Skip to main content

πŸ›‘οΈ AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled🟒

  • Contextual name: πŸ›‘οΈ Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled🟒
  • ID: /ce/ca/aws/account/object-level-cloudtrail-logging-for-write-events-for-buckets
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-b443805a3

Description​

Open File

Description​

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.

Rationale​

Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.

Impact​

Enabling logging for these object level events may significantly increase the number of events logged and may incur additional cost.

Audit​

From Console​
  1. Login to the AWS Management Console and navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/
  2. In the left panel, click Trails and then click on the CloudTrail Name that you want to examine.
  3. Review General details.
  4. Confirm that Multi-region trail is set to Yes.

... see more

Remediation​

Open File

Remediation​

From Console​

  1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
  2. In the left navigation panel, click buckets and then click on the S3 Bucket Name that you want to examine.
  3. Click Properties tab to see in detail bucket configuration.
  4. In the AWS Cloud Trail data events section select the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by slicking the Configure in Cloudtrail button or navigating to the Cloudtrail console https://console.aws.amazon.com/cloudtrail/`.
  5. Once the Cloudtrail is selected, Select the data Data Events check box.
  6. Select S3 from the Data event type drop down.
  7. Select Log all events from the Log selector template drop down.
  8. Repeat steps 2 to 7 to enable object-level logging of write events for other S3 buckets.

From Command Line​

  1. To enable object-level data events logging for S3 buckets within your AWS account, run put-event-selectors command using the name of the trail that you want to reconfigure as identifier:

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket1no data
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket1no data
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket - Level 2 (Automated)1no data
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket - Level 2 (Automated)1no data
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 3.8 Ensure that Object-level logging for write events is enabled for S3 bucket - Level 2 (Automated)1no data
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 3.8 Ensure that object-level logging for write events is enabled for S3 buckets (Automated)1no data
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 3.8 Ensure that object-level logging for write events is enabled for S3 buckets (Automated)1no data
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 3.8 Ensure that object-level logging for write events is enabled for S3 buckets (Automated)1no data
πŸ’Ό CIS AWS v6.0.0 β†’ πŸ’Ό 4.8 Ensure that object-level logging for write events is enabled for S3 buckets (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration65no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3768no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)68no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)68no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties116no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected142no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage95no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15540no data