CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
Bucket access logging tracks access requests to the S3 bucket storing CloudTrail log data and can be useful in security and incident response workflows.
Configure the aws_s3_bucket logging block to specify a target_bucket to receive access log objects.
For detailed instructions, see below:
Configure a logging block that specifies a target_bucket that will receive the log objects and, optionally, a target_prefix.
Example configuration:
resource "aws_s3_bucket" "cloudtrail_bucket" {
  bucket = "cloudtrail-bucket"

  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log/"
  }

  # other required fields here
}
Configure the AWS::CloudTrail::Trail LoggingConfiguration block to specify a DestinationBucketName to receive access log objects.
For detailed instructions, see below:
Configure a LoggingConfiguration block that specifies a DestinationBucketName that will receive the log objects and, optionally, a LogFilePrefix.
JSON example configuration (other required fields omitted):
{
  "Type": "AWS::S3::Bucket",
  "Properties": {
    "LoggingConfiguration": {
      "DestinationBucketName": {
        "Ref": "LoggingBucket"
      },
      "LogFilePrefix": "testing-logs"
    }
  }
}
YAML example configuration:
Type: AWS::S3::Bucket
Properties:
  LoggingConfiguration:
    DestinationBucketName: !Ref LoggingBucket
    LogFilePrefix: testing-logs
  # other required fields here
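The check this rule describes can be run over a CloudFormation template before deployment. The following is an added example, not code from the original page or from any scanner: the template and its logical IDs (TrailBucketA, TrailBucketB, TrailA, TrailB) are constructed sample input, and the function name is hypothetical. It assumes the trail references its bucket with Ref; literal bucket names cannot be resolved statically and are skipped.

```python
import json

# Constructed CloudFormation template (sample input, not from the page):
# TrailBucketA has access logging configured, TrailBucketB does not.
TEMPLATE = json.loads("""
{
  "Resources": {
    "LoggingBucket": {"Type": "AWS::S3::Bucket"},
    "TrailBucketA": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "LoggingConfiguration": {
          "DestinationBucketName": {"Ref": "LoggingBucket"},
          "LogFilePrefix": "testing-logs"
        }
      }
    },
    "TrailBucketB": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "TrailA": {"Type": "AWS::CloudTrail::Trail",
               "Properties": {"S3BucketName": {"Ref": "TrailBucketA"}, "IsLogging": true}},
    "TrailB": {"Type": "AWS::CloudTrail::Trail",
               "Properties": {"S3BucketName": {"Ref": "TrailBucketB"}, "IsLogging": true}}
  }
}
""")

def trail_buckets_without_access_logging(template):
    """Return sorted logical IDs of buckets that store CloudTrail logs but
    have no LoggingConfiguration.DestinationBucketName."""
    resources = template.get("Resources", {})
    findings = set()
    for res in resources.values():
        if res.get("Type") != "AWS::CloudTrail::Trail":
            continue
        target = (res.get("Properties") or {}).get("S3BucketName")
        # Only a {"Ref": ...} to a bucket defined in this template is resolvable.
        if not isinstance(target, dict) or "Ref" not in target:
            continue
        bucket = resources.get(target["Ref"], {})
        if bucket.get("Type") != "AWS::S3::Bucket":
            continue
        cfg = (bucket.get("Properties") or {}).get("LoggingConfiguration") or {}
        if not cfg.get("DestinationBucketName"):
            findings.add(target["Ref"])
    return sorted(findings)

if __name__ == "__main__":
    print(trail_buckets_without_access_logging(TEMPLATE))
```

Buckets that no trail references, such as LoggingBucket here, are out of scope for this rule and are not reported.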