impact​

Enabling logging for these object-level events may significantly increase the number of events logged and may incur additional cost.

Audit​

From Console​
  1. Login to the AWS Management Console and navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/
  2. In the left panel, click Trails and then click on the CloudTrail Name that you want to examine.
  3. Review General details.
  4. Confirm that Multi-region trail is set to Yes.
  5. Scroll down to Data events and confirm the configuration:

... see more

Remediation​

Open File

Remediation​

From Console​

  1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
  2. In the left navigation panel, click buckets and then click on the S3 Bucket Name that you want to examine.
  3. Click Properties tab to see in detail bucket configuration.
  4. In the AWS Cloud Trail data events section select the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by slicking the Configure in Cloudtrail button or navigating to the Cloudtrail console https://console.aws.amazon.com/cloudtrail/`.
  5. Once the Cloudtrail is selected, Select the data Data Events check box.
  6. Select S3 from the Data event type drop down.
  7. Select Log all events from the Log selector template drop down.
  8. Repeat steps 2 to 7 to enable object-level logging of read events for other S3 buckets.

From Command Line​

  1. To enable object-level data events logging for S3 buckets within your AWS account, run the put-event-selectors command using the name of the trail that you want to reconfigure as the identifier:

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket1no data
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket1no data
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket - Level 2 (Automated)1no data
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 3.11 Ensure that Object-level logging for read events is enabled for S3 bucket - Level 2 (Automated)1no data
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 3.9 Ensure that Object-level logging for read events is enabled for S3 bucket - Level 2 (Automated)1no data
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 3.9 Ensure that object-level logging for read events is enabled for S3 buckets (Automated)1no data
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 3.9 Ensure that object-level logging for read events is enabled for S3 buckets (Automated)1no data
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 3.9 Ensure that object-level logging for read events is enabled for S3 buckets (Automated)1no data
πŸ’Ό CIS AWS v6.0.0 β†’ πŸ’Ό 4.9 Ensure that object-level logging for read events is enabled for S3 buckets (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration77no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3784no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)84no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)84no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties133no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected184no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage123no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15559no data