
Ensure the S3 Bucket for CloudTrail Logs Is Not Publicly Accessible Rule

This rule ensures that the S3 bucket used for CloudTrail logs is not publicly accessible.

Rule: Ensure the S3 bucket for CloudTrail logs is not publicly accessible
Framework: General Data Protection Regulation (GDPR)
Severity: Low

Rule Description:

This rule is designed to ensure compliance with the General Data Protection Regulation (GDPR) by preventing public access to the S3 bucket where CloudTrail logs are stored. The GDPR mandates that personal data of individuals in the European Union must be kept secure and not be accessible to unauthorized parties.

Troubleshooting Steps:

If the S3 bucket where CloudTrail logs are stored is found to be publicly accessible, follow these steps to remediate the issue:

  1. Determine the current public access configuration of the S3 bucket by checking the bucket policies and access control lists (ACLs).
  2. Review the IAM policies for users and roles that have access to modify the bucket policies or permissions.
  3. Check if any existing bucket policies or ACLs allow public access.
  4. Identify the source of the public access, such as an improperly configured bucket policy, an overly permissive IAM policy, or an accidental public ACL.
  5. Determine the necessary changes to remove public access and maintain compliance with GDPR.
  6. Apply the required changes to the bucket policies, ACLs, or IAM policies to revoke public access.
  7. Conduct thorough testing to ensure the changes have taken effect and that the S3 bucket is no longer publicly accessible.

Necessary Code:

If the bucket policy needs to be modified to restrict public access, use the following example code:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Replace "your-bucket-name" with the actual name of your S3 bucket. This policy denies the GetObject action for all principals (users, roles, or accounts) when the request is not made over a secure (HTTPS) connection. Note that this statement enforces encryption in transit only: an Allow statement that grants s3:GetObject to Principal "*", or a public ACL grant, would still permit anonymous reads over HTTPS, so the bucket policy and ACL review in the remediation steps below is still required.
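The checks in troubleshooting steps 1, 3 and 4 can be carried out offline against the JSON that the bucket's policy and ACL return. The following is an added example, not CloudDefense's own code; the policy and ACL documents are constructed samples with placeholder bucket and owner names, and the CloudTrailWrite statement stands in for the service grant a CloudTrail bucket normally carries.

```python
# ACL groups meaning "everyone" or "any AWS account"; a grant to either is public.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_anyone(principal):
    """True when Principal is '*' or {'AWS': '*'} (single value or list)."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def public_allow_statements(policy):
    """Sids of unconditional Allow statements open to everyone. Allows with a
    Condition may still be scoped (e.g. to a VPC endpoint): review by hand."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow"
        and _principal_is_anyone(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]

def public_acl_grants(acl):
    """(URI, Permission) pairs granted to the public ACL groups."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_URIS
    ]

# Constructed sample policy: CloudTrail's service write grant, a public-read
# Allow, and the page's HTTPS-only Deny, which leaves anonymous HTTPS reads open.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::your-bucket-name/AWSLogs/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::your-bucket-name/*"},
    {"Sid": "DenyPublicAccess", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::your-bucket-name/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# Constructed sample ACL shaped like a GetBucketAcl response.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
```

Running the two functions over the samples flags only the PublicRead statement and the AllUsers READ grant; the CloudTrail service grant and the HTTPS-only Deny are not public access and are left alone.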

Remediation Steps:

To remediate the issue of a publicly accessible S3 bucket, follow these step-by-step instructions:

  1. Log in to the AWS Management Console.
  2. Navigate to the S3 service.
  3. Select the S3 bucket where CloudTrail logs are stored.
  4. Review the bucket policies by clicking on the "Permissions" tab and then selecting the "Bucket Policy" option.
  5. Ensure that the bucket policy does not allow public access. If there is an existing policy allowing public access, edit the policy and modify it to deny public access.
  6. Update the bucket policy with the necessary changes to restrict public access (you can use the provided code snippet as a reference).
  7. Save the updated bucket policy.
  8. Check the access control lists (ACLs) for the bucket by clicking on the "Permissions" tab and selecting the "Access Control List" option.
  9. Ensure that the ACLs do not grant public access. If there are any public ACLs, modify them to restrict public access.
  10. Save the changes to the ACLs.
  11. Conduct thorough testing to verify that the S3 bucket is no longer publicly accessible.
  12. Monitor the bucket's settings periodically to ensure that public access is not inadvertently granted in the future.

By following these steps, you can ensure compliance with GDPR regulations by preventing unauthorized public access to the S3 bucket where CloudTrail logs are stored.
