This rule ensures that the S3 bucket used for CloudTrail logs is secure by not being publicly accessible.
| Rule | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible |
| Framework | cis_v150 |
| Severity | Critical |
Rule Description:
This rule, part of the cis_v150 framework, ensures that the Amazon Simple Storage Service (S3) bucket used to store CloudTrail logs is not publicly accessible. It flags any S3 bucket that receives CloudTrail logs and is publicly accessible, since exposing the logs could give unauthorized parties access to sensitive information.
Troubleshooting Steps:
If this rule fails, it indicates that the S3 bucket used for CloudTrail logs is publicly accessible. To troubleshoot and remediate this issue, follow the steps below:
1. Identify the S3 bucket associated with CloudTrail logs that is publicly accessible.
2. Ensure that the bucket policy and access control list (ACL) allow only authorized access to the bucket.
3. Review the existing bucket policy and ACL to identify any misconfigurations or incorrectly granted permissions.
4. Update the bucket policy and ACL to restrict public access and enforce proper access controls.
5. Test the changes by attempting to access the bucket from a non-authorized account or as an anonymous user to verify that access is denied.
6. Continuously monitor and audit the S3 bucket to ensure that public access is consistently denied.
Necessary Codes:
If you need to update the bucket policy or ACL, you can use the following code examples as references:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessFromOutsideAccount",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:PrincipalAccount": "your-account-id" },
        "BoolIfExists": { "aws:PrincipalIsAWSService": "false" }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
The first statement denies every principal that is not in your account (anonymous requests included); the BoolIfExists condition exempts AWS service principals so that CloudTrail itself can still deliver logs to the bucket. The second statement denies reads that are not made over TLS. Replace "your-bucket-name" and "your-account-id" with your bucket name and 12-digit AWS account ID. Note that a Deny on its own does not satisfy the rule if an ACL or another policy statement still grants public access; the ACL must also be cleaned up as described below.
Remediation Steps:
Follow these step-by-step instructions to remediate the issue according to the troubleshooting steps provided above:
1. Identify the publicly accessible S3 bucket associated with CloudTrail logs.
2. Open the AWS S3 Management Console.
3. Navigate to the bucket that needs fixing.
4. Review the bucket policy and ACL settings for the identified bucket.
5. Update the bucket policy to deny public access and allow only authorized users or roles. Copy and paste the bucket policy example provided above, making sure to replace the placeholder values (such as "your-bucket-name") with your own.
6. Review the ACL settings and remove any "AllUsers" or "AuthenticatedUsers" entries. Ensure that only approved users or roles have access.
7. Save the changes to the bucket policy and ACL settings.
8. Test the bucket access by attempting to access it from a non-authorized account or as an anonymous user to verify that access is denied.
9. Monitor the bucket to ensure that public access is consistently denied. Regularly review the bucket policy and ACL settings to prevent accidental exposure of CloudTrail logs.
By following these steps, the S3 bucket used to store CloudTrail logs will be secured and not publicly accessible, mitigating the risk of unauthorized access to sensitive data.
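The following is an added example, not part of the CIS rule text or of any benchmark tool, showing how the checks in the troubleshooting and remediation steps above can be scripted: it evaluates a log bucket's Block Public Access settings, its bucket policy, and its ACL for the AllUsers/AuthenticatedUsers grants the steps tell you to remove. The three input dicts are constructed samples in the shapes that boto3's get_public_access_block, get_bucket_policy (after json.loads) and get_bucket_acl return; the bucket and policy names are assumptions.

```python
# ACL grantee groups that make a bucket readable by anyone or by any AWS account.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """Return (group name, permission) for every ACL grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits

def policy_allows_wildcard_principal(policy):
    """True if an Allow statement names Principal '*' with no Condition
    (a conservative approximation of S3's own public-policy evaluation)."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False

def evaluate_log_bucket(bpa, policy, acl):
    """Return ('ok' | 'alarm', reasons) for one CloudTrail log bucket."""
    reasons = [f"{k} is not enabled" for k in BPA_SETTINGS if not bpa.get(k)]
    if policy_allows_wildcard_principal(policy):
        reasons.append("bucket policy allows Principal '*' without a condition")
    reasons += [f"ACL grants {perm} to {grp}" for grp, perm in public_acl_grants(acl)]
    return ("alarm" if reasons else "ok"), reasons

# Constructed sample responses in the shapes boto3 returns; not from a real account.
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-trail-logs/*"}]}
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}

if __name__ == "__main__":
    status, why = evaluate_log_bucket(SAMPLE_BPA, SAMPLE_POLICY, SAMPLE_ACL)
    print(status, *why, sep="\n  ")
```

To run it against real buckets, list the trails' S3BucketName values with CloudTrail's describe_trails and feed each bucket's three boto3 responses to evaluate_log_bucket; a missing public-access-block configuration or bucket policy should be treated as an empty dict.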