Object-level logging should be enabled for S3 bucket read events

Documentos > Datadog Security > OOTB Rules > Object-level logging should be enabled for S3 bucket read events

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

S3 object-level API read event operations, such as GetObject, DeleteObject, and PutObject, are classified as data events, which are not logged by default in CloudTrail. Enabling object-level logging for S3 buckets is recommended to meet data compliance requirements, perform comprehensive security analysis, and monitor user behavior patterns, allowing for immediate actions on object-level API activity using Amazon CloudWatch Events.

Remediation

To satisfy this check, a multi-region CloudTrail should be created using either Advanced or Basic Field Selectors.

Advanced Field Selectors:

```
{
    "field": "eventCategory",
    "equals": ["Data"]
},
{
    "field": "resources.type",
    "equals": ["AWS::S3::Object"]
},
{
    "field": "readOnly",
    "equals": ["true"]
},
```

Basic Field Selectors: { "type": "AWS::S3::Object", "values": ["arn:aws:s3"] }, { "read_write_type": "readOnly" (or `all`) }

Additional fields such as eventType should not be used, as these will filter the scope of logging. For instructions on enabling object-level logging for S3 buckets in CloudTrail, refer to the AWS CloudTrail User Guide on Logging Data Events.