Metadata

Id: c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Observability

Description

Enabling botocore endpoint debug logs for S3 operations captures detailed client request and response traces useful for detecting suspicious activity and supporting incident investigation. For Ansible tasks using the amazon.aws.s3_bucket or s3_bucket modules, the debug_botocore_endpoint_logs property must be defined and set to true. Tasks where this property is missing or set to false are flagged.

Debug logs can contain sensitive request data. Ensure they are collected, transmitted, and stored securely with appropriate access controls and retention policies.

Secure configuration example:

- name: Create S3 bucket with botocore endpoint debug logs enabled
  amazon.aws.s3_bucket:
    name: my-bucket
    state: present
    debug_botocore_endpoint_logs: true

Compliant Code Examples

- amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    debug_botocore_endpoint_logs: true

Non-Compliant Code Examples

---
- name: "Create S3 bucket"
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    debug_botocore_endpoint_logs: false
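The following is an added example, not Datadog's rule implementation, showing how the check described above can be applied to a parsed playbook: it walks tasks (including block/rescue/always sections), recognises both the amazon.aws.s3_bucket and legacy s3_bucket module names, and flags tasks where debug_botocore_endpoint_logs is absent or not true. The sample play is constructed here and mirrors the compliant and non-compliant examples; it is the structure yaml.safe_load would return for a playbook entry.

```python
"""Hypothetical checker for the rule on this page (not Datadog's own code)."""

S3_BUCKET_MODULES = ("amazon.aws.s3_bucket", "s3_bucket")
# Spellings Ansible accepts as boolean true for a module argument.
TRUE_VALUES = {"true", "yes", "on", "1"}


def _iter_tasks(tasks):
    """Yield every leaf task, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = [s for s in ("block", "rescue", "always") if s in task]
        if nested:
            for section in nested:
                yield from _iter_tasks(task[section])
        else:
            yield task


def find_violations(play):
    """Return (task name, reason) for every non-compliant s3_bucket task."""
    violations = []
    sections = ("pre_tasks", "tasks", "post_tasks", "handlers")
    tasks = [t for s in sections for t in (play.get(s) or [])]
    for task in _iter_tasks(tasks):
        module = next((m for m in S3_BUCKET_MODULES if m in task), None)
        if module is None:
            continue
        # "key=value" shorthand is a string, not a dict; treat it as having no args.
        args = task[module] if isinstance(task[module], dict) else {}
        name = task.get("name", "<unnamed>")
        value = args.get("debug_botocore_endpoint_logs")
        if value is None:
            violations.append((name, "debug_botocore_endpoint_logs not set"))
        elif str(value).lower() not in TRUE_VALUES:
            violations.append((name, f"debug_botocore_endpoint_logs is {value!r}"))
    return violations


# Constructed sample play (what yaml.safe_load returns for one play).
SAMPLE_PLAY = {
    "hosts": "localhost",
    "tasks": [
        {"name": "Create S3 bucket", "amazon.aws.s3_bucket":
            {"name": "mys3bucket", "state": "present", "debug_botocore_endpoint_logs": False}},
        {"name": "Legacy module, logs missing", "s3_bucket": {"name": "legacy", "state": "present"}},
        {"block": [{"name": "Nested compliant bucket", "amazon.aws.s3_bucket":
            {"name": "ok", "state": "present", "debug_botocore_endpoint_logs": "yes"}}]},
        {"name": "Unrelated task", "ansible.builtin.debug": {"msg": "hi"}},
    ],
}

if __name__ == "__main__":
    for task_name, reason in find_violations(SAMPLE_PLAY):
        print(f"NON-COMPLIANT: {task_name}: {reason}")
```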