S3 bucket logging disabled
Id: c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Observability
Description
Enabling botocore endpoint debug logs for S3 operations captures detailed client request and response traces useful for detecting suspicious activity and supporting incident investigation. For Ansible tasks using the amazon.aws.s3_bucket or s3_bucket modules, the debug_botocore_endpoint_logs property must be defined and set to true. Tasks where this property is missing or set to false are flagged.
Debug logs can contain sensitive request data. Ensure they are collected, transmitted, and stored securely with appropriate access controls and retention policies.
Secure configuration example:
- name: Create S3 bucket with botocore endpoint debug logs enabled
  amazon.aws.s3_bucket:
    name: my-bucket
    state: present
    debug_botocore_endpoint_logs: true
Compliant Code Examples
- amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    debug_botocore_endpoint_logs: true
Non-Compliant Code Examples
---
- name: "Create S3 bucket"
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    debug_botocore_endpoint_logs: false
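The check described above can be reproduced locally before a playbook reaches the scanner. The following is an added example, not the rule's own implementation: it assumes the task list has already been parsed (for instance with yaml.safe_load), and the function names, the truthy-string set and the sample tasks are constructed for illustration. It goes slightly beyond the page by also walking block/rescue/always sections and accepting Ansible-style boolean strings.

```python
# Added example: flag S3 bucket tasks that do not enable botocore endpoint debug logs.
MODULES = ("amazon.aws.s3_bucket", "s3_bucket")
PROP = "debug_botocore_endpoint_logs"
# Assumption: string forms that Ansible converts to boolean true for bool parameters.
TRUTHY = {"true", "yes", "on", "1", "y", "t"}


def is_true(value):
    """Return True for a YAML boolean true or an Ansible-style truthy string."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUTHY


def find_violations(tasks, path="tasks"):
    """Yield (location, task name, reason) for every non-compliant task."""
    for i, task in enumerate(tasks or []):
        where = f"{path}[{i}]"
        if not isinstance(task, dict):
            continue
        # Tasks can be nested inside block/rescue/always sections.
        for section in ("block", "rescue", "always"):
            if section in task:
                yield from find_violations(task[section], f"{where}.{section}")
        for module in MODULES:
            if module not in task:
                continue
            # Free-form (string) module arguments are treated as "property missing".
            args = task[module] if isinstance(task[module], dict) else {}
            name = task.get("name", "<unnamed>")
            if PROP not in args:
                yield where, name, f"{PROP} is missing"
            elif not is_true(args[PROP]):
                yield where, name, f"{PROP} is {args[PROP]!r}"


# Constructed sample: the page's task shapes in the form a YAML parser returns them.
SAMPLE = [
    {"name": "compliant", "amazon.aws.s3_bucket": {"name": "mys3bucket", "state": "present", PROP: True}},
    {"name": "Create S3 bucket", "amazon.aws.s3_bucket": {"name": "mys3bucket", "state": "present", PROP: False}},
    {"name": "property missing", "s3_bucket": {"name": "mys3bucket", "state": "present"}},
    {"name": "wrapper", "block": [{"name": "nested", "s3_bucket": {"name": "b", PROP: "no"}}]},
]

if __name__ == "__main__":
    for where, name, reason in find_violations(SAMPLE):
        print(f"{where} ({name}): {reason}")
```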