Description
Server access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that server access logging be enabled on the CloudTrail S3 bucket.
Rationaleβ
By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.
Auditβ
Perform the following ensure the CloudTrail S3 bucket has access logging is enabled:
From Consoleβ
- Go to the Amazon CloudTrail console at https://console.aws.amazon.com/cloudtrail/home.
- In the API activity history pane on the left, click
Trails. - In the Trails pane, note the bucket names in the
S3 bucketcolumn. - Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
- Under
All Bucketsclick on atarget S3 bucket. - Click on
Propertiesin the top right of the console. - Under
Bucket: <bucket_name>click onLogging. - Ensure
Enabledis checked.
From Command Lineβ
- Get the name of the S3 bucket that CloudTrail is logging to:
aws cloudtrail describe-trails --query 'trailList[*].S3BucketName'
- Ensure Bucket Logging is enabled:
aws s3api get-bucket-logging --bucket <s3_bucket_for_cloudtrail>
Ensure command does not return empty output.
Sample Output for a bucket with logging enabled:
{
"LoggingEnabled": {
"TargetPrefix": "<log-file-prefix>",
"TargetBucket": "<logging-bucket>"
}
}
Default Valueβ
Logging is disabled.