--- title: S3 bucket logging disabled description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > S3 bucket logging disabled --- # S3 bucket logging disabled {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `f861041c-8c9f-4156-acfc-5e6e524f5884` **Cloud Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Observability #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) ### Description{% #description %} Server access logging should be enabled on S3 Buckets so that all changes are logged and trackable. Without the `logging` block in your Terraform configuration, such as shown below, access and modification events to the S3 bucket will not be recorded, making it difficult to detect unauthorized access or investigate security incidents. ``` resource "aws_s3_bucket" "example" { bucket = "my-tf-test-bucket" acl = "private" } ``` This lack of logging can result in untraceable data exposure or loss if the bucket is misused or compromised. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform terraform { required_providers { aws = { source = "hashicorp/aws" version = "4.2.0" } } } provider "aws" { # Configuration options } resource "aws_s3_bucket" "example" { bucket = "my-tf-example-bucket" } resource "aws_s3_bucket_logging" "example" { bucket = aws_s3_bucket.example.id target_bucket = aws_s3_bucket.log_bucket.id target_prefix = "log/" } ``` ```terraform module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" bucket = "my-s3-bucket" acl = "private" versioning = { enabled = true } logging { target_bucket = "logs" } } ``` ```terraform provider "aws" { region = "us-east-1" } terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 3.0" } } } resource "aws_s3_bucket" "negative1" { bucket = "my-tf-test-bucket" acl = "private" tags = { Name = "My bucket" Environment = "Dev" } logging { target_bucket = "logs" } versioning { mfa_delete = true } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "3.7.0" bucket = "my-s3-bucket" acl = "private" versioning = { enabled = true } } ``` ```terraform terraform { required_providers { aws = { source = "hashicorp/aws" version = "4.2.0" } } } provider "aws" { # Configuration options } resource "aws_s3_bucket" "examplee" { bucket = "my-tf-example-bucket" } ``` ```terraform provider "aws" { region = "us-east-1" } terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 3.0" } } } resource "aws_s3_bucket" "positive1" { bucket = "my-tf-test-bucket" acl = "private" tags = { Name = "My bucket" Environment = "Dev" } versioning { mfa_delete = true } } ```