S3 server access logging is disabled Affecting S3 service in AWS

    Severity Framework Snyk CCSS
    Rule category Logging / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    AWS-Well-Architected CIS-Controls HIPAA NIST-800-53
  • Snyk ID SNYK-CC-00021
  • credit Snyk Research Team


Enabling server access logging provides detailed records for the requests that are made to a S3 bucket. This information is useful for security and compliance auditing purposes.

How to fix?

For AWS provider < v4.0.0, add logging block attribute. For AWS provider >= v4.0.0, add aws_s3_bucket_logging resource.

Example Configuration

# < v4.0.0
resource "aws_s3_bucket" "validbucket1" {
  bucket = "valid-bucket1"
  acl    = "private"

  logging {
    target_bucket = "${aws_s3_bucket.logbucket.id}"
    target_prefix = "log/"

# >= v4.0.0
resource "aws_s3_bucket" "bucket1" {
  force_destroy = true

resource "aws_s3_bucket_acl" "acl1" {
  bucket = aws_s3_bucket.bucket1.id
  acl    = "log-delivery-write"

resource "aws_s3_bucket_logging" "logging1" {
  bucket        = aws_s3_bucket.bucket1.id
  target_bucket = aws_s3_bucket.bucket1.id
  target_prefix = "log/"