Object-level logging should be enabled for S3 bucket read events

문서 > Datadog 보안 > OOTB Rules > Object-level logging should be enabled for S3 bucket read events

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

S3 object-level API read event operations, such as GetObject, DeleteObject, and PutObject, are classified as data events, which are not logged by default in CloudTrail. Enabling object-level logging for S3 buckets is recommended to meet data compliance requirements, perform comprehensive security analysis, and monitor user behavior patterns, allowing for immediate actions on object-level API activity using Amazon CloudWatch Events.

Remediation

To satisfy this check, a multi-region CloudTrail should be created using either Advanced or Basic Field Selectors.

Advanced Field Selectors:

```
{
    "field": "eventCategory",
    "equals": ["Data"]
},
{
    "field": "resources.type",
    "equals": ["AWS::S3::Object"]
},
{
    "field": "readOnly",
    "equals": ["true"]
},
```

Basic Field Selectors: { "type": "AWS::S3::Object", "values": ["arn:aws:s3"] }, { "read_write_type": "readOnly" (or `all`) }

Additional fields such as eventType should not be used, as these will filter the scope of logging. For instructions on enabling object-level logging for S3 buckets in CloudTrail, refer to the AWS CloudTrail User Guide on Logging Data Events.