S3 bucket CloudTrail logs ACL should not allow public access
CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that access control list (ACL) applied to the S3 bucket that holds CloudTrail logs prevents public access
Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.LOG.10
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
S3Bucket where policy.Statement contain [Principal.Service='cloudtrail.amazonaws.com'] should not have ( acl.grants contain [uri like 'http://acs.amazonaws.com/groups/global/%'] )
REMEDIATION
From Portal
- Navigate to S3.
- Click the target S3 bucket.
- Select the Permissions tab.
- Click Access Control List.
- In Public access, ensure no rows exist that have the Grantee set to Everyone or the Grantee set to Any Authenticated User.
- Click Save.
- Select the Bucket Policy tab.
- Ensure the policy does not contain a Statement having an Effect set to Allow and a Principal set to or (AWS : )
Note: Principal set to or (AWS : ) allows anonymous access.
From TF
resource "aws_s3_bucket" "example" {
acl = "example1"
put other required fields here
}
Note: Ensure that terraform resource does not contain acl field value as public-read or public-read-write.
From Command Line
- Use below command to ensure the AllUsers principal privileges is not granted to that bucket:
aws s3api get-bucket-acl --bucket S3_BUCKET_NAME --query 'Grants[?Grantee.URI== `http://acs.amazonaws.com/groups/global/AllUsers`]'
```bash Terminal
2. Ensure the AuthenticatedUsers principal privileges is not granted to that bucket:
aws s3api get-bucket-acl --bucket S3_BUCKET_NAME --query 'Grants[?Grantee.URI== http://acs.amazonaws.com/groups/global/Authenticated Users
]'
3. Use following command to get the S3 Bucket Policy:
aws s3api get-bucket-policy --bucket S3_BUCKET_NAME
4. Ensure the policy does not contain a Statement having an Effect set to Allow and a Principal set to * or (AWS : *)
**References**
1. https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html
2. https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html#description
3. https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/index.html#cli-aws-cloudtrail
4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
5. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail
## Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
## Compliance Frameworks
- AWS CCPA Framework
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard S3 Bucket Security
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago