S3 bucket object-level logging for write events is disabled Affecting S3 service in AWS

    Severity Framework Snyk CCSS
    Rule category Logging / Configuration

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    AWS-Well-Architected CIS-AWS CIS-Controls HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00111
  • credit Snyk Research Team


Object-level S3 events (GetObject, DeleteObject, and PutObject) are not logged by default, though this is recommended from a security best practices perspective for buckets that contain sensitive data.

How to fix?

Configure the aws_cloudtrail event_selector block with appropriate settings.

The event_selector block should contain:

Example configuration

resource "aws_s3_bucket" "bucket1" {
  # other required fields here

resource "aws_s3_bucket" "logged_bucket1" {
  # other required fields here

resource "aws_cloudtrail" "read_write_type_all" {
  name = "read_write_type_all"
  s3_bucket_name = "${aws_s3_bucket.ct_bucket1.id}"

  event_selector {
    read_write_type = "All"

    data_resource {
      type = "AWS::S3::Object"
      values = ["${aws_s3_bucket.ct_bucket1.arn}/", "${aws_s3_bucket.logged_bucket1.arn}/"]