S3 bucket access logging is not enabled on S3 buckets that store CloudTrail log files
Affecting S3 service in AWS

    Severity Framework Snyk CCSS
    Rule category Logging / Audit

    AWS-Well-Architected CIS-AWS CIS-Controls CSA-CCM HIPAA NIST-800-53 PCI-DSS
  • Snyk ID SNYK-CC-00109
  • credit Snyk Research Team


Bucket access logging tracks access requests to the S3 bucket storing CloudTrail log data and can be useful in security and incident response workflows.

How to fix?

Configure the aws_s3_bucket logging block to specify a target_bucket to receive access log objects.

For detailed instructions, see below:

Example Configuration

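# Bucket that receives CloudTrail log files
resource "aws_s3_bucket" "cloudtrail_bucket" {
  bucket = "cloudtrail-bucket"
  # Deliver server access logs to a separate bucket
  # (aws_s3_bucket.log_bucket is defined elsewhere in the configuration)
  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log/"
  }
  # other required fields here
}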
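
The check this rule describes, as an added example (not Snyk's own code): it scans state in the JSON shape produced by terraform show -json and reports buckets referenced by aws_cloudtrail resources that have neither an inline logging block nor a matching aws_s3_bucket_logging resource, the separate resource AWS provider v4 and later use for this setting. The sample state, bucket names and function names are constructed for illustration.

```python
# Constructed sample in the shape of `terraform show -json` state output.
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [
        {"type": "aws_cloudtrail", "name": "a",
         "values": {"s3_bucket_name": "trail-inline"}},
        {"type": "aws_s3_bucket", "name": "inline",
         "values": {"bucket": "trail-inline",
                    "logging": [{"target_bucket": "access-logs",
                                 "target_prefix": "log/"}]}},
        {"type": "aws_cloudtrail", "name": "b",
         "values": {"s3_bucket_name": "trail-nolog"}},
        {"type": "aws_s3_bucket", "name": "nolog",
         "values": {"bucket": "trail-nolog", "logging": []}},
    ],
    "child_modules": [{"resources": [
        {"type": "aws_cloudtrail", "name": "c",
         "values": {"s3_bucket_name": "trail-split"}},
        {"type": "aws_s3_bucket", "name": "split",
         "values": {"bucket": "trail-split", "logging": []}},
        {"type": "aws_s3_bucket_logging", "name": "split",
         "values": {"bucket": "trail-split",
                    "target_bucket": "access-logs",
                    "target_prefix": "log/"}},
    ]}],
}}}

def walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def unlogged_cloudtrail_buckets(state):
    """Return CloudTrail destination buckets with no access logging in this state.

    A bucket managed outside this state is also reported, because its
    logging configuration cannot be confirmed from the state alone.
    """
    resources = list(walk(state.get("values", {}).get("root_module", {})))
    trail_buckets, logged = set(), set()
    for r in resources:
        v = r.get("values") or {}
        if r["type"] == "aws_cloudtrail" and v.get("s3_bucket_name"):
            trail_buckets.add(v["s3_bucket_name"])
        elif r["type"] == "aws_s3_bucket":
            # Inline form: logging is a list of blocks, empty when unset.
            if any(b.get("target_bucket") for b in v.get("logging") or []):
                logged.add(v.get("bucket"))
        elif r["type"] == "aws_s3_bucket_logging" and v.get("target_bucket"):
            logged.add(v.get("bucket"))
    return sorted(trail_buckets - logged)
```

Calling unlogged_cloudtrail_buckets on the parsed output of terraform show -json returns the bucket names that need the fix above.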