S3 server access logging is disabled Affecting S3 service in AWS

Severity Framework Snyk CCSS

Rule category Logging / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CIS-Controls HIPAA NIST-800-53

Snyk ID SNYK-CC-00021
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Enabling server access logging provides detailed records for the requests that are made to a S3 bucket. This information is useful for security and compliance auditing purposes.

How to fix?

For AWS provider < v4.0.0, add logging block attribute. For AWS provider >= v4.0.0, add aws_s3_bucket_logging resource.

Example Configuration

# < v4.0.0
resource "aws_s3_bucket" "validbucket1" {
  bucket = "valid-bucket1"
  acl    = "private"

  logging {
    target_bucket = "${aws_s3_bucket.logbucket.id}"
    target_prefix = "log/"
  }
}

# >= v4.0.0
resource "aws_s3_bucket" "bucket1" {
  force_destroy = true
}

resource "aws_s3_bucket_acl" "acl1" {
  bucket = aws_s3_bucket.bucket1.id
  acl    = "log-delivery-write"
}

resource "aws_s3_bucket_logging" "logging1" {
  bucket        = aws_s3_bucket.bucket1.id
  target_bucket = aws_s3_bucket.bucket1.id
  target_prefix = "log/"
}

References

Logging requests using server access logging