
You should enable bucket access logging on the CloudTrail S3 bucket.

Default Severity: low

Explanation

Amazon S3 bucket access logging generates a log that contains an access record for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the date and time the request was processed.

CIS recommends that you enable bucket access logging on the CloudTrail S3 bucket.

By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows.

Possible Impact

Without access logging there is no record of who read or modified the CloudTrail bucket, or when, so tampering with or exfiltration of the audit trail itself cannot be traced.

Suggested Resolution

Enable access logging on the bucket

Insecure Example

The following example will fail the aws-cloudtrail-require-bucket-access-logging check.

resource "aws_cloudtrail" "bad_example" {
  s3_bucket_name = "abcdefgh"

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}

# The bucket the trail writes to has no logging configuration, so the check fails.
resource "aws_s3_bucket" "bad_example" {
  bucket = "abcdefgh"
}

Secure Example

The following example will pass the aws-cloudtrail-require-bucket-access-logging check.

resource "aws_cloudtrail" "good_example" {
  is_multi_region_trail = true
  s3_bucket_name        = "abcdefgh"

  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
    }
  }
}

# Server access logging for the trail bucket is delivered to a separate bucket.
resource "aws_s3_bucket" "good_example" {
  bucket = "abcdefgh"

  logging {
    target_bucket = "target-bucket"
  }
}
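As an added example, not code from the check itself, here is the same arrangement written against the current AWS provider, where the inline `logging` block has moved into the separate `aws_s3_bucket_logging` resource, together with the target-bucket policy that the S3 log delivery service principal needs before any access log is actually written. Bucket names are hypothetical, and the trail resource and CloudTrail's own delivery policy on the trail bucket are assumed to exist as in the secure example above.

```hcl
data "aws_caller_identity" "current" {}

# Bucket that CloudTrail writes its log files to (hypothetical name).
resource "aws_s3_bucket" "trail" {
  bucket = "example-cloudtrail-logs"
}

# Separate bucket that receives the server access logs for the trail bucket.
resource "aws_s3_bucket" "access_logs" {
  bucket = "example-cloudtrail-access-logs"
}

# Enable server access logging on the trail bucket; this is what the check looks for.
resource "aws_s3_bucket_logging" "trail" {
  bucket        = aws_s3_bucket.trail.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "cloudtrail-bucket/"
}

# The logging setting alone delivers nothing: the S3 log delivery
# service principal must be allowed to write into the target bucket.
data "aws_iam_policy_document" "access_logs" {
  statement {
    sid       = "S3ServerAccessLogsPolicy"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.access_logs.arn}/cloudtrail-bucket/*"]
    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }
    # Only accept logs that are about the trail bucket and come from this account.
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.trail.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id
  policy = data.aws_iam_policy_document.access_logs.json
}
```

Keeping the access-log bucket separate from the trail bucket also avoids S3 logging its own log deliveries into the bucket it is logging.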