Skip to main content

πŸ“ AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled 🟒

  • Contextual name: πŸ“ Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled 🟒
  • ID: /ce/ca/aws/account/object-level-cloudtrail-logging-for-write-events-for-buckets
  • Located in: πŸ“ AWS Account

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-b443805a3

Logic​

Description​

Open File

Description​

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.

Rationale​

Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.

Impact​

Enabling logging for these object level events may significantly increase the number of events logged and may incur additional cost.

Audit​

From Console​
  1. Login to the AWS Management Console and navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/
  2. In the left panel, click Trails and then click on the CloudTrail Name that you want to examine.
  3. Review General details.
  4. Confirm that Multi-region trail is set to Yes.

... see more

Remediation​

Open File

Remediation​

From Console​

  1. Login to the AWS Management Console and navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
  2. In the left navigation panel, click buckets and then click on the S3 Bucket Name that you want to examine.
  3. Click Properties tab to see in detail bucket configuration.
  4. In the AWS Cloud Trail data events section select the CloudTrail name for the recording activity. You can choose an existing Cloudtrail or create a new one by slicking the Configure in Cloudtrail button or navigating to the Cloudtrail console https://console.aws.amazon.com/cloudtrail/`.
  5. Once the Cloudtrail is selected, Select the data Data Events check box.
  6. Select S3 from the Data event type drop down.
  7. Select Log all events from the Log selector template drop down.
  8. Repeat steps 2 to 7 to enable object-level logging of write events for other S3 buckets.

From Command Line​

  1. To enable object-level data events logging for S3 buckets within your AWS account, run put-event-selectors command using the name of the trail that you want to reconfigure as identifier:

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket1
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket1
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket - Level 2 (Automated)1
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 3.10 Ensure that Object-level logging for write events is enabled for S3 bucket - Level 2 (Automated)1
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 3.8 Ensure that Object-level logging for write events is enabled for S3 bucket - Level 2 (Automated)1
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 3.8 Ensure that object-level logging for write events is enabled for S3 buckets (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 3.8 Ensure that object-level logging for write events is enabled for S3 buckets (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 3.8 Ensure that object-level logging for write events is enabled for S3 buckets (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration49
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3747
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage40
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-3 Access Enforcement15417