lacework-global-81
3.11 Ensure that Object-level logging for read events is enabled for S3 bucket (Automated)
Profile Applicability
• Level 2
Description
S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails do not log data events, so it is recommended to enable object-level logging for S3 buckets.
Rationale
Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity using Amazon CloudWatch Events.
Audit
From Console
- Login to the AWS Management Console and navigate to the S3 dashboard at https://console.aws.amazon.com/s3/
- In the left navigation panel, click Buckets and then click on the S3 bucket name that you want to examine.
- Click the Properties tab to see the bucket configuration in detail.
- If the current status for Object-level logging is set to Disabled, then object-level logging of read events for the selected S3 bucket is not set.
- If the current status for Object-level logging is set to Enabled but the Read event check-box is unchecked, then object-level logging of read events for the selected S3 bucket is not set.
- Repeat steps 2 to 5 to verify object-level logging for read events of your other S3 buckets.
From Command Line
- Run the describe-trails command to list the names of all Amazon CloudTrail trails currently available in the selected AWS region:
aws cloudtrail describe-trails --region <region-name> --output table --query trailList[*].Name
- The command output will be a table of the requested trail names.
- Run the get-event-selectors command using the name of the trail returned at the previous step and custom query filters to determine if the Data events logging feature is enabled within the selected CloudTrail trail configuration for S3 bucket resources:
aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query EventSelectors[*].DataResources[]
- The command output should be an array that contains the configuration of the AWS resource (S3 bucket) defined for the Data events selector.
- If the get-event-selectors command returns an empty array, Data events are not included in the selected AWS CloudTrail logging configuration; therefore the S3 object-level API operations performed within your AWS account are not recorded.
- Repeat steps 1 to 5 for each S3 bucket to identify other trails that are missing the capability to log Data events.
- Change the AWS region by updating the --region command parameter and perform the audit process for other regions.
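The manual check above can be automated. The following is an added example, not part of the benchmark text: it evaluates event selectors shaped like the EventSelectors array returned by get-event-selectors and reports which trails do not record read data events for a given bucket. The trail names and selector values are constructed sample data; trails that use AdvancedEventSelectors instead are not evaluated by this check.

```python
from typing import Iterable

# Account-wide prefixes: "arn:aws:s3" (as in the remediation step) covers all buckets.
ALL_BUCKETS_PREFIXES = ("arn:aws:s3", "arn:aws:s3:::")


def bucket_read_events_logged(event_selectors: Iterable[dict], bucket_name: str) -> bool:
    """True if at least one selector records read data events for every object in the bucket.

    A selector qualifies when its ReadWriteType is "ReadOnly" or "All" (the API default
    when the key is absent is "All") and one of its AWS::S3::Object values is either an
    account-wide prefix or a prefix of the bucket's object ARN "arn:aws:s3:::<bucket>/".
    A value scoped to a key prefix inside the bucket does not qualify, since GetObject calls
    on other keys would go unrecorded.
    """
    object_arn = f"arn:aws:s3:::{bucket_name}/"
    for selector in event_selectors:
        if selector.get("ReadWriteType", "All") not in ("ReadOnly", "All"):
            continue  # WriteOnly selectors never capture GetObject
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            for value in resource.get("Values", []):
                if value in ALL_BUCKETS_PREFIXES or object_arn.startswith(value):
                    return True
    return False


def trails_missing_read_logging(trails: dict, bucket_name: str) -> list:
    """Return the names (sorted) of trails whose selectors do not cover the bucket's reads."""
    return sorted(name for name, sel in trails.items()
                  if not bucket_read_events_logged(sel, bucket_name))


def s3_resource(read_write_type: str, values: list) -> dict:
    return {"ReadWriteType": read_write_type, "IncludeManagementEvents": True,
            "DataResources": [{"Type": "AWS::S3::Object", "Values": values}]}


# Constructed sample: four trails with differing selector configurations.
SAMPLE_TRAILS = {
    "read-only-trail": [s3_resource("ReadOnly", ["arn:aws:s3:::finance-reports/"])],
    "all-buckets-trail": [s3_resource("All", ["arn:aws:s3"])],
    "write-only-trail": [s3_resource("WriteOnly", ["arn:aws:s3:::finance-reports/"])],
    # What an empty `--query EventSelectors[*].DataResources[]` result looks like:
    "mgmt-only-trail": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                         "DataResources": []}],
}

if __name__ == "__main__":
    for trail in trails_missing_read_logging(SAMPLE_TRAILS, "finance-reports"):
        print(f"{trail}: S3 read data events for finance-reports are NOT logged")
```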
Remediation
From Console
- Login to the AWS Management Console and navigate to the S3 dashboard at https://console.aws.amazon.com/s3/
- In the left navigation panel, click Buckets and then click on the S3 bucket name that you want to examine.
- Click the Properties tab to see the bucket configuration in detail.
- Click on the Object-level logging setting and enter the CloudTrail name for the recording activity. You can choose an existing CloudTrail or create a new one by navigating to the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
- Once the CloudTrail is selected, check the Read event checkbox so that object-level logging for Read events is enabled.
- Repeat steps 2 to 5 to enable object-level logging of read events for other S3 buckets.
From Command Line
- To enable object-level data events logging for S3 buckets within your AWS account, run the put-event-selectors command using the name of the trail that you want to reconfigure as identifier:
aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "ReadOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]'
- The command output will be the object-level event trail configuration.
- If you want to enable it for all buckets at once, change the Values parameter to ["arn:aws:s3"] in the command given above.
- Repeat step 1 for each S3 bucket to update object-level logging of read events.
- Change the AWS region by updating the --region command parameter and perform the process for other regions.
References
https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html