Ensure that Object-level logging for read events is enabled for S3 bucket

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. Object-level logging is managed by CloudTrail, so this rule reports its results against the CloudTrail entity. By default, CloudTrail trails don't log data events, so it is recommended to enable object-level logging for S3 buckets. Enabling object-level logging helps you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account, and take immediate action on any object-level API activity using Amazon CloudWatch Events.

Risk Level: Low
Cloud Entity: CloudTrail
CloudGuard Rule ID: D9.AWS.LOG.24
Covered by Spectral: No
Category: Management Tools

GSL LOGIC

CloudTrail should have (eventSelectors contain [ dataResources contain [type like 'AWS::S3::Object' ] ]) and (eventSelectors contain [ readWriteType = 'ReadOnly' or readWriteType = 'All'])

REMEDIATION

From Portal

  1. Log in to the AWS Management Console and navigate to the S3 dashboard at https://console.aws.amazon.com/s3/
  2. In the left navigation panel, click Buckets and then click the name of the S3 bucket that you want to examine.
  3. Click the Properties tab to see the detailed bucket configuration.
  4. Under the Object-level logging setting, enter the name of the CloudTrail trail that will record the activity. You can choose an existing trail or create a new one in the CloudTrail console at https://console.aws.amazon.com/cloudtrail/
  5. Once the trail is selected, check the Read event checkbox so that object-level logging for Read events is enabled.
  6. Repeat steps 2 to 5 to enable object-level logging of read events for the other S3 buckets.

From Command Line

  1. To enable object-level data event logging for an S3 bucket in your AWS account, run the put-event-selectors command with the name of the trail you want to reconfigure as the identifier:
     aws cloudtrail put-event-selectors --region REGION_NAME --trail-name TRAIL_NAME --event-selectors '[{ "ReadWriteType": "ReadOnly", "IncludeManagementEvents": true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::S3-BUCKET-NAME/"] }] }]'
  2. The command output is the trail's updated object-level event selector configuration.
  3. To enable it for all buckets at once, change the Values parameter in the command above to ["arn:aws:s3"].
  4. Otherwise, repeat step 1 for each S3 bucket whose object-level logging of read events should be updated.
  5. Change the AWS region by updating the --region parameter and repeat the process for the other regions.
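To verify a trail's configuration after running the commands above (or before, during an audit), the following added Python script, which is not part of the CloudGuard rule or of any AWS tooling, applies the GSL logic above to the EventSelectors list that `aws cloudtrail get-event-selectors --trail-name TRAIL_NAME` returns. The sample selectors are constructed; it checks both conditions on the same selector and can optionally confirm that a named bucket is covered.

```python
from typing import Optional

S3_OBJECT = "AWS::S3::Object"
ALL_BUCKETS = "arn:aws:s3"        # Values entry that selects every bucket (CLI step 3 above)
READ_TYPES = ("ReadOnly", "All")  # ReadWriteType values that include GetObject-style reads


def value_covers_bucket(value: str, bucket: str) -> bool:
    """True if a DataResources value logs every object in `bucket`.
    'arn:aws:s3' covers all buckets and 'arn:aws:s3:::BUCKET/' one bucket; a value with
    an object prefix after the slash only covers part of the bucket and does not count."""
    return value in (ALL_BUCKETS, f"arn:aws:s3:::{bucket}/")


def selector_logs_s3_reads(selector: dict, bucket: Optional[str] = None) -> bool:
    """A selector satisfies the rule if it has ReadOnly/All AND an S3 object resource.
    Both are checked on the same selector. The GSL above evaluates its two `contain`
    clauses independently, so one WriteOnly selector for S3 plus a separate ReadOnly
    selector without S3 resources would pass it without logging any object reads."""
    if selector.get("ReadWriteType") not in READ_TYPES:
        return False
    for res in selector.get("DataResources", []):
        if res.get("Type") != S3_OBJECT:
            continue
        if bucket is None or any(value_covers_bucket(v, bucket) for v in res.get("Values", [])):
            return True
    return False


def s3_read_logging_enabled(event_selectors: list, bucket: Optional[str] = None) -> bool:
    """Trail verdict: pass if any selector logs S3 object reads (for `bucket`, if given)."""
    return any(selector_logs_s3_reads(s, bucket) for s in event_selectors)


# Constructed samples shaped like the "EventSelectors" field of get-event-selectors output.
COMPLIANT = [{"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,
              "DataResources": [{"Type": S3_OBJECT, "Values": ["arn:aws:s3:::example-bucket/"]}]}]
# CloudTrail default: management events only, no data events.
DEFAULT = [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]
# Write-only S3 data events plus an unrelated ReadOnly selector: object reads are not logged.
SPLIT = [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
          "DataResources": [{"Type": S3_OBJECT, "Values": [ALL_BUCKETS]}]},
         {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True, "DataResources": []}]

if __name__ == "__main__":
    for name, selectors in (("compliant", COMPLIANT), ("default", DEFAULT), ("split", SPLIT)):
        print(f"{name}: {'PASS' if s3_read_logging_enabled(selectors) else 'FAIL'}")
```

Trails that use AdvancedEventSelectors instead return an empty EventSelectors list and need a separate check of those selectors.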

From CFT

  1. Use the resource AWS::CloudTrail::Trail and make sure the template sets the values below for the respective properties.
     The property ReadWriteType should be set to either 'ReadOnly' or 'All'.

Resources:
  Trail:
    Type: AWS::CloudTrail::Trail
    Properties:
      ...
      EventSelectors:
        - DataResources:
            - Type: AWS::S3::Object
              Values:
                - arn:aws:s3:::BUCKET/
          IncludeManagementEvents: true
          ReadWriteType: ReadOnly
      ...

From TF

  1. Use the resource 'aws_cloudtrail' and make sure the template sets the values below for the respective arguments.
     The argument read_write_type should be set to either 'ReadOnly' or 'All'.

resource "aws_cloudtrail" "example" {
  ...
  event_selector {
    read_write_type           = "ReadOnly"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::BUCKET/"]
    }
  }
  ...
}

References

  1. https://workbench.cisecurity.org/sections/615824/recommendations/1009551
  2. https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html
  3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail

CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

Compliance Frameworks

  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset