CloudWiki
Rules
Medium

Ensure S3 buckets associated with CloudTrail trails are configured with server access logging

Security & Compliance
Description

To enhance AWS cloud security audits, ensure that the S3 buckets associated with your CloudTrail trails (the trails' target buckets) have the S3 Server Access Logging feature enabled. CloudTrail buckets contain sensitive information and should be protected from unauthorized access. Server access logging records every request made against the target bucket, which helps you identify unauthorized access attempts and investigate potential security breaches. The access logs themselves can also be protected so that only a limited set of principals can alter or delete them; this prevents a user from covering their tracks and preserves the integrity of the audit trail.

Remediation

Here are the remediation steps to ensure that the S3 buckets associated with CloudTrail trails are configured with server access logging:

  1. Open the Amazon S3 console.
  2. Navigate to the S3 bucket used for storing CloudTrail logs (target bucket).
  3. Click on the "Properties" tab.
  4. Under "Advanced settings," click on "Server access logging."
  5. Click "Enable logging."
  6. Choose the target bucket and prefix for the server access logs.
  7. Click on the "Create a new S3 bucket" link to create a new S3 bucket for storing the access logs, or choose an existing S3 bucket.
  8. Choose the permissions for the access logs S3 bucket, including who can write to and read from the bucket.
  9. Click "Save."
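The console steps above can be audited and reproduced from the CLI. The following Python helper is an added example for this page, not Lightlytics or CloudWiki code: it takes the JSON that `aws cloudtrail describe-trails` and `aws s3api get-bucket-logging` return, flags trail target buckets that have no server access logging (or that log to themselves, which only records the log writes), and builds the two payloads needed to remediate: the `BucketLoggingStatus` body for `aws s3api put-bucket-logging` and the bucket policy that lets the S3 logging service principal write into the access-log bucket. All bucket names, the account id and the sample JSON are constructed.

```python
"""Audit helper for the rule above: find CloudTrail target buckets that lack
S3 server access logging and build the payloads needed to enable it.

Added example, not Lightlytics/CloudWiki code. Bucket names, the account id and
the JSON below are constructed sample data in the shape that
`aws cloudtrail describe-trails` and `aws s3api get-bucket-logging` return.
"""
import json

# Constructed sample: output of `aws cloudtrail describe-trails`
DESCRIBE_TRAILS = {
    "trailList": [
        {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs", "HomeRegion": "us-east-1"},
        {"Name": "dev-trail", "S3BucketName": "example-dev-trail-logs", "HomeRegion": "us-east-1"},
        {"Name": "self-logged", "S3BucketName": "example-self-logged", "HomeRegion": "us-east-1"},
    ]
}

# Constructed sample: `aws s3api get-bucket-logging --bucket <name>` per bucket.
# An empty object means server access logging is disabled on that bucket.
BUCKET_LOGGING = {
    "example-cloudtrail-logs": {},
    "example-dev-trail-logs": {
        "LoggingEnabled": {"TargetBucket": "example-s3-access-logs", "TargetPrefix": "dev-trail/"}
    },
    "example-self-logged": {
        "LoggingEnabled": {"TargetBucket": "example-self-logged", "TargetPrefix": "logs/"}
    },
}


def trail_target_buckets(describe_trails):
    """Return the distinct S3 buckets that the CloudTrail trails write to."""
    return sorted({
        t["S3BucketName"] for t in describe_trails.get("trailList", []) if t.get("S3BucketName")
    })


def find_noncompliant(describe_trails, bucket_logging):
    """Map each non-compliant trail bucket to the reason it fails the rule."""
    findings = {}
    for bucket in trail_target_buckets(describe_trails):
        enabled = bucket_logging.get(bucket, {}).get("LoggingEnabled")
        if not enabled:
            findings[bucket] = "server access logging disabled"
        elif enabled.get("TargetBucket") == bucket:
            # Logging a bucket to itself records each log write as a new request,
            # so the bucket fills with records of its own logging.
            findings[bucket] = "access logs delivered to the source bucket itself"
    return findings


def build_logging_config(target_bucket, prefix):
    """Body for `aws s3api put-bucket-logging --bucket-logging-status file://...`."""
    return {"LoggingEnabled": {"TargetBucket": target_bucket, "TargetPrefix": prefix}}


def build_log_delivery_policy(source_bucket, target_bucket, prefix, account_id):
    """Bucket policy for the access-log bucket that lets the S3 logging service
    write logs, restricted to one source bucket and one account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {"Service": "logging.s3.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{target_bucket}/{prefix}*",
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{source_bucket}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


if __name__ == "__main__":
    # Constructed values for the access-log bucket and the owning account.
    log_bucket, account = "example-s3-access-logs", "111111111111"
    for bucket, reason in find_noncompliant(DESCRIBE_TRAILS, BUCKET_LOGGING).items():
        print(f"{bucket}: {reason}")
        print(json.dumps(build_logging_config(log_bucket, f"{bucket}/"), indent=2))
        print(json.dumps(build_log_delivery_policy(bucket, log_bucket, f"{bucket}/", account), indent=2))
```

Keep the access-log bucket separate from the CloudTrail bucket and in the same region, and scope the policy's `aws:SourceArn` condition to the CloudTrail bucket so no other source can write into the log prefix; write and delete rights on the access-log bucket should then be limited to the audit role, which is what preserves the integrity of the trail described above.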

Once you have enabled server access logging, you can review the logs to track access to the CloudTrail logs stored in the target bucket. This allows you to monitor who has accessed the data and identify any unauthorized access attempts. Additionally, you can limit who can alter or delete the access logs to prevent tampering and maintain the integrity of the audit trail.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.