Object-level logging should be enabled for S3 bucket write events
Description
S3 object-level API write event operations, such as GetObject
, DeleteObject
, and PutObject
, are considered data events and are not logged by default in CloudTrail. Enabling object-level logging for S3 buckets is recommended to capture these events for better compliance, security analysis, and monitoring of user activity patterns within your AWS account.
To satisfy this check, a multi-region CloudTrail should be created using either Advanced or Basic Field Selectors.
Advanced Field Selectors:
```
{
"field": "eventCategory",
"equals": ["Data"]
},
{
"field": "resources.type",
"equals": ["AWS::S3::Object"]
},
{
"field": "readOnly",
"equals": ["false"]
},
```
Basic Field Selectors:
{ "type": "AWS::S3::Object", "values": ["arn:aws:s3"] }, { "read_write_type": "writeOnly" (or `all`) }
Additional fields such as eventType
should not be used, as these will filter the scope of logging. For instructions on enabling object-level logging for S3 buckets in CloudTrail, refer to the AWS CloudTrail User Guide on Logging Data Events.