Severity framework: Snyk CCSS
Rule category: Logging / Audit
Frameworks
AWS-Well-Architected
CIS-AWS
CIS-Controls
CSA-CCM
HIPAA
NIST-800-53
PCI-DSS
- Snyk ID: SNYK-CC-00109
- Credit: Snyk Research Team
Description
Bucket access logging tracks access requests to the S3 bucket storing CloudTrail log data and can be useful in security and incident response workflows.
How to fix?
Configure the aws_s3_bucket logging block to specify a target_bucket that will receive the access log objects.
For detailed instructions, see below:
- Find the S3 bucket used for CloudTrail logging by cross-referencing the s3_bucket_name field of the aws_cloudtrail resource with the bucket field of the aws_s3_bucket resource.
- Ensure that this aws_s3_bucket has a logging block that specifies a target_bucket to receive the log objects and, optionally, a target_prefix.
Example Configuration
resource "aws_s3_bucket" "cloudtrail_bucket" {
  bucket = "cloudtrail-bucket"

  # Server access logs for this bucket are delivered to log_bucket under the log/ prefix
  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log/"
  }

  # other required fields here
}
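The two-step check described above (resolve the trail's bucket, then verify that bucket has an access-log target), written as a small detector; this is an added example, not Snyk's rule engine. It reads Terraform JSON syntax (*.tf.json) from a constructed sample, and goes slightly beyond the rule text by also accepting the standalone aws_s3_bucket_logging resource that AWS provider 4.x uses in place of the inline logging block.

```python
import json
import re

# Constructed sample in Terraform JSON syntax (*.tf.json); all names are hypothetical.
SAMPLE_TF_JSON = json.dumps({"resource": {
    "aws_cloudtrail": {
        "main":   {"name": "main",   "s3_bucket_name": "${aws_s3_bucket.trail.id}"},
        "legacy": {"name": "legacy", "s3_bucket_name": "legacy-trail-bucket"},
        "v4":     {"name": "v4",     "s3_bucket_name": "${aws_s3_bucket.v4.id}"},
    },
    "aws_s3_bucket": {
        "trail": {"bucket": "trail-bucket",
                  "logging": {"target_bucket": "${aws_s3_bucket.logs.id}", "target_prefix": "log/"}},
        "old":   {"bucket": "legacy-trail-bucket"},        # no access logging at all
        "v4":    {"bucket": "v4-trail-bucket"},            # logged via standalone resource below
        "logs":  {"bucket": "access-logs-bucket"},
    },
    "aws_s3_bucket_logging": {
        "v4": {"bucket": "${aws_s3_bucket.v4.id}", "target_bucket": "${aws_s3_bucket.logs.id}"},
    },
}})

# Matches a reference to an aws_s3_bucket resource, e.g. "${aws_s3_bucket.trail.id}"
REF = re.compile(r"^\$?\{?\s*aws_s3_bucket\.([A-Za-z0-9_-]+)\.(?:id|bucket)\s*\}?$")

def resolve_bucket(value, buckets):
    """Map an s3_bucket_name value (reference or literal name) to the aws_s3_bucket label, or None."""
    m = REF.match(value)
    if m:
        return m.group(1) if m.group(1) in buckets else None
    return next((label for label, body in buckets.items() if body.get("bucket") == value), None)

def has_access_logging(label, body, logging_resources):
    """True if the bucket has an inline logging block or a standalone aws_s3_bucket_logging pointing at it."""
    inline = body.get("logging")
    if isinstance(inline, list):          # tf.json may encode nested blocks as arrays
        inline = inline[0] if inline else None
    if isinstance(inline, dict) and inline.get("target_bucket"):
        return True
    return any(resolve_bucket(lr.get("bucket", ""), {label: body}) == label and lr.get("target_bucket")
               for lr in logging_resources.values())

def find_unlogged_cloudtrail_buckets(tf_json):
    """Return (trail_label, bucket_label) pairs where the CloudTrail bucket lacks access logging.
    bucket_label is None when the trail's bucket is not managed in this configuration."""
    res = json.loads(tf_json).get("resource", {})
    buckets, logging_res = res.get("aws_s3_bucket", {}), res.get("aws_s3_bucket_logging", {})
    findings = []
    for trail_label, trail in res.get("aws_cloudtrail", {}).items():
        label = resolve_bucket(trail.get("s3_bucket_name", ""), buckets)
        if label is None or not has_access_logging(label, buckets[label], logging_res):
            findings.append((trail_label, label))
    return findings
```

Running it on the sample flags only the "legacy" trail, whose bucket "old" has neither an inline logging block nor an aws_s3_bucket_logging resource.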