
Configure Different S3 Bucket for Server Access Logging Storage

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)

Ensure that Amazon S3 Server Access Logging feature is not configured to use the same S3 bucket for both the source bucket – the S3 bucket where you have access logging enabled, and the target bucket – the bucket where you want the access logs to be saved. For easy and efficient log management, Trend Cloud One™ – Conformity strongly recommends saving access logs in a different S3 bucket.

Cost optimisation, Performance efficiency

When the source bucket and the target bucket are the same S3 bucket, the Server Access Logging feature generates additional log records for the log files that it writes to the bucket. This behavior is not ideal for most use cases because it can lead to an increase in your Amazon S3 storage costs. In addition, saving these extra logs in the same location as the access logs can make it harder to find the log files that you are looking for.


Audit

To determine if Amazon S3 Server Access Logging feature is configured to use the same S3 bucket for the source and target bucket, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Server access logging section, make sure that the Server access logging attribute value is set to Enabled, then choose Edit to access the S3 Server Access Logging configuration.

06 Check the name of the S3 bucket defined in the Target bucket configuration box. If the name of the target bucket is the same as the source bucket selected at step no. 3, the Amazon S3 Server Access Logging feature is configured to use the same S3 bucket for both the source bucket and the target bucket, therefore the feature configuration is not compliant.

07 Repeat steps no. 3 – 6 to verify the S3 Server Access Logging feature configuration for other Amazon S3 buckets available within your AWS cloud account.

Using AWS CLI

01 Run the list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available within your AWS cloud account:

aws s3api list-buckets \
  --query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
	"cc-project5-appdata",
	"cc-internal-appdata"
]

03 Run the get-bucket-logging command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter and custom query filters to describe the name of the target bucket configured for the selected S3 bucket:

aws s3api get-bucket-logging \
  --bucket cc-project5-appdata \
  --query 'LoggingEnabled.TargetBucket'

04 The command output should return the name of the associated target bucket:

"cc-project5-appdata"

If the get-bucket-logging command does not produce an output, the S3 Server Access Logging feature is not enabled for the selected bucket. If the name of the target bucket is the same as the source bucket selected at step no. 3, as shown in the example above, the Amazon S3 Server Access Logging feature is configured to use the same S3 bucket for both the source bucket and the target bucket, therefore the feature configuration is not compliant.

05 Repeat steps no. 3 and 4 to check the S3 Server Access Logging feature configuration for other Amazon S3 buckets available within your AWS cloud account.

Remediation/Resolution

To configure a different bucket as target bucket for the Amazon S3 Server Access Logging feature storage, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure Different S3 Bucket for Server Access Logging Storage",
	"Resources": {
		"LogS3Bucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": "cc-project5-appdata",
				"AccessControl": "Private",
				"LoggingConfiguration": {
					"DestinationBucketName": {
						"Ref": "LogTargetBucket"
					},
					"LogFilePrefix": "s3-access-logs/"
				}
			}
		},
		"LogTargetBucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": "cc-project5-access-logs",
				"AccessControl": "LogDeliveryWrite"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure Different S3 Bucket for Server Access Logging Storage
Resources:
  LogS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: cc-project5-appdata
      AccessControl: Private
      LoggingConfiguration:
        DestinationBucketName: !Ref 'LogTargetBucket'
        LogFilePrefix: s3-access-logs/
  LogTargetBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: cc-project5-access-logs
      AccessControl: LogDeliveryWrite

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_s3_bucket" "log-target-bucket" {
  bucket = "cc-project5-access-logs"
  acl    = "log-delivery-write"
}

resource "aws_s3_bucket" "logged-s3-bucket" {
  bucket = "cc-project5-appdata"
  acl    = "private"

  logging {
    target_bucket = aws_s3_bucket.log-target-bucket.id
    target_prefix = "s3-access-logs/"
  }
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Choose Create bucket from the console top menu to create a new Amazon S3 bucket.

04 On the Create bucket setup page, perform the following operations:

  1. For General configuration:
    • Provide a unique name for your new S3 bucket in the Bucket name box.
    • From the AWS Region dropdown list, select the AWS cloud region where the new S3 bucket will be created (must match the source bucket region).
  2. For Block Public Access settings for bucket, select Block all public access to ensure that all public access to this bucket and its objects is blocked. For more details about this feature, see this conformity rule.
  3. For Bucket Versioning, choose whether to enable bucket versioning for the new bucket.
  4. (Optional) For Tags, use the Add tag button to create and apply user-defined tags to the S3 bucket. You can track storage cost and other criteria by tagging your bucket.
  5. For Default encryption, select Enable under Server-side encryption, and choose one of the encryption key types available, based on your requirements. For more details about Amazon S3 Server-Side Encryption (SSE), see this conformity rule.
  6. For Advanced settings, choose whether or not to enable the Object Lock feature. For more details about Amazon S3 Object Lock, see this conformity rule.
  7. Choose Create bucket to create your new Amazon S3 bucket.

05 Click on the name of the newly created Amazon S3 bucket.

06 Select the Permissions tab from the console menu to access the bucket permissions.

07 In the Access control list (ACL) section, choose Edit to modify the Access Control List (ACL) configuration for the new S3 bucket.

08 Under Access control list (ACL), select the Write permission checkbox available next to the S3 log delivery group grantee in the Objects column, to grant the Amazon S3 Log Delivery Group permission to write to the new target bucket. Select the I understand the effects of these changes on my objects and buckets checkbox for confirmation, then choose Save changes to apply the changes.

09 Return to the Buckets listing page and click on the name of the source bucket that you want to reconfigure (see Audit section part I to identify the right S3 resource).

10 Select the Properties tab from the console menu to access the bucket properties.

11 In the Server access logging section, choose Edit to modify the feature configuration.

12 On the Edit server access logging page, perform the following actions:

  1. For Target bucket, choose Browse S3 and select the name of the target bucket created and configured at the previous steps. (Optional) If required, you can add a prefix to your target bucket.
  2. Choose Save changes to apply the configuration changes.

13 Repeat steps no. 3 – 12 for each Amazon S3 bucket that you want to configure with a different target bucket, available in your AWS cloud account.

Using AWS CLI

01 Run the create-bucket command (OSX/Linux/UNIX) to create the target bucket required for the Amazon S3 Server Access Logging feature storage:

aws s3api create-bucket \
  --bucket cc-project5-access-logs \
  --region us-east-1 \
  --acl private

02 The command output should return the name of the newly created S3 bucket:

{
	"Location": "/cc-project5-access-logs"
}

03 Run the put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Public Access Block feature for the new Amazon S3 bucket (the command should not produce an output):

aws s3api put-public-access-block \
  --region us-east-1 \
  --bucket cc-project5-access-logs \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

04 Run the put-bucket-acl command (OSX/Linux/UNIX) to give the Amazon S3 Log Delivery Group WRITE and READ_ACP permissions on the new target bucket (the command should not return an output):

aws s3api put-bucket-acl \
  --bucket cc-project5-access-logs \
  --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \
  --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

05 Define the required access policy and specify the necessary permissions for who can view and modify the S3 Server Access Logging feature parameters. Paste the following policy document into a JSON file named server-access-logging-config.json and replace the configuration details (bucket name, prefix, and grantee) with your own details. In the following policy example, the user will have full control over the log files, and no one else has access:

{
	"LoggingEnabled": {
		"TargetBucket": "cc-project5-access-logs",
		"TargetPrefix": "s3-access-logs/",
		"TargetGrants": [
			{
				"Grantee": {
					"Type": "AmazonCustomerByEmail",
					"EmailAddress": "admin@trendmicro.com"
				},
				"Permission": "FULL_CONTROL"
			}
		]
	}
}

06 Run the put-bucket-logging command (OSX/Linux/UNIX) using the name of the source bucket that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right S3 resource) and the logging policy defined at the previous step (i.e. server-access-logging-config.json), to update the S3 Server Access Logging feature configuration for the specified S3 bucket (if successful, the command should not return an output):

aws s3api put-bucket-logging \
  --bucket cc-project5-appdata \
  --bucket-logging-status file://server-access-logging-config.json

07 Repeat steps no. 1 – 6 for each Amazon S3 bucket that you want to configure with a different target bucket, available within your AWS cloud account.
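The Audit (AWS CLI) check and the Remediation (AWS CLI) steps above, combined into one script as an added example (not part of the original Conformity page): it classifies every bucket from its get-bucket-logging response and, for each non-compliant bucket, emits the document that put-bucket-logging expects. The sample responses are constructed; the boto3 helper assumes boto3 is installed and AWS credentials are configured.

```python
"""Audit S3 Server Access Logging targets and build the remediation payload.

Constructed sample data stands in for the output of
`aws s3api get-bucket-logging` (an empty dict means logging is disabled).
"""
import json

# Constructed sample: bucket name -> get-bucket-logging response body.
SAMPLE_LOGGING = {
    "cc-project5-appdata": {"LoggingEnabled": {"TargetBucket": "cc-project5-appdata", "TargetPrefix": ""}},
    "cc-internal-appdata": {"LoggingEnabled": {"TargetBucket": "cc-project5-access-logs", "TargetPrefix": "s3-access-logs/"}},
    "cc-project5-access-logs": {},
}


def classify(bucket, logging_response):
    """Return NOT_ENABLED, NON_COMPLIANT (target == source) or COMPLIANT."""
    enabled = logging_response.get("LoggingEnabled")
    if not enabled:
        return "NOT_ENABLED"
    return "NON_COMPLIANT" if enabled.get("TargetBucket") == bucket else "COMPLIANT"


def audit(logging_by_bucket):
    """Classify every bucket; returns {bucket: status}."""
    return {b: classify(b, r) for b, r in logging_by_bucket.items()}


def build_logging_status(source_bucket, target_bucket, prefix):
    """Build the --bucket-logging-status document for put-bucket-logging.
    Refuses a target equal to the source so the fix cannot re-create the finding."""
    if target_bucket == source_bucket:
        raise ValueError("target bucket must differ from source bucket")
    return {"LoggingEnabled": {"TargetBucket": target_bucket, "TargetPrefix": prefix}}


def fetch_logging_with_boto3():
    """Live variant (assumption: boto3 installed and AWS credentials configured)."""
    import boto3  # imported here so the offline functions above need no boto3
    s3 = boto3.client("s3")
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return {n: s3.get_bucket_logging(Bucket=n) for n in names}


if __name__ == "__main__":
    for bucket, status in audit(SAMPLE_LOGGING).items():
        print(f"{bucket}: {status}")
        if status == "NON_COMPLIANT":
            doc = build_logging_status(bucket, "cc-project5-access-logs", "s3-access-logs/")
            print(json.dumps(doc, indent=2))  # paste into server-access-logging-config.json
```

Replace `SAMPLE_LOGGING` with `fetch_logging_with_boto3()` to run the same audit against a real account; the boto3 responses carry an extra ResponseMetadata key, which `classify` ignores.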


Publication date Sep 5, 2023