CloudWiki
Rules
Critical

Ensure the S3 bucket for CloudTrail logs is not publicly accessible

Security & Compliance
Description

If the permissions for your CloudTrail trail buckets are too permissive or insecure, this could result in malicious users gaining access to your logging data, significantly increasing the risk of unauthorized access. As an illustration, this conformity rule provides a method for identifying CloudTrail buckets that allow public access through Access Control Lists (ACLs). It is important to note that public access can also be granted through bucket policies. To ensure the security of your AWS cloud account, it is recommended that you check for publicly accessible CloudTrail trail log buckets (i.e., target buckets). This can help you identify potential security risks and take steps to mitigate them.

Remediation

To remediate publicly accessible CloudTrail trail log buckets, you can follow these steps:

  1. Log in to the AWS Management Console and navigate to the Amazon S3 console.
  2. Identify the CloudTrail bucket that is publicly accessible.
  3. Select the bucket and click on the "Permissions" tab.
  4. Under the "Access control list" section, remove any entries that grant public access to the bucket.
  5. Under the "Bucket policy" section, review and modify the policy to ensure that public access is not granted.
  6. If necessary, modify the bucket policy to restrict access to specific IP ranges or AWS accounts.
  7. Click on the "Save" button to apply the changes.

After following these steps, the CloudTrail trail log bucket should no longer be publicly accessible, and access to the bucket will be restricted to authorized users and services. It is recommended to periodically review the bucket permissions and policies to ensure that public access is not inadvertently granted. Additionally, you can enable logging and monitoring for the CloudTrail trail log bucket to detect any unauthorized access attempts.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.