Logo of Trend Micro

CloudTrail Bucket Publicly Accessible

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: CT-003

Check for any AWS CloudTrail logging buckets that are publicly accessible, in order to determine if your AWS account could be at risk.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using an overly permissive or insecure set of permissions for your CloudTrail logging S3 buckets could provide malicious users access to your AWS account log data which can increase exponentially the risk of unauthorized access.

Audit

To determine if your CloudTrail logging buckets are publicly accessible, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05Under S3 section check for the S3 bucket name:

Under S3 section check for the S3 bucket name

used to store log data.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07Select the S3 bucket used by the CloudTrail trail, then click the Properties tab from the right panel: Select the S3 bucket used by the CloudTrail trail, then click the Properties tab from the right panel

08 In the Properties panel, click the Permissions tab and search for any grantee group with the name "Everyone". The grantee called "Everyone" is the AWS S3 predefined group that grants anonymous access. If this grantee has one or more permissions enabled: If this grantee has one or more permissions enabled, the selected S3 bucket is publicly accessible and rendered as insecure.

Using AWS CLI

01 Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region: 

aws cloudtrail describe-trails

02 The command output should expose the name of each S3 bucket used for logging by the AWS CloudTrail:

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03Run get-bucket-acl command (OSX/Linux/UNIX) to list the selected S3 bucket grantee permissions: 

aws s3api get-bucket-acl
	--bucket cloudtrail-global-logging

04The command output should expose the bucket grantee users and groups permissions. If the grantee group URI is “http://acs.amazonaws.com/groups/global/AllUsers” and it has one or more permissions associated (READ, WRITE, READ_ACP, WRITE_ACP), the selected bucket is publicly accessible and insecure. 

{

    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "WRITE"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ_ACP"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "WRITE_ACP"
        }
    ]
}

Remediation / Resolution

To remove public access to your CloudTrail logging bucket, you need to perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.

03 In the left navigation panel, select Trails.

04 Under Name column, select the trail name that you need to examine.

05 Under S3 section check for the S3 bucket name:

Under S3 section check for the S3 bucket name

used to store log data.

06 Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.

07Select the S3 bucket used by the CloudTrail trail, then click the Properties tab from the right panel:

Select the S3 bucket used by the CloudTrail trail, then click the Properties tab from the right panel

08 In the Properties panel, click the Permissions tab and search for any grantee group with the name "Everyone".

09 Uncheck all the permissions granted to "Everyone" predefined group:

Uncheck all the permissions granted to 'Everyone'

or delete the group using the x button from the right:

delete the group using the x button from the right

10 Click Save to save the new ACL (Access Control List) configuration. This removes all public access granted to the selected S3 bucket.

Using AWS CLI

01Run describe-trails command (OSX/Linux/UNIX) to list all CloudTrail trails available in the selected AWS region: 

aws cloudtrail describe-trails

02The command output should expose the name of each S3 bucket used for logging data in CloudTrail: 

{
    "trailList": [
        {
            "IncludeGlobalServiceEvents": true,
            "Name": "MyCloudTrail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:
                         123456789012:trail/MyCloudTrail",
            "LogFileValidationEnabled": false,
            "IsMultiRegionTrail": true,
            "S3BucketName": "cloudtrail-global-logging",
            "HomeRegion": "us-east-1"
        }
    ]
}

03Run put-bucket-acl command (OSX/Linux/UNIX) to remove all public access granted to the selected S3 bucket: 

aws s3api put-bucket-acl
	--bucket cloudtrail-global-logging
	--acl private

References

Publication date Apr 16, 2016

Related CloudTrail rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

CloudTrail Bucket Publicly Accessible

Risk level: High