Skip to main content

πŸ›‘οΈ AWS CloudTrail S3 Bucket Access Logging is not enabled.🟒

  • Contextual name: πŸ›‘οΈ S3 Bucket Access Logging is not enabled.🟒
  • ID: /ce/ca/aws/cloudtrail/s3-bucket-access-logging
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-e00143332

Description​

Open File

Description​

Server access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that server access logging be enabled on the CloudTrail S3 bucket.

Rationale​

By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.

Audit​

Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:

From Console​
  1. Go to the Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/home.
  2. In the API activity history pane on the left, click Trails.
  3. In the Trails pane, note the bucket names in the S3 bucket column.
  4. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.

... see more

Remediation​

Open File

Remediation​

Perform the following to enable S3 bucket logging:

From Console​

  1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
  2. Under All Buckets click on the target S3 bucket.
  3. Click on Properties in the top right of the console.
  4. Under Bucket: <s3_bucket_for_cloudtrail> click on Logging.
  5. Configure bucket logging:
    • Click on the Enabled checkbox.
    • Select Target Bucket from list.
    • Enter a Target Prefix.
  6. Click Save.

From Command Line​

  1. Get the name of the S3 bucket that CloudTrail is logging to:
aws cloudtrail describe-trails --region <region-name> --query trailList[*].S3BucketName
  1. Copy and add target bucket name at <Logging_BucketName>, Prefix for logfile at <LogFilePrefix> and optionally add an email address in the following template and save it as <FileName.Json>:
{ 
    "LoggingEnabled": { 
        "TargetBucket": "<Logging_BucketName>", 
        "TargetPrefix": "<LogFilePrefix>", 
        "TargetGrants": [ 

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;1922no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό h. audit logging and monitoring of access to information assets by all users;89no data
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [S3.9] S3 general purpose buckets should have server access logging enabled12no data
πŸ’Ό CIS AWS v1.2.0 β†’ πŸ’Ό 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket1no data
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket1no data
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket1no data
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - Level 1 (Automated)1no data
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - Level 1 (Automated)1no data
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 3.4 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket - Level 1 (Automated)1no data
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 3.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket (Automated)1no data
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 3.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket (Automated)1no data
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 3.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket (Manual)1no data
πŸ’Ό CIS AWS v6.0.0 β†’ πŸ’Ό 4.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket (Manual)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration72no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)18no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)728no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)23no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)134no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)62037no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)13no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(4) Central Review and Analysis (H)13no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-10 Non-repudiation (H)12no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)1618no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)270no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)222no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3 Configuration Change Control (M)(H)437no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(20) Privileged Users (H)4853no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)23no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)20no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)24no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)18no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)70no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)122no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)18no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)28no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)23no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)134no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)237no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)13no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-11 Audit Record Retention (L)(M)(H)18no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)70no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)222no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-3 Configuration Change Control (M)(H)221no data
πŸ’Ό GDPR β†’ πŸ’Ό Art. 30 Records of processing activities23no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.12.4.1 Event logging1518no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-2: Detected events are analyzed to understand attack targets and methods1824no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-3: Event data are collected and correlated from multiple sources and sensors1838no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1863no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events2026no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed1824no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.DP-4: Event detection information is communicated2933no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations1519no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy1633no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.AN-1: Notifications from detection systems are investigated1824no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.CO-2: Incidents are reported consistent with established criteria1922no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-02: Potentially adverse events are analyzed to better understand associated activities45no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources60no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-06: Information on adverse events is provided to authorized staff and tools33no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis38no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events170no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-02: The physical environment is monitored to find potentially adverse events22no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events95no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events45no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events170no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship26no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-01: Improvements are identified from evaluations37no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties51no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities52no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded41no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked41no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-10: Critical suppliers are assessed prior to acquisition26no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging22no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.CO-02: Internal and external stakeholders are notified of incidents31no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.MA-02: Incident reports are triaged and validated25no data
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό AU-2 AUDIT EVENTS434no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(4) Account Management _ Automated Audit Actions1418no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(26) Information Flow Enforcement _ Audit Filtering Actions14no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6(9) Least Privilege _ Log Use of Privileged Functions1721no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-2 Event Logging423no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-3 Content of Audit Records31334no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories13no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis13no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-10 Non-repudiation512no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44770no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-7 Continuous Monitoring622no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3 Configuration Change Control81737no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic29no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands9no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-4(20) System Monitoring _ Privileged Users8no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events13no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2 Implement automated audit trails for all system components.7630no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1 Audit logs are enabled and active for all system components and cardholder data.729no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1 Audit logs are enabled and active for all system components and cardholder data.7129no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-8 Manages Identification and Authentication1824no data