CloudTrail logs S3 bucket should not be publicly accessible

Description

The bucket policy or access control list (ACL) applied to the CloudTrail logs S3 bucket should prevent public access to the CloudTrail logs.

Rationale

Allowing public access to CloudTrail log content can help an adversary identify weaknesses in the affected account’s use or configuration.

Remediation

Perform the following steps to remove public access granted to the bucket through an ACL or S3 bucket policy.

From the console

  1. Go to the Amazon S3 console.
  2. Right-click on the bucket and click Properties.
  3. In the Properties pane, click the Permissions tab.
  4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
  5. Select the row if it grants permission to Everyone or Any Authenticated User.
  6. Uncheck all the permissions granted to Everyone or Any Authenticated User (click x to delete the row).
  7. Click Save to save the ACL.
  8. If the Edit bucket policy button is present, click it.
  9. Remove any Statement having an Effect set to Allow and a Principal set to "*" or {"AWS" : "*"}.
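The following Python is an added example, not part of the original benchmark text, that performs the same two checks the console steps describe: it finds ACL grants to Everyone (the `AllUsers` group) or Any Authenticated User (the `AuthenticatedUsers` group), as in steps 4 to 6, and bucket policy statements with an Effect of Allow and a Principal of "*" or {"AWS": "*"}, as in step 9. It assumes the ACL and policy documents have the shape returned by the S3 API (what boto3's get_bucket_acl and get_bucket_policy return); the bucket name, account ID and sample documents are constructed.

```python
"""Offline check for public access to a CloudTrail S3 bucket (added example).

Evaluates a bucket ACL and a bucket policy document in the shape returned by
the S3 API. The sample documents at the bottom are constructed for illustration.
"""
import json

# Grantee URIs S3 uses for the "Everyone" and "Any Authenticated User" groups.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return the ACL grants given to AllUsers or AuthenticatedUsers (steps 4-6)."""
    offending = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            offending.append(grant)
    return offending


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, also when "*" sits inside a list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def public_policy_statements(policy):
    """Return statements with Effect Allow and a public Principal (step 9).

    `policy` is either the JSON string from get_bucket_policy()["Policy"] or an
    already-parsed dict. A single Statement object is accepted as well as a list.
    Conditions are deliberately not evaluated: step 9 says to remove such
    statements outright, so the check is conservative.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))
    ]


def bucket_is_public(acl, policy):
    """Either check failing means the bucket fails this benchmark item."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))


# --- Constructed sample inputs modelled on S3 API responses -----------------
OWNER_GRANT = {
    "Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
    "Permission": "FULL_CONTROL",
}
EVERYONE_GRANT = {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}
SAMPLE_PUBLIC_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [OWNER_GRANT, EVERYONE_GRANT]}
SAMPLE_FIXED_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [OWNER_GRANT]}

# Typical CloudTrail delivery statement: a service principal, not "*".
CLOUDTRAIL_WRITE = {
    "Sid": "AWSCloudTrailWrite",
    "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-cloudtrail-bucket/AWSLogs/123456789012/*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
}
# A Deny with Principal "*" is not public access and must not be flagged.
DENY_INSECURE = {
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-cloudtrail-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}
PUBLIC_READ = {
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-cloudtrail-bucket/*",
}
SAMPLE_PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [PUBLIC_READ, CLOUDTRAIL_WRITE]}
SAMPLE_FIXED_POLICY = {"Version": "2012-10-17", "Statement": [CLOUDTRAIL_WRITE, DENY_INSECURE]}

if __name__ == "__main__":
    for label, acl, pol in [("before", SAMPLE_PUBLIC_ACL, SAMPLE_PUBLIC_POLICY),
                            ("after", SAMPLE_FIXED_ACL, SAMPLE_FIXED_POLICY)]:
        print(label, "public:", bucket_is_public(acl, pol),
              "grants:", [g["Grantee"]["URI"] for g in public_acl_grants(acl)],
              "statements:", [s["Sid"] for s in public_policy_statements(pol)])
```

To run this against a real bucket, feed it `s3.get_bucket_acl(Bucket=name)` and `s3.get_bucket_policy(Bucket=name)["Policy"]` from a boto3 S3 client; get_bucket_policy raises a NoSuchBucketPolicy error when the bucket has no policy, which for this check simply means there are no policy statements to evaluate. The "after" documents show what the bucket should look like once steps 6 and 9 are complete: only the owner grant in the ACL, and only the CloudTrail service principal (plus any Deny statements) in the policy.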

Default value

By default, S3 buckets are not publicly accessible.
