Check for any AWS CloudTrail logging buckets that are publicly accessible, in order to determine if your AWS account could be at risk.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on the compliance standards supported by Conformity, see the Conformity documentation.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using an overly permissive or insecure set of permissions on your CloudTrail logging S3 buckets could give malicious users access to your AWS account's log data, which significantly increases the risk of unauthorized access.
Audit
To determine if your CloudTrail logging buckets are publicly accessible, perform the following:
Remediation / Resolution
To remove public access to your CloudTrail logging bucket, you need to perform the following:
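As an added example (not part of the Conformity rule page or its tool), the following Python performs the check the audit relies on offline: it maps each trail from a describe-trails result to its S3BucketName, flags ACL grants to the AllUsers or AuthenticatedUsers groups in the matching get-bucket-acl result, and attaches the put-bucket-acl command that resets the ACL to owner-only for the remediation. The trail names, bucket names and ACL documents are constructed samples; in a real audit the same dictionaries come from `aws cloudtrail describe-trails` and `aws s3api get-bucket-acl`.

```python
# Group URIs whose presence in a grant makes the bucket ACL "public": anyone on the
# internet (AllUsers) or any AWS account holder (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_grants(acl):
    """Return (URI, permission) pairs in a get-bucket-acl result granted to
    AllUsers or AuthenticatedUsers; an empty list means no public ACL grant."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found

def audit_trails(trail_list, acls_by_bucket):
    """For each trail in a describe-trails 'trailList', check its S3BucketName's ACL
    and attach the put-bucket-acl command that resets it to owner-only when needed."""
    findings = []
    for trail in trail_list:
        bucket = trail.get("S3BucketName")
        if not bucket:  # trail does not deliver to S3; nothing to check here
            continue
        grants = public_grants(acls_by_bucket.get(bucket, {}))
        findings.append({
            "trail": trail["Name"],
            "bucket": bucket,
            "public_grants": grants,
            "fix": f"aws s3api put-bucket-acl --bucket {bucket} --acl private" if grants else None,
        })
    return findings

# Constructed sample data in the shape returned by `aws cloudtrail describe-trails`
# and `aws s3api get-bucket-acl`; trail, bucket and owner ids are placeholders.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs-public"},
    {"Name": "dev-trail", "S3BucketName": "example-cloudtrail-logs-private"},
]
SAMPLE_ACLS = {
    "example-cloudtrail-logs-public": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ]},
    "example-cloudtrail-logs-private": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    ]},
}
```

An ACL-level check does not cover a bucket policy that grants public access, so review the bucket policy alongside the ACL. Resetting the ACL to private does not break log delivery, because CloudTrail writes to the bucket through the bucket policy rather than through ACL grants.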
References
- AWS Documentation
  - How AWS CloudTrail Works
  - CloudTrail Concepts
  - Amazon S3 Bucket Policy for CloudTrail
  - Managing Access Permissions to Your Amazon S3 Resources
  - Access Control List (ACL) Overview
  - Editing Bucket Permissions
- AWS Command Line Interface (CLI) Documentation
  - get-bucket-acl
  - describe-trails
  - put-bucket-acl
Rule: CloudTrail Bucket Publicly Accessible
Risk level: High