CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00111
- creditSnyk Research Team
Description
Object-level S3 events (GetObject, DeleteObject, and PutObject) are not logged by default, though this is recommended from a security best practices perspective for buckets that contain sensitive data.
How to fix?
Configure the aws_cloudtrail event_selector block with appropriate settings.
The event_selector block should contain:
- A data_resource block with
typeset toAWS::S3::Objectandvaluesset to either the ARN for the aws_s3_bucket, orarn:aws:s3:::to apply to all buckets - read_write_type set to
AllorWriteOnly
Example configuration
resource "aws_s3_bucket" "bucket1" {
# other required fields here
}
resource "aws_s3_bucket" "logged_bucket1" {
# other required fields here
}
resource "aws_cloudtrail" "read_write_type_all" {
name = "read_write_type_all"
s3_bucket_name = "${aws_s3_bucket.ct_bucket1.id}"
event_selector {
read_write_type = "All"
data_resource {
type = "AWS::S3::Object"
values = ["${aws_s3_bucket.ct_bucket1.arn}/", "${aws_s3_bucket.logged_bucket1.arn}/"]
}
}
}
Configure the AWS::CloudTrail::Trail EventSelector block with appropriate settings.
The EventSelector block should contain:
- A DataResource block with
Typeset toAWS::S3::ObjectandValuesset to the ARN for the AWS::S3::Bucket - ReadWriteType set to
AllorWriteOnly
Example configuration
Type: AWS::CloudTrail::Trail
Properties:
EventSelectors:
- DataResources:
- Type: AWS::S3::Object
Values:
- !Sub "arn:${AWS::Partition}:s3:::"
ReadWriteType: WriteOnly
# other required fields here