Skip to content

enable-bucket-logging

Default Severity: medium

Explanation

Buckets should have logging enabled so that access can be audited.

Possible Impact

There is no way to determine the access to this bucket

Suggested Resolution

Add a logging block to the resource to enable access logging

Insecure Example

The following example will fail the aws-s3-enable-bucket-logging check.

resource "aws_s3_bucket" "bad_example" {

}

Secure Example

The following example will pass the aws-s3-enable-bucket-logging check.

resource "aws_s3_bucket" "good_example" {
    logging {
        target_bucket = "target-bucket"
    }
}