
lacework-global-80

3.10 Enable Object-level logging for write events on S3 buckets (Automated)

Profile Applicability

• Level 2

Description

S3 object-level API operations such as GetObject, DeleteObject, and PutObject are data events. By default, CloudTrail trails do not log data events. Best practices recommend enabling Object-level logging for S3 buckets.

Rationale

Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.

Audit

From Console

  1. Log in to the AWS Management Console and navigate to the S3 dashboard at https://console.aws.amazon.com/s3/
  2. In the left navigation panel, click Buckets and then click the name of the S3 bucket that you want to examine.
  3. Click the Properties tab to view the bucket's configuration in detail.
  4. If the current status for Object-level logging is Disabled, object-level logging of write events for the selected S3 bucket is not configured.
  5. Repeat steps 2 to 4 to verify the object-level logging status of the other S3 buckets.

From Command Line

  1. Run the list-trails command to list the names of all CloudTrail trails currently available in the selected AWS region:
aws cloudtrail list-trails --region <region-name> --query Trails[*].Name
  2. The command output is a list of the trail names.
  3. Run the get-event-selectors command with the name of a trail returned in the previous step and a query filter to determine whether data event logging for S3 objects is enabled in the selected trail's configuration:
aws cloudtrail get-event-selectors --region <region-name> --trail-name <trail-name> --query EventSelectors[*].DataResources[]
  4. The command output should be an array containing the S3 object resources (Type AWS::S3::Object) defined in the trail's data event selectors. Check the ReadWriteType of each selector as well: a selector whose ReadWriteType is ReadOnly logs no write events even if it lists S3 resources, and a Values entry that names only a key prefix (arn:aws:s3:::<s3-bucket-name>/<prefix>) does not cover the whole bucket.
  5. If the get-event-selectors command returns an empty array '[]', no data events are included in the selected trail's basic event selectors, so the S3 object-level API operations performed within your AWS account are not recorded by that trail. Trails configured with advanced event selectors return their configuration under AdvancedEventSelectors rather than EventSelectors, so the query above also returns '[]' for them; for such trails, inspect the full get-event-selectors output (without the --query filter) before concluding that data events are not logged.
  6. Repeat steps 3 to 5 for each trail in the region to identify trails that are missing S3 data event logging.
  7. Change the AWS region by updating the --region parameter and repeat the audit process for the other regions.
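The checks in the audit steps above, as an added example that is not part of the CIS benchmark text or Lacework's tooling: a small evaluator for get-event-selectors output that handles both selector shapes (classic EventSelectors and AdvancedEventSelectors), applies the ReadWriteType and bucket-prefix rules, and reports which buckets a trail does not cover for write events. The sample responses, trail ARN, account ID and bucket names are constructed placeholders; the script file name in the usage comment is illustrative.

```python
"""Evaluate `aws cloudtrail get-event-selectors` output for S3 write logging.

Added example for this control, not code from the CIS benchmark or Lacework.
It decides whether a trail logs object-level write events for a bucket and
handles both selector shapes the API can return: the classic "EventSelectors"
list the audit steps query, and "AdvancedEventSelectors", which newer trails
use and which make the audit's EventSelectors[*].DataResources[] query come
back empty even though data events are logged. Sample responses below are
constructed; feed real output on stdin to audit a live trail.
"""
import json
import sys

ALL_BUCKETS_PREFIX = "arn:aws:s3"   # value CloudTrail uses for "all current and future buckets"
S3_OBJECT_TYPE = "AWS::S3::Object"


def _bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}/"


def _basic_selector_covers(selector, bucket):
    """Classic selector: one ReadWriteType applies to every DataResource in it."""
    if selector.get("ReadWriteType", "All") not in ("WriteOnly", "All"):
        return False
    for res in selector.get("DataResources", []):
        if res.get("Type") != S3_OBJECT_TYPE:
            continue
        for value in res.get("Values", []):
            # Only the whole-account prefix or this bucket's own object prefix
            # counts; arn:aws:s3:::bucket/some-key-prefix leaves other keys unlogged.
            if value in (ALL_BUCKETS_PREFIX, _bucket_arn(bucket)):
                return True
    return False


def _advanced_selector_covers(selector, bucket):
    """Advanced selector: field conditions that must all match an event.
    Handles Equals/StartsWith/NotEquals/NotStartsWith on resources.ARN;
    the EndsWith operators are not modelled here."""
    fields = {fs["Field"]: fs for fs in selector.get("FieldSelectors", [])}
    if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
        return False
    if fields.get("resources.type", {}).get("Equals") != [S3_OBJECT_TYPE]:
        return False
    # readOnly absent means reads and writes; "false" means writes only; "true" is reads only.
    if fields.get("readOnly", {}).get("Equals") == ["true"]:
        return False
    arn = fields.get("resources.ARN")
    if arn is None:
        return True                       # no ARN condition: every bucket
    target = _bucket_arn(bucket)
    for value in arn.get("NotEquals", []) + arn.get("NotStartsWith", []):
        if target.startswith(value):
            return False                  # this bucket is explicitly excluded
    if not arn.get("Equals", []) + arn.get("StartsWith", []):
        return True                       # exclusions only: everything else is logged
    return target in arn.get("Equals", []) or any(
        target.startswith(v) for v in arn.get("StartsWith", []))


def trail_logs_s3_writes(response, bucket):
    """True if any selector in the response logs S3 object write events for bucket."""
    basic = any(_basic_selector_covers(s, bucket) for s in response.get("EventSelectors") or [])
    advanced = any(_advanced_selector_covers(s, bucket)
                   for s in response.get("AdvancedEventSelectors") or [])
    return basic or advanced


def uncovered_buckets(response, buckets):
    """Buckets from the list whose write events this trail does not capture."""
    return [b for b in buckets if not trail_logs_s3_writes(response, b)]


# Constructed sample responses (placeholder account and trail) in the shape
# get-event-selectors returns.
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"
SAMPLE_MANAGEMENT_ONLY = {
    "TrailARN": TRAIL_ARN,
    "EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}
    ],
}
SAMPLE_ONE_BUCKET_WRITE = {
    "TrailARN": TRAIL_ARN,
    "EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
         "DataResources": [{"Type": S3_OBJECT_TYPE, "Values": ["arn:aws:s3:::example-bucket/"]}]}
    ],
}
SAMPLE_ADVANCED_ALL_BUCKETS_WRITE = {
    "TrailARN": TRAIL_ARN,
    "AdvancedEventSelectors": [
        {"Name": "S3 writes, every bucket",
         "FieldSelectors": [
             {"Field": "eventCategory", "Equals": ["Data"]},
             {"Field": "resources.type", "Equals": [S3_OBJECT_TYPE]},
             {"Field": "readOnly", "Equals": ["false"]},
         ]}
    ],
}

if __name__ == "__main__":
    # Usage (script name illustrative):
    #   aws cloudtrail get-event-selectors --trail-name <trail-name> | python3 audit_s3_writes.py bucket-a bucket-b
    if not sys.stdin.isatty():
        response, buckets = json.load(sys.stdin), sys.argv[1:]
    else:
        response, buckets = SAMPLE_ONE_BUCKET_WRITE, ["example-bucket", "other-bucket"]
    missing = uncovered_buckets(response, buckets)
    print("Buckets without write event logging on this trail:", missing or "none")
```

Run it once per trail and region (piping the real get-event-selectors output) with the bucket names from aws s3api list-buckets; a bucket that is uncovered on every trail fails this control.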

Remediation

From Console

  1. Login to the AWS Management Console and navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/.
  2. Under Trails, select the trail you would like to enable object-level logging on.
  3. After selecting the trail, under Data events, click Edit. Select the Data events checkbox, select S3 from the Data event source dropdown, and select the Write checkbox for All current and future S3 buckets.
  4. Repeat steps 2 to 3 to enable object-level logging of S3 write events on other CloudTrail trails.

From Command Line

  1. To enable object-level logging of write data events for S3 buckets within your AWS account, run the put-event-selectors command using the name of the trail that you want to reconfigure as the identifier:
aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "WriteOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]'
  2. To enable it for all current and future buckets at once, change the Values parameter to ["arn:aws:s3"] in the preceding command.
  3. put-event-selectors replaces the trail's entire event selector configuration rather than adding to it, so list every bucket you want covered in the Values array of a single command instead of running it once per bucket; a later run naming a different bucket would drop the earlier one. Note also that ReadWriteType applies to the management events in the same selector, so the command above stops the trail from logging read-only management events. If the trail must keep logging all management events, keep them in a separate selector with "ReadWriteType": "All" and put the S3 data resources in a selector with "IncludeManagementEvents": false. Confirm the result with get-event-selectors.
  4. Change the AWS region by updating the --region parameter and repeat the process for the trails in other regions.
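The remediation steps above, as an added example that is not part of the CIS benchmark text or Lacework's tooling: a builder for the --event-selectors payload that adds the requested buckets to a write-only S3 data selector while preserving what the trail already logs, keeping one selector with all management events so the WriteOnly data selector does not narrow them. It writes plain JSON for --event-selectors file://, so it needs no AWS SDK. The existing configuration and bucket names are constructed placeholders, and the script and file names in the usage comment are illustrative.

```python
"""Build a put-event-selectors payload that adds write-only S3 data events
without discarding what the trail already logs.

Added example, not code from the CIS benchmark or Lacework. put-event-selectors
replaces a trail's whole selector list, and a selector's ReadWriteType also
narrows the management events it includes, so this keeps (or creates) a
selector that logs all management events and puts the S3 object resources in a
separate WriteOnly selector. The "existing" configuration below is a
constructed sample in the shape of get-event-selectors output.
"""
import copy
import json
import sys

S3_OBJECT_TYPE = "AWS::S3::Object"
ALL_BUCKETS_PREFIX = "arn:aws:s3"      # CloudTrail's "all current and future buckets"


def build_write_selectors(buckets, existing=None):
    """Return the selector list to pass as --event-selectors.

    buckets:  bucket names to cover, or ["*"] for every bucket in the account.
    existing: the trail's current EventSelectors list (None for a fresh trail).
    """
    selectors = copy.deepcopy(existing) if existing else []
    wanted = {ALL_BUCKETS_PREFIX if b == "*" else f"arn:aws:s3:::{b}/" for b in buckets}
    for s in selectors:
        rw = s.get("ReadWriteType", "All")
        s3 = [r for r in s.get("DataResources", []) if r.get("Type") == S3_OBJECT_TYPE]
        if rw == "All":
            # Already logs reads and writes for these resources: leave them in place.
            for r in s3:
                vals = r.get("Values", [])
                wanted = set() if ALL_BUCKETS_PREFIX in vals else wanted - set(vals)
        elif rw == "WriteOnly":
            # Fold existing write-only S3 entries into the single selector built below.
            for r in s3:
                wanted.update(r.get("Values", []))
            s["DataResources"] = [r for r in s["DataResources"] if r not in s3]
    if ALL_BUCKETS_PREFIX in wanted:
        wanted = {ALL_BUCKETS_PREFIX}       # the account-wide prefix subsumes bucket entries
    # Exactly one selector should carry all management events (reads and writes);
    # otherwise the WriteOnly data selector would become the management selector.
    if not any(s.get("IncludeManagementEvents", True) and s.get("ReadWriteType", "All") == "All"
               for s in selectors):
        for s in selectors:
            s["IncludeManagementEvents"] = False
        selectors.insert(0, {"ReadWriteType": "All", "IncludeManagementEvents": True,
                             "DataResources": []})
    # Drop selectors left with nothing to log, then append the consolidated S3 write selector.
    selectors = [s for s in selectors
                 if s.get("IncludeManagementEvents", True) or s.get("DataResources")]
    if wanted:
        selectors.append({"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False,
                          "DataResources": [{"Type": S3_OBJECT_TYPE, "Values": sorted(wanted)}]})
    return selectors


# Constructed sample: a trail that logs only management events today.
EXISTING_MANAGEMENT_ONLY = [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}
]

if __name__ == "__main__":
    # Usage (script and file names illustrative):
    #   aws cloudtrail get-event-selectors --trail-name <trail-name> \
    #       | python3 build_selectors.py bucket-a bucket-b > s3-write-selectors.json
    #   aws cloudtrail put-event-selectors --trail-name <trail-name> \
    #       --event-selectors file://s3-write-selectors.json
    if not sys.stdin.isatty():
        existing, buckets = json.load(sys.stdin).get("EventSelectors"), sys.argv[1:]
    else:
        existing, buckets = EXISTING_MANAGEMENT_ONLY, ["example-bucket"]
    print(json.dumps(build_write_selectors(buckets, existing), indent=2))
```

This only applies to trails using classic event selectors; a trail that get-event-selectors reports with AdvancedEventSelectors must be changed with --advanced-event-selectors instead, and passing --event-selectors to it would replace that configuration. Re-run get-event-selectors after the update to confirm the two selectors are in place.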

References

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-cloudtrail-events.html