Ensure that your AWS CloudTrail logging bucket has MFA delete enabled

CloudTrail encrypts the log files it delivers with S3 server-side encryption (SSE-S3) by default. In addition, it is recommended that the S3 bucket receiving CloudTrail logs be configured with MFA Delete, so that permanently deleting a log object version, or suspending versioning on the bucket, requires a code from the bucket owner's MFA device rather than credentials alone. It is also recommended to apply a bucket policy that restricts which IAM principals are allowed to delete S3 objects.

Risk Level: Low
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.LOG.16
Covered by Spectral: Yes
Category: Storage

GSL LOGIC

S3Bucket where policy.Statement contain [Principal.Service='cloudtrail.amazonaws.com'] should not have versioning.mfaDelete=false

REMEDIATION

You cannot enable MFA Delete using the AWS Management Console. You must use the AWS Command Line Interface (AWS CLI) or the API.

From Command Line
Run the command below to enable versioning and MFA Delete on the bucket in a single call (MFA Delete requires versioning to be enabled). Only the bucket owner, authenticated as the AWS account root user with an MFA device, can enable MFA Delete, so MY_PROFILE must hold root-user credentials; an IAM user or role cannot perform this step.

aws s3api put-bucket-versioning --profile MY_PROFILE --bucket S3_BUCKET_NAME --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "MFA_DEVICE_SERIAL MFA_CODE"

--mfa (string): the serial number of the root user's MFA device, a space, and the code currently displayed on the device. For a virtual MFA device the serial number is the device ARN (arn:aws:iam::ACCOUNT_ID:mfa/DEVICE_NAME); for a hardware device it is the serial printed on the token. Quote the value, since it contains a space. Once MFA Delete is on, the same --mfa argument is required to permanently delete an object version or to change the bucket's versioning state.
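The GSL rule above and the remediation command describe the check and the fix separately. The following added example (not CloudGuard's or AWS's own code) evaluates the rule locally over the response shapes that the S3 API returns: the bucket policy as a JSON string (the Policy field of get-bucket-policy) and the versioning configuration as a Status/MFADelete object (get-bucket-versioning), then prints the remediation command for each non-compliant bucket. The bucket names, account ID and policy documents are constructed sample data. One deliberate choice: a bucket that was never versioned returns no MFADelete field at all, and the script treats that absence as Disabled, which is stricter than a literal reading of the GSL `mfaDelete=false`.

```python
import json
from typing import Any, Dict, Optional, Tuple

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def is_cloudtrail_bucket(policy_json: str) -> bool:
    """GSL predicate: policy.Statement contain [Principal.Service='cloudtrail.amazonaws.com'].

    Statement may be a single object or a list, and Principal.Service may be a
    string or a list of strings; both shapes are normalised before matching.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or a bare principal string: not a service grant
        services = principal.get("Service", [])
        if isinstance(services, str):
            services = [services]
        if CLOUDTRAIL_SERVICE in services:
            return True
    return False


def mfa_delete_enabled(versioning: Dict[str, Any]) -> bool:
    """True only when versioning is Enabled and MFADelete is explicitly Enabled.

    get-bucket-versioning omits both keys for a never-versioned bucket, so a
    missing MFADelete is read as Disabled rather than as "not set".
    """
    return versioning.get("Status") == "Enabled" and versioning.get("MFADelete") == "Enabled"


def evaluate(policy_json: Optional[str], versioning: Dict[str, Any]) -> str:
    """Return 'not-applicable' (not a CloudTrail bucket), 'compliant' or 'non-compliant'."""
    if policy_json is None or not is_cloudtrail_bucket(policy_json):
        return "not-applicable"
    return "compliant" if mfa_delete_enabled(versioning) else "non-compliant"


def remediation_command(bucket: str, mfa_serial: str, mfa_code: str) -> str:
    """Build the put-bucket-versioning call from the REMEDIATION section; --mfa is quoted because it contains a space."""
    return (
        f"aws s3api put-bucket-versioning --bucket {bucket} "
        f"--versioning-configuration Status=Enabled,MFADelete=Enabled "
        f'--mfa "{mfa_serial} {mfa_code}"'
    )


# Constructed sample data: fictitious bucket names and account ID 111122223333.
TRAIL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-trail-logs"},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": ["cloudtrail.amazonaws.com"]},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-trail-logs/AWSLogs/111122223333/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ],
})
APP_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-assets/*"}],
})

# bucket name -> (policy JSON or None, versioning configuration as returned by the API)
SAMPLE_BUCKETS: Dict[str, Tuple[Optional[str], Dict[str, Any]]] = {
    "example-trail-logs": (TRAIL_POLICY, {"Status": "Enabled", "MFADelete": "Disabled"}),
    "example-trail-logs-legacy": (TRAIL_POLICY, {}),  # never versioned: both keys absent
    "example-trail-logs-hardened": (TRAIL_POLICY, {"Status": "Enabled", "MFADelete": "Enabled"}),
    "example-app-assets": (APP_POLICY, {"Status": "Suspended"}),
    "example-no-policy": (None, {}),
}


def audit(buckets=SAMPLE_BUCKETS) -> Dict[str, str]:
    """Evaluate every bucket and return its verdict keyed by bucket name."""
    return {name: evaluate(policy, versioning) for name, (policy, versioning) in buckets.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
        if verdict == "non-compliant":
            print("   ", remediation_command(name, "arn:aws:iam::111122223333:mfa/root-account-mfa-device", "123456"))
```

After running the remediation command for a flagged bucket, re-read its configuration with `aws s3api get-bucket-versioning --bucket S3_BUCKET_NAME`; the response should now show both Status and MFADelete as Enabled, which is exactly the condition `mfa_delete_enabled` checks.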

References
https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html
https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset