Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

S3 Bucket Logging Enabled

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieve)
Rule ID: S3-011

Ensure that Server Access Logging feature is enabled for your Amazon S3 buckets in order to track access requests useful for security and access audits. By default, Server Access Logging is not enabled for S3 buckets.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

The Server Access Logging feature provides detailed records for the requests that are made to your Amazon S3 buckets. The log data includes the request type, the resources that are specified in the request, and the time and date that the request was processed. Once enabled, the feature can provide useful data for security and compliance audits, and can help you learn about your user base and understand your Amazon S3 bill.

Audit

To determine if Server Access Logging is enabled for your S3 buckets, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Server access logging section, check the Server access logging configuration attribute value. If the attribute value is set to Disabled, the Server Access Logging feature is not enabled for the selected Amazon S3 bucket.

06 Repeat steps no. 3 – 5 to determine the Server Access Logging feature status for other Amazon S3 buckets available within your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS cloud account: 

aws s3api list-buckets
	--query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names: 

[
    "cc-prod-web-data",
    "cc-project5-logs"
]

03 Run get-bucket-logging command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter to describe the Server Access Logging feature configuration available for the selected S3 bucket: 

aws s3api get-bucket-logging
  --bucket cc-prod-web-data
  --query 'LoggingEnabled'

04 The command output should return the requested configuration information: 

null

If the get-bucket-logging command output returns null, as shown in the example above, the Server Access Logging feature is not enabled for the selected Amazon S3 bucket.

05 Repeat steps no. 3 and 4 to determine the Server Access Logging feature status for other Amazon S3 buckets available in your AWS cloud account.

Remediation / Resolution

To enable the Server Access Logging feature for your existing Amazon S3 buckets, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON): 

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Enable S3 Server Access Logging",
    "Resources": {
        "LogS3Bucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "cc-prod-web-data",
                "AccessControl": "Private",
                "LoggingConfiguration": {
                    "DestinationBucketName": {
                        "Ref": "LogTargetBucket"
                    },
                    "LogFilePrefix": "server-access-logs"
                }
            }
        },
        "LogTargetBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "cc-target-bucket",
                "AccessControl": "LogDeliveryWrite"
            }
        }
    }
}

02 CloudFormation template (YAML): 

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable S3 Server Access Logging
Resources:
  LogS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: cc-prod-web-data
      AccessControl: Private
      LoggingConfiguration:
        DestinationBucketName:
          Ref: LogTargetBucket
        LogFilePrefix: server-access-logs
  LogTargetBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: cc-target-bucket
      AccessControl: LogDeliveryWrite

Using Terraform

01 Terraform configuration file (.tf): 

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_s3_bucket" "log-target-bucket" {
  bucket = "cc-target-bucket"
  acl = "log-delivery-write"
}

resource "aws_s3_bucket" "logged-bucket" {
  bucket = "cc-prod-web-data"
  acl = "private"

  logging {
    target_bucket = aws_s3_bucket.log-target-bucket.id
    target_prefix = "server-access-logs/"
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Server access logging section, choose Edit to modify the feature configuration.

06 On the Edit server access logging page, perform the following actions:

  1. Choose Enable under Server access logging to enable the Server Access Logging feature for the selected Amazon S3 bucket.
  2. For Target bucket, choose Browse S3 and select the name of the destination bucket and folder for the access logs. You can use the same bucket for logs storage, however, when your source bucket and destination (target) bucket are the same, additional logs are created for the logs that are written to the bucket. These extra logs can increase your storage billing and make it harder to find the logs that you're looking for.
  3. Choose Save changes to apply the configuration changes. Once the feature is enabled, Amazon S3 console will automatically update your bucket access control list (ACL) to include access to the S3 log delivery group.

07 Repeat steps no. 3 – 6 to enable Server Access Logging feature for other Amazon S3 buckets available in your AWS cloud account.

Using AWS CLI

01 Run put-bucket-acl command (OSX/Linux/UNIX) to give the S3 log delivery group WRITE and READ_ACP permissions to the destination (target) bucket (the command should not return an output): 

aws s3api put-bucket-acl
  --bucket cc-access-logs-bucket
  --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery
  --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

02 Define the required access policy and specify the necessary permissions for who can view and modify the Server Access Logging parameters. Paste the following policy document to a JSON file named server-access-logging-config.json and replace the configuration details (bucket name, prefix, and grantee) with your own details. In the following policy example, the AWS user admin@cloudconformity.com will have full control over the log files, and no one else has access: 

{
  "LoggingEnabled": {
    "TargetBucket": "cc-access-logs-bucket",
    "TargetPrefix": "s3-server-logs/",
    "TargetGrants": [
      {
        "Grantee": {
          "Type": "AmazonCustomerByEmail",
          "EmailAddress": "admin@cloudconformity.com"
        },
        "Permission": "FULL_CONTROL"
      }
    ]
  }
}

03 Run put-bucket-logging command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to reconfigure as the identifier parameter and the logging policy defined at the previous step, to enable the Server Access Logging feature for the specified S3 bucket (if successful, the command should not return an output): 

aws s3api put-bucket-logging
  --bucket cc-prod-web-data
  --bucket-logging-status file://server-access-logging-config.json

04 Repeat steps no. 1 – 3 to enable Server Access Logging feature for other Amazon S3 buckets available within your AWS cloud account.

References

Publication date May 10, 2016

Related S3 rules