S3 bucket logging disabled
Id: c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Observability
Description
Enabling botocore endpoint debug logs for S3 operations captures detailed client request and response traces useful for detecting suspicious activity and supporting incident investigation. For Ansible tasks using the amazon.aws.s3_bucket or s3_bucket modules, the debug_botocore_endpoint_logs property must be defined and set to true. Tasks where this property is missing or set to false are flagged.
Debug logs can contain sensitive request data. Ensure they are collected, transmitted, and stored securely with appropriate access controls and retention policies.
Secure configuration example:
- name: Create S3 bucket with botocore endpoint debug logs enabled
  amazon.aws.s3_bucket:
    name: my-bucket
    state: present
    debug_botocore_endpoint_logs: true
Compliant Code Examples
- amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    debug_botocore_endpoint_logs: true
Non-Compliant Code Examples
---
- name: "Create S3 bucket"
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    debug_botocore_endpoint_logs: false
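The following script is an added example of how the rule described above can be checked in code; it is not part of KICS or of the amazon.aws collection. It audits a task list for `amazon.aws.s3_bucket` / `s3_bucket` tasks whose `debug_botocore_endpoint_logs` is missing or not true, and it goes slightly beyond the page by also descending into `block`/`rescue`/`always` groups. The tasks are given as already-parsed Python dicts (the shape a YAML loader returns for the examples above), and the set of string spellings accepted as "true" is an assumption modelled on Ansible's YAML boolean handling.

```python
"""Audit Ansible tasks for the s3_bucket debug_botocore_endpoint_logs setting.

Example code added for illustration only; not part of KICS or amazon.aws.
Tasks are supplied as already-parsed Python dicts (what a YAML loader would
return for a task list) so the script runs without PyYAML.
"""

S3_BUCKET_MODULES = {"amazon.aws.s3_bucket", "s3_bucket"}
PROPERTY = "debug_botocore_endpoint_logs"
BLOCK_KEYS = ("block", "rescue", "always")


def _is_true(value):
    # YAML booleans are the normal case; the accepted string spellings are an
    # assumption modelled on Ansible's boolean coercion, not an amazon.aws API.
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() in {"true", "yes", "on", "1"}


def _find_s3_module(task):
    for key in task:
        if key in S3_BUCKET_MODULES:
            return key
    return None


def audit_tasks(tasks, path="tasks"):
    """Return a list of (task_label, reason) for non-compliant s3_bucket tasks.

    Recurses into block/rescue/always so grouped tasks are checked as well.
    """
    findings = []
    for index, task in enumerate(tasks):
        if not isinstance(task, dict):
            continue
        task_path = f"{path}[{index}]"
        name = task.get("name")
        label = f"{task_path} ({name})" if name else task_path

        # Nested task groups are audited first, with their own path prefix.
        for block_key in BLOCK_KEYS:
            nested = task.get(block_key)
            if isinstance(nested, list):
                findings.extend(audit_tasks(nested, f"{task_path}.{block_key}"))

        module = _find_s3_module(task)
        if module is None:
            continue
        args = task[module]
        if not isinstance(args, dict):
            args = {}  # free-form string arguments cannot carry the property
        if PROPERTY not in args:
            findings.append((label, f"{module}: {PROPERTY} is missing"))
        elif not _is_true(args[PROPERTY]):
            findings.append((label, f"{module}: {PROPERTY} is {args[PROPERTY]!r}, expected true"))
    return findings


# Constructed sample mirroring the page's compliant and non-compliant examples,
# plus a task missing the property, an unrelated module that must not be
# flagged, and a bucket task nested inside a block.
SAMPLE_TASKS = [
    {"amazon.aws.s3_bucket": {"name": "mys3bucket", "state": "present", PROPERTY: True}},
    {"name": "Create S3 bucket",
     "amazon.aws.s3_bucket": {"name": "mys3bucket", "state": "present", PROPERTY: False}},
    {"name": "Bucket without the property",
     "s3_bucket": {"name": "other-bucket", "state": "present"}},
    {"name": "Unrelated", "ansible.builtin.debug": {"msg": "hello"}},
    {"name": "Grouped", "block": [
        {"name": "Nested bucket",
         "amazon.aws.s3_bucket": {"name": "nested-bucket", "state": "present", PROPERTY: "no"}},
    ]},
]

if __name__ == "__main__":
    for task_label, reason in audit_tasks(SAMPLE_TASKS):
        print(f"{task_label}: {reason}")
```

Run against `SAMPLE_TASKS` it reports three findings: the explicit `false`, the missing property, and the nested `"no"`; the first (compliant) task and the unrelated debug task are left alone. Feeding it a real playbook only requires loading the YAML and passing each play's `tasks` list.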