
Rule: S3 Bucket Logging Should Be Enabled

This rule specifies that S3 bucket logging must be enabled to ensure system and information integrity.

Rule: S3 bucket logging should be enabled
Framework: NIST 800-171 Revision 2
Severity: Low

Rule: S3 bucket logging for NIST 800-171 Revision 2

This rule mandates enabling S3 bucket logging for compliance with the NIST 800-171 Revision 2 security requirements. S3 bucket logging helps capture detailed information about bucket activity, providing visibility into access attempts and actions taken on objects within the bucket. By ensuring S3 bucket logging is enabled, organizations can effectively monitor and detect unauthorized access attempts, potential security breaches, and compliance violations.

Description:

S3 bucket logging (server access logging) records the requests made against an S3 bucket and its objects within an AWS account. The generated logs are delivered to a separate target bucket and can be analyzed using AWS services such as Amazon CloudWatch or AWS Glue, or with third-party SIEM (Security Information and Event Management) tools. Logging should be continuously enabled for all buckets in compliance with the NIST 800-171 Revision 2 guidelines.

Troubleshooting Steps:

In the event of any issues or errors encountered while enabling S3 bucket logging, follow these troubleshooting steps:

  1. Check S3 bucket permissions: Ensure that the appropriate IAM policies and permissions are assigned to the AWS account making the logging configuration changes. The IAM user or role should have the necessary permissions to enable logging on S3 buckets.

  2. Verify bucket names: Confirm that the S3 bucket names used for enabling logging are spelled correctly and exist in the AWS account. Typos or incorrect bucket names may cause logging configuration failures.

  3. Review bucket policies: Check whether any bucket policies in place could interfere with enabling logging. Bucket policies restricting specific API actions or permissions could prevent successful configuration.

  4. Check CloudTrail settings: If CloudTrail is enabled, ensure it is configured correctly to capture S3 bucket-related events. Incorrect CloudTrail settings might affect S3 bucket logging functionality.

  5. Review the Amazon S3 Access Control List (ACL): Verify that the S3 bucket's ACL allows the necessary level of access for the AWS account enabling logging. Ensure appropriate permissions are granted to avoid any potential issues.

Necessary Code:

There is no application code required to enable S3 bucket logging for NIST 800-171 Revision 2 compliance: it is a configuration setting on the bucket that can be applied in the AWS Management Console or with AWS CLI commands.

Step-by-Step Guide for Remediation:

To enable S3 bucket logging for NIST 800-171 Revision 2 compliance, follow these step-by-step instructions:

  1. Access the AWS Management Console: Log in to the AWS Management Console using valid credentials.

  2. Navigate to the S3 service: Click on the "Services" dropdown in the top-left corner of the console and select "S3" under the "Storage" category.

  3. Select the desired bucket: From the list of available buckets, click on the name of the bucket you want to enable logging for.

  4. Open Bucket Properties: Click on the "Properties" tab located at the top of the selected bucket's management page.

  5. Enable Logging: Scroll down to the "Server access logging" section and click on the "Edit" button.

  6. Select the Target Bucket: In the "Target bucket" field, choose the bucket where you want to store the log files. You can either select an existing bucket or create a new one specifically for the logs.

  7. Specify Log File Prefix (optional): If desired, enter a prefix for the log file names to help organize and categorize logs within the chosen bucket.

  8. Save Changes: Click on the "Save changes" button to enable S3 bucket logging.

  9. Verify Logging Configuration: After saving the changes, ensure that the logging status for the selected bucket shows "Logging enabled". You can also confirm log delivery by checking the specified logging bucket for log files.

By following these steps, you will successfully enable S3 bucket logging for NIST 800-171 Revision 2 compliance. Repeat the process for each bucket within the AWS account as required to ensure comprehensive logging coverage.
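The CLI equivalent of the console procedure above, covering the "Necessary Code" section's note that logging can be applied with AWS CLI commands and the permission problems raised in troubleshooting steps 1, 3 and 5, as an added example that is not Cloud Defense's own code. It assumes AWS CLI v2 with credentials permitted to call s3:PutBucketPolicy, s3:PutBucketLogging, s3:GetBucketLogging and s3:ListAllMyBuckets; the bucket names, prefix and account id are placeholders to be overridden through the environment. The target bucket policy grants the S3 log delivery service principal write access only under the chosen prefix and only for logs originating from the named source bucket in this account; the verification step fails closed when a bucket reports no logging configuration or logs to a different target than expected.

```shell
#!/bin/sh
# Added example, not Cloud Defense's code: enable S3 server access logging with
# the AWS CLI and verify it. Assumes AWS CLI v2 and credentials allowed to call
# s3:PutBucketPolicy, s3:PutBucketLogging, s3:GetBucketLogging, s3:ListAllMyBuckets.
# All bucket names and the account id below are placeholders; override via env.

SOURCE_BUCKET="${SOURCE_BUCKET:-example-source-bucket}"     # placeholder
LOG_BUCKET="${LOG_BUCKET:-example-access-logs-bucket}"       # placeholder
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"                     # placeholder
LOG_PREFIX="${LOG_PREFIX:-logs/${SOURCE_BUCKET}/}"

# Policy for the TARGET bucket: lets the S3 log delivery service principal write
# log objects under our prefix, restricted to logs for our own source bucket and
# account (the permission problem behind troubleshooting steps 1, 3 and 5).
target_bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "S3ServerAccessLogsPolicy",
    "Effect": "Allow",
    "Principal": {"Service": "logging.s3.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::${LOG_BUCKET}/${LOG_PREFIX}*",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "${ACCOUNT_ID}"},
      "ArnLike": {"aws:SourceArn": "arn:aws:s3:::${SOURCE_BUCKET}"}
    }
  }]
}
EOF
}

# BucketLoggingStatus document consumed by put-bucket-logging (console steps 6-7).
logging_status() {
  printf '{"LoggingEnabled": {"TargetBucket": "%s", "TargetPrefix": "%s"}}\n' \
    "$LOG_BUCKET" "$LOG_PREFIX"
}

# Reads a get-bucket-logging response (JSON) from stdin. Returns 0 only if
# logging is enabled AND points at the expected target bucket ($1). A bucket
# with logging disabled returns an empty document, which fails this check.
logging_enabled() {
  grep -q "\"TargetBucket\": *\"$1\""
}

# Apply the configuration to the live account (console steps 5-8).
enable_logging() {
  target_bucket_policy > /tmp/s3-log-policy.json
  logging_status > /tmp/s3-logging-status.json
  aws s3api put-bucket-policy --bucket "$LOG_BUCKET" \
    --policy file:///tmp/s3-log-policy.json
  aws s3api put-bucket-logging --bucket "$SOURCE_BUCKET" \
    --bucket-logging-status file:///tmp/s3-logging-status.json
}

# Console step 9: confirm the source bucket reports logging to the target.
verify_logging() {
  if aws s3api get-bucket-logging --bucket "$1" | logging_enabled "$2"; then
    echo "OK: $1 logs to $2"
  else
    echo "FAIL: $1 has no server access logging to $2" >&2
    return 1
  fi
}

# Coverage check for "repeat for each bucket": print buckets that log nowhere.
buckets_without_logging() {
  for b in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
    aws s3api get-bucket-logging --bucket "$b" | grep -q '"TargetBucket"' || echo "$b"
  done
}

# Usage: SOURCE_BUCKET=... LOG_BUCKET=... ACCOUNT_ID=... sh s3-logging.sh --apply
#        sh s3-logging.sh --audit
case "${1:-}" in
  --apply) enable_logging && verify_logging "$SOURCE_BUCKET" "$LOG_BUCKET" ;;
  --audit) buckets_without_logging ;;
esac
```

Run `--apply` once per source bucket (all can share one target bucket, separated by prefix) and `--audit` afterwards to find buckets that still lack a logging target; the policy is written with the source bucket condition, so add a statement or a prefix-wide resource per additional source bucket rather than reusing it unchanged.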
