Object-level logging should be enabled for S3 bucket write events

cloudtrail

Description

S3 object-level API write event operations, such as GetObject, DeleteObject, and PutObject, are considered data events and are not logged by default in CloudTrail. Enabling object-level logging for S3 buckets is recommended to capture these events for better compliance, security analysis, and monitoring of user activity patterns within your AWS account.

Remediation

To satisfy this check, a multi-region CloudTrail should be created using either Advanced or Basic Field Selectors.

Advanced Field Selectors:

```
{
    "field": "eventCategory",
    "equals": ["Data"]
},
{
    "field": "resources.type",
    "equals": ["AWS::S3::Object"]
},
{
    "field": "readOnly",
    "equals": ["false"]
},
```

Basic Field Selectors: { "type": "AWS::S3::Object", "values": ["arn:aws:s3"] }, { "read_write_type": "writeOnly" (or `all`) }

Additional fields such as eventType should not be used, as these will filter the scope of logging. For instructions on enabling object-level logging for S3 buckets in CloudTrail, refer to the AWS CloudTrail User Guide on Logging Data Events.