Configure Different S3 Bucket for Server Access Logging Storage

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Properties tab from the console menu to access the bucket properties.

05 In the Server access logging section, make sure that the Server access logging attribute value is set to Enabled , then choose Edit to access theS3 Server Access Logging configuration.

06 Check the name of the S3 bucket defined in the Target bucket configuration box. If the name of the target bucket is the same as the source bucket selected at step no 3, the Amazon S3 Server Access Logging feature is configured to use the same S3 bucket for both the source bucket and the target bucket, therefore the feature configuration is not compliant.

07 Repeat steps no. 3 – 6 to verify the S3 Server Access Logging feature configuration for other Amazon S3 buckets available within your AWS cloud account.

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available within your AWS cloud account:

aws s3api list-buckets 
  --query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
	"cc-project5-appdata",
	"cc-internal-appdata"
]

03 Run get-bucket-logging command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter and custom query filters to describe the name of the target bucket configured for the selected S3 bucket:

aws s3api get-bucket-logging 
  --bucket cc-project5-appdata 
  --query 'LoggingEnabled.TargetBucket'

04 The command output should return the name of the associated target bucket:

"cc-project5-appdata"

05 Repeat steps no. 3 and 4 to check the S3 Server Access Logging feature configuration for other Amazon S3 buckets available within your AWS cloud account.

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure Different S3 Bucket for Server Access Logging Storage",
	"Resources": {
		"LogS3Bucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": "cc-project5-appdata",
				"AccessControl": "Private",
				"LoggingConfiguration": {
					"DestinationBucketName": {
						"Ref": "LogTargetBucket"
					},
					"LogFilePrefix": "s3-access-logs/"
				}
			}
		},
		"LogTargetBucket": {
			"Type": "AWS::S3::Bucket",
			"Properties": {
				"BucketName": "cc-project5-access-logs",
				"AccessControl": "LogDeliveryWrite"
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Configure Different S3 Bucket for Server Access Logging Storage
	Resources:
	LogS3Bucket:
		Type: AWS::S3::Bucket
		Properties:
		BucketName: cc-project5-appdata
		AccessControl: Private
		LoggingConfiguration:
			DestinationBucketName: !Ref 'LogTargetBucket'
			LogFilePrefix: s3-access-logs/
	LogTargetBucket:
		Type: AWS::S3::Bucket
		Properties:
		BucketName: cc-project5-access-logs
		AccessControl: LogDeliveryWrite

01 Terraform configuration file (.tf):

	terraform {
		required_providers {
			aws = {
				source  = "hashicorp/aws"
				version = "~> 3.27"
			}
		}

		required_version = ">= 0.14.9"
	}

	provider "aws" {
		profile = "default"
		region  = "us-east-1"
	}

	resource "aws_s3_bucket" "log-target-bucket" {
		bucket = "cc-project5-access-logs"
		acl = "log-delivery-write"
	}

	resource "aws_s3_bucket" "logged-s3-bucket" {
		bucket = "cc-project5-appdata"
		acl = "private"

		logging {
			target_bucket = aws_s3_bucket.log-target-bucket.id
			target_prefix = "s3-access-logs/"
		}
	}

01 Sign in to AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Choose Create bucket from the console top menu to create a new Amazon S3 bucket.

04 On the Create bucket setup page, perform the following operations:

1. For General configuration :
   • Provide a unique name for your new S3 bucket in the Bucket name box.
   • From the AWS Region dropdown list, select the AWS cloud region where the new S3 bucket will be created (must match the source bucket region).
2. For Block Public Access settings for bucket , select Block all public access to ensure that all public access to this bucket and its objects is blocked. For more details about this feature, see this conformity rule.
3. For Bucket Versioning , choose whether to enable bucket versioning for the new bucket.
4. (Optional) For Tags , use the Add tag button to create and apply user-defined tags to the S3 bucket. You can track storage cost and other criteria by tagging your bucket.
5. For Default encryption , select Enable under Server-side encryption , and choose one of the encryption key types available, based on your requirements. For more details about Amazon S3 Server-Side Encryption (SSE), see this conformity rule.
6. For Advanced settings , choose whether or not to enable Object Lock feature. For more details about Amazon S3 Object Lock, see this conformity rule.
7. Choose Create bucket to create your new Amazon S3 bucket.

05 Click on the name of the newly created Amazon S3 bucket.

06 Select the Permissions tab from the console menu to access the bucket permissions.

07 In the Access control list (ACL) section, choose Edit to modify the Access Control List (ACL) configuration for the new S3 bucket.

08 Under Access control list (ACL), select the Write permission checkbox available next to the S3 log delivery group grantee in the Objects column, to grant Amazon S3 Log Delivery Group the permission to write on the new target bucket. Select I understand the effects of these changes on my objects and buckets checkbox for confirmation, then choose Save changes to apply the changes.

09 Return to the Buckets listing page and click on the name of the source bucket that you want to reconfigure (see Audit section part I to identify the right S3 resource).

10 Select the Properties tab from the console menu to access the bucket properties.

11 In the Server access logging section, choose Edit to modify the feature configuration.

12 On the Edit server access logging page, perform the following actions:

1. For Target bucket , choose Browse S3 and select the name of the target bucket created and configured at the previous steps. (Optional) If required, you can add a prefix to your target bucket.
2. Choose Save changes to apply the configuration changes.

13 Repeat steps no. 3 – 12 for each Amazon S3 bucket that you want to configure with a different target bucket, available in your AWS cloud account.

01 Run create-bucket command (OSX/Linux/UNIX) to create the target bucket required for the Amazon S3 Server Access Logging feature storage:

aws s3api create-bucket 
  --bucket cc-project5-access-logs 
  --region us-east-1 
  --acl private

02 The command output should return the name of the newly created S3 bucket:

{
	"Location": "/cc-project5-access-logs"
}

03 Run put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Public Access Block feature for the new Amazon S3 bucket (the command should not produce an output):

aws s3api put-public-access-block 
  --region us-east-1 
  --bucket cc-project5-access-logs 
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

04 Run put-bucket-acl command (OSX/Linux/UNIX) to give the Amazon S3 Log Delivery Group WRITE and READ_ACP permissions to the new target bucket (the command should not return an output):

aws s3api put-bucket-acl 
  --bucket cc-project5-access-logs 
  --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery 
  --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

05 Define the required access policy and specify the necessary permissions for who can view and modify the S3 Server Access Logging feature parameters. Paste the following policy document to a JSON file named **server-access-logging-config.json** and replace the configuration details (bucket name, prefix, and grantee) with your own details. In the following policy example, the user will have full control over the log files, and no one else has access:

{
	"LoggingEnabled": {
		"TargetBucket": "cc-project5-access-logs",
		"TargetPrefix": "s3-access-logs/",
		"TargetGrants": [
		{
			"Grantee": {
				"Type": "AmazonCustomerByEmail",
				"EmailAddress": "admin@trendmicro.com"
			},
			"Permission": "FULL_CONTROL"
		}
		]
	}
}

06 Run put-bucket-logging command (OSX/Linux/UNIX) using the name of the source bucket that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right S3 resource) and the logging policy defined at the previous step (i.e. server-access-logging-config.json), to update the S3 Server Access Logging feature configuration for the specified S3 bucket (if successful, the command should not return an output):

aws s3api put-bucket-logging 
  --bucket cc-project5-appdata 
  --bucket-logging-status file://server-access-logging-config.json

07 Repeat steps no. 1 – 6 for each Amazon S3 bucket that you want to configure with a different target bucket, available within your AWS cloud account.