S3 bucket access logging should be enabled on the CloudTrail S3 bucket

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

Default value

Logging is disabled.

Rationale

By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.

Remediation

From the console

  1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
  2. Under All Buckets, click on the target S3 bucket.
  3. Click on Properties in the top right of the console.
  4. Under Bucket: <s3_bucket_for_cloudtrail>, click Logging.
  5. Configure bucket logging and select the Enabled checkbox.
  6. Select the target bucket from the list, and enter a Target Prefix.
  7. Click Save.

References

  1. CCE-78918-0
  2. https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html[2]