AWS CloudTrail S3 Bucket Has Access Logging Enabled - Panther Docs

Docs Home Panther.com Release Notes Demo Request

Search…

Data Sources & Transports

Writing Detections

Cloud Security Scanning

Enrichment (Beta)

System Configuration

Built-in Policies

AWS CloudTrail Is Enabled In All Regions

AWS CloudTrail Sending To CloudWatch Logs

AWS KMS CMK Key Rotation Is Enabled

AWS Application Load Balancer Has Web ACL

AWS Access Keys Are Used Every 90 Days

AWS Access Keys are Rotated Every 90 Days

AWS ACM Certificate Is Not Expired

AWS Access Keys not Created During Account Creation

AWS CloudTrail Has Log Validation Enabled

AWS CloudTrail S3 Bucket Has Access Logging Enabled

AWS CloudTrail Logs S3 Bucket Not Publicly Accessible

AWS Config Is Enabled for Global Resources

AWS DynamoDB Table Has Autoscaling Targets Configured

AWS DynamoDB Table Has Autoscaling Enabled

AWS DynamoDB Table Has Encryption Enabled

AWS EC2 AMI Launched on Approved Host

AWS EC2 AMI Launched on Approved Instance Type

AWS EC2 AMI Launched With Approved Tenancy

AWS EC2 Instance Has Detailed Monitoring Enabled

AWS EC2 Instance Is EBS Optimized

AWS EC2 Instance Running on Approved AMI

AWS EC2 Instance Running on Approved Instance Type

AWS EC2 Instance Running in Approved VPC

AWS EC2 Instance Running On Approved Host

AWS EC2 Instance Running With Approved Tenancy

AWS EC2 Instance Volumes Are Encrypted

AWS EC2 Volume Is Encrypted

AWS GuardDuty is Logging to a Master Account

AWS GuardDuty Is Enabled

AWS IAM Group Has Users

AWS IAM Policy Blocklist Is Respected

AWS IAM Policy Does Not Grant Full Administrative Privileges

AWS IAM Policy Is Not Assigned Directly To User

AWS IAM Policy Role Mapping Is Respected

AWS IAM User Has MFA Enabled

AWS IAM Password Used Every 90 Days

AWS Password Policy Enforces Complexity Guidelines

AWS Password Policy Enforces Password Age Limit Of 90 Days Or Less

AWS Password Policy Prevents Password Reuse

AWS RDS Instance Is Not Publicly Accessible

AWS RDS Instance Snapshots Are Not Publicly Accessible

AWS RDS Instance Has Storage Encrypted

AWS RDS Instance Has Backups Enabled

AWS RDS Instance Has High Availability Configured

AWS Redshift Cluster Allows Version Upgrades

AWS Redshift Cluster Has Encryption Enabled

AWS Redshift Cluster Has Logging Enabled

AWS Redshift Cluster Has Correct Preferred Maintenance Window

AWS Redshift Cluster Has Sufficient Snapshot Retention Period

AWS Resource Has Minimum Number of Tags

AWS Resource Has Required Tags

AWS Root Account Has MFA Enabled

AWS Root Account Does Not Have Access Keys

AWS S3 Bucket Name Has No Periods

AWS S3 Bucket Not Publicly Readable

AWS S3 Bucket Not Publicly Writeable

AWS S3 Bucket Policy Does Not Use Allow With Not Principal

AWS S3 Bucket Policy Enforces Secure Access

AWS S3 Bucket Policy Restricts Allowed Actions

AWS S3 Bucket Policy Restricts Principal

AWS S3 Bucket Has Versioning Enabled

AWS S3 Bucket Has Encryption Enabled

AWS S3 Bucket Lifecycle Configuration Expires Data

AWS S3 Bucket Has Logging Enabled

AWS S3 Bucket Has MFA Delete Enabled

AWS S3 Bucket Has Public Access Block Enabled

AWS Security Group Restricts Ingress On Administrative Ports

AWS VPC Default Security Group Restricts All Traffic

AWS VPC Flow Logging Enabled

AWS WAF Has Correct Rule Ordering

AWS CloudTrail Logs Encrypted Using KMS CMK

Panther API (Beta)

Powered By GitBook

AWS CloudTrail S3 Bucket Has Access Logging Enabled

Risk
Remediation Effort
High
Low
This policy validates that CloudTrail Logs are logging to an S3 bucket where access logging is configured.
Access logs provide an audit trail of all activity to the bucket, and can be used to verify no unauthorized activity has occurred. CloudTrail logs include detailed events of what happens in your AWS environment, and it is a security best practice to monitor who is accessing, modifying, or deleting these logs.
Remediation
To remediate this, enable S3 bucket access logging for the S3 bucket that is failing on this rule.
Using the AWS Console
1. Navigate to the S3 Console.
2. Select the name of the S3 bucket for the relevant CloudTrail to enable S3 bucket access logging.
3. Select the "Properties" tab.
4. Select "Server access logging".
5. Select the "Enable logging" radio button.
6. Choose a destination S3 bucket to log to and a prefix (if desired), then select the "Save" button.
Using the AWS CLI
1. First, permissions must be set on the target S3 bucket to allow the CloudTrail S3 bucket to write its access logs to it. Run the following command:
aws s3api put-bucket-acl --bucket <target_bucket_name> --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery​
2. You must create a logging policy document to put on the S3 bucket. This document dictates where to log, and who can view the logs. Create this document and save it somewhere to be referred to in the next step. See below for an example, which could be stored in a file at for example /tmp/logging.json.
3. Put the newly created logging policy onto the bucket. Run the following command replacing <path_to_policy> with the path to the logging policy created in step 2:
aws s3api put-bucket-logging --bucket <cloudtrail_bucket_name> --bucket-logging-status file://<path_to_policy>
Example logging policy. This is just one example, grantees can be of several forms. See the AWS user documentation for further details.
1
{
2
 "LoggingEnabled": {
3
 "TargetBucket": "<target_bucket>",
4
 "TargetPrefix": "<optional_prefix>/",
5
 "TargetGrants": [
6
 {
7
 "Grantee": {
8
 "DisplayName": "<user_name>",
9
 "ID": "<user_id>",
10
 "Type": "CanonicalUser"
11
 },
12
 "Permission": "FULL_CONTROL"
13
 }
14
 ]
15
 }
16
}
Copied!
References
CIS AWS Benchmark 2.6 "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket"

AWS CloudTrail Has Log Validation Enabled

AWS CloudTrail Logs S3 Bucket Not Publicly Accessible

Last modified 1yr ago

Copy link