Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible without a condition
Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.LOG.08
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
S3Bucket where policy.Statement contain [Principal.Service='cloudtrail.amazonaws.com'] should not have ( acl.grants contain [uri like 'http://acs.amazonaws.com/groups/global/%'] or policy.Statement with [Effect='Allow' and (Principal='*' or Principal.AWS='*') and Condition isEmpty()])
REMEDIATION
From Portal
Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy:
- Go to Amazon S3 console at https://console.aws.amazon.com/s3/home
- Click on the bucket used to store CloudTrail logs and select the Permissions tab.
- Ensure Block public access is enabled for that bucket.
- Then go to the Access control list section. It shows the grants in the bucket ACL, one row per grant; each row identifies the grantee and the permissions granted.
- Select the row that grants permission to Everyone or Any Authenticated User.
- Uncheck all the permissions granted to Everyone or Any Authenticated User (or click x to delete the row).
- Click Save to save the ACL.
- If the Edit bucket policy button is present, click it.
- Remove any Statement having an Effect set to Allow and a Principal set to '*' or {'AWS' : '*'}.
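The following Python script is an added example; it is not part of the CloudGuard rule or its documentation. It evaluates a bucket's policy and ACL, in the shapes returned by aws s3api get-bucket-policy and aws s3api get-bucket-acl, against the GSL logic above, so the conditions the Portal steps tell you to look for (global-group ACL grants, and Allow statements with Principal '*' or {'AWS' : '*'} and no Condition) can be checked offline before and after remediation. It also builds the conditioned CloudTrail delivery policy that the Terraform and command-line sections below apply. The bucket name, account ID, trail ARN and canonical owner ID are constructed placeholders; the hardened policy follows the shape AWS documents for CloudTrail log buckets, and its DenyInsecureTransport statement is an extra illustration that a wildcard principal on a Deny is not what the rule flags. The check goes one step beyond the GSL text by also treating a list principal such as {"AWS": ["*"]} as public, which is how IAM evaluates it.

```python
"""Offline check mirroring the GSL logic of CloudGuard rule D9.AWS.LOG.08.

Added example, not CloudGuard code.  A bucket is in scope when its policy grants
something to the CloudTrail service principal; it fails when its ACL grants to a
global group, or an Allow statement has Principal "*" / {"AWS": "*"} and no Condition.
Inputs use the shapes returned by `aws s3api get-bucket-policy` and `get-bucket-acl`.
"""
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
GLOBAL_GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_cloudtrail_log_bucket(policy):
    """True when any statement names the CloudTrail service as a principal."""
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and CLOUDTRAIL_SERVICE in _as_list(principal.get("Service")):
            return True
    return False


def public_acl_grants(acl):
    """ACL grants to the global groups (Everyone / Any Authenticated User)."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI", "").startswith(GLOBAL_GROUP_PREFIX)]


def unconditioned_public_statements(policy):
    """Allow statements open to everyone with no Condition narrowing them.
    Goes beyond the GSL text by also treating {"AWS": ["*"]} as public, as IAM does."""
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        is_public = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if stmt.get("Effect") == "Allow" and is_public and not stmt.get("Condition"):
            flagged.append(stmt)
    return flagged


def evaluate_bucket(policy, acl):
    """Return (compliant, findings); buckets outside the rule's scope pass with a note."""
    if not is_cloudtrail_log_bucket(policy):
        return True, ["not a CloudTrail log bucket; rule does not apply"]
    findings = [f"ACL grants {g['Permission']} to {g['Grantee']['URI']}"
                for g in public_acl_grants(acl)]
    findings += [f"statement {s.get('Sid', '<no Sid>')} allows Principal * without a Condition"
                 for s in unconditioned_public_statements(policy)]
    return not findings, findings


def cloudtrail_bucket_policy(bucket, account_id, trail_arn):
    """Conditioned CloudTrail delivery policy in the shape AWS documents for log buckets;
    usable as the policy.json for `aws s3api put-bucket-policy`."""
    arn = f"arn:aws:s3:::{bucket}"
    svc = {"Service": CLOUDTRAIL_SERVICE}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": svc,
         "Action": "s3:GetBucketAcl", "Resource": arn,
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}}},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": svc,
         "Action": "s3:PutObject", "Resource": f"{arn}/AWSLogs/{account_id}/*",
         "Condition": {"StringEquals": {"aws:SourceArn": trail_arn,
                                        "s3:x-amz-acl": "bucket-owner-full-control"}}},
        # A Deny with Principal "*" is not an Allow, so the rule does not flag it.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


# Constructed sample data: placeholder bucket, account, trail and canonical owner ID.
HARDENED_POLICY = cloudtrail_bucket_policy(
    "example-trail-logs", "111111111111",
    "arn:aws:cloudtrail:us-east-1:111111111111:trail/example-trail")
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"},
                              "Permission": "FULL_CONTROL"}]}
# Same bucket with an unconditioned public-read statement and an Everyone ACL grant added.
NONCOMPLIANT_POLICY = json.loads(json.dumps(HARDENED_POLICY))
NONCOMPLIANT_POLICY["Statement"].append(
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-trail-logs/*"})
NONCOMPLIANT_ACL = {"Grants": OWNER_ONLY_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": GLOBAL_GROUP_PREFIX + "AllUsers"}, "Permission": "READ"}]}

if __name__ == "__main__":
    for name, pol, acl in [("hardened", HARDENED_POLICY, OWNER_ONLY_ACL),
                           ("noncompliant", NONCOMPLIANT_POLICY, NONCOMPLIANT_ACL)]:
        ok, findings = evaluate_bucket(pol, acl)
        print(f"{name}: {'COMPLIANT' if ok else 'NON-COMPLIANT'} {findings}")
    # Contents for policy.json, then: aws s3api put-bucket-policy --bucket BUCKET_NAME --policy file://policy.json
    print(json.dumps(HARDENED_POLICY, indent=2))
```

Run with a real bucket by feeding the output of aws s3api get-bucket-policy (the Policy field, JSON-decoded) and aws s3api get-bucket-acl into evaluate_bucket; the conditioned policy printed at the end is the document the command-line remediation expects in policy.json. Note that a conditioned wildcard Allow passes this rule, as the GSL requires, so the Condition itself still needs reviewing for whether it actually restricts access.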
From TF
Add a policy document with the required permissions and an appropriate condition, as follows:
data "aws_iam_policy_document" "example" {
  ...
  statement {
    effect  = "Allow"
    actions = [
      REQUIRED_ACTIONS
    ]
    principals {
      REQUIRED_PRINCIPALS
    }
    resources = [
      "S3_BUCKET_ARN",
    ]
    condition {
      test     = TEST
      variable = CONTEXT_VARIABLE
      values = [
        VALUES
      ]
    }
  }
  ...
}
From Command Line
To add a policy with the required permissions and an appropriate condition, run:
aws s3api put-bucket-policy --bucket BUCKET_NAME --policy file://policy.json
References
- https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
- https://registry.terraform.io/providers/hashicorp/aws/3.3.0/docs/data-sources/iam_policy_document
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
- https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html
Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: websites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry.
Compliance Frameworks
- AWS CCPA Framework
- AWS CIS Controls V 8
- AWS CIS Foundations v. 1.0.0
- AWS CIS Foundations v. 1.1.0
- AWS CIS Foundations v. 1.2.0
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CIS Foundations v. 2.0.0
- AWS CSA CCM v.3.0.1
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard S3 Bucket Security
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS GDPR Readiness
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset
Updated 7 months ago