Ensure S3 Bucket for CloudTrail Logs Not Publicly Accessible Rule
This rule ensures that the S3 bucket used for storing CloudTrail logs is not publicly accessible.
| Rule | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible |
| Framework | cis_v130 |
| Severity | ✔ Critical |
Ensure the S3 Bucket Used to Store CloudTrail Logs is Not Publicly Accessible (CIS v1.3.0 Compliance)
The AWS CloudTrail service provides a record of actions taken by a user, role, or an AWS service. CloudTrail logs are a critical component of security and governance best practices. To ensure the protection of this sensitive information, it is vital to ensure that the S3 bucket used for storing CloudTrail logs is not publicly accessible.
AWS Compliance Requirement
The Center for Internet Security (CIS) AWS Foundations Benchmark version 1.3.0 requires that S3 buckets used for storing CloudTrail logs must not be publicly accessible. This is to reduce the risk of unauthorized data exposure.
Troubleshooting Steps
If you suspect that your S3 bucket may be publicly accessible, perform the following checks:
Review Bucket Policy
- 1.Sign in to the AWS Management Console.
- 2.Go to the Amazon S3 console.
- 3.Find the bucket used to store CloudTrail logs.
- 4.Check the bucket policy to ensure there are no statements allowing public access ('Principal' set to '*').
Inspect the Access Control List (ACL)
- 1.While in the Amazon S3 console, select the bucket.
- 2.Click on the Permissions tab.
- 3.Review the Access Control List (ACL) to ensure that the public access is not granted.
Verify Bucket Public Access Settings
- 1.On the Permissions tab, check the "Block public access" settings.
- 2.Ensure that "Block all public access" is turned On.
Check CloudTrail Configuration
- 1.Go to the CloudTrail console.
- 2.Select Trails and then click on the trail that writes to your S3 bucket.
- 3.Verify that the S3 bucket listed does not allow public access.
Remediation Steps
If you find that your S3 bucket is publicly accessible, follow these steps to remedy the situation:
Modify Bucket Policy to Restrict Public Access
- 1.Go to the Amazon S3 console and select the bucket.
- 2.Click on the Permissions tab and then click Bucket Policy.
- 3.Modify the policy to remove statements that allow public access. Ensure that only trusted accounts have access to the bucket.
CLI command to remove a public access policy (replace 'YOUR-BUCKET-NAME' with your actual bucket name):
aws s3api put-bucket-policy --bucket YOUR-BUCKET-NAME --policy "{}"
Update the Access Control List (ACL)
- 1.In the Permissions tab for your S3 bucket, under "Access control list (ACL)", click on "Edit".
- 2.Remove any grants that provide public read or write access.
Adjust Block Public Access Settings
- 1.In the Permissions tab, click on "Block public access".
- 2.Enable "Block all public access".
CLI command to block all public access:
aws s3api put-public-access-block \ --bucket YOUR-BUCKET-NAME \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
Confirm the Changes
- 1.After making these changes, repeat the checks outlined in the troubleshooting steps to confirm that public access has been effectively blocked.
By following these steps, you can ensure that your S3 bucket used for storing CloudTrail logs is not publicly accessible, maintaining compliance with the CIS AWS Foundations Benchmark v1.3.0.