Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.

Risk Level: High
Cloud Entity: CloudTrail
CloudGuard Rule ID: D9.TF.AWS.LOG.07
Covered by Spectral: No
Category: Management Tools


aws_cloudtrail should not have getResource('aws_s3_bucket',s3_bucket_name) contain [acl = 'public-read-write' or acl = 'public-read']


  1. Get the name of the S3 bucket that CloudTrail is logging to aws cloudtrail describe-trails --query trailList[*].S3BucketName 2. Ensure the AllUsers principal is not granted privileges to that <bucket> aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query Grants 3. Ensure the AuthenticatedUsers principal is not granted privileges to that <bucket>aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query Grants 4. Get the S3 Bucket Policy aws s3api get-bucket-policy --bucket <s3_bucket_for_cloudtrail> 5. Ensure the policy does not contain a Statement having an Effect set to Allow and a Principal set to or {AWS }


AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.

Compliance Frameworks

  • Terraform AWS CIS Foundations