Severity Framework
Snyk CCSS
Rule category
Logging / Configuration
Frameworks
AWS-Well-Architected
CIS-AWS
CIS-Controls
HIPAA
ISO-27001
NIST-800-53
PCI-DSS
SOC-2
- Snyk ID SNYK-CC-00111
- credit Snyk Research Team
Description
Object-level S3 data events (GetObject, DeleteObject and PutObject) are not logged by default: a CloudTrail trail records only management (control-plane) events unless a data-event selector is configured. Logging them is recommended as a security best practice for buckets that contain sensitive data, so that reads of and changes to individual objects can be audited and investigated.
How to fix?
Configure an event_selector block on the aws_cloudtrail resource. The event_selector block should contain:
- a data_resource block with type set to AWS::S3::Object and values set either to the ARN of the aws_s3_bucket (followed by a slash, as in the example below, so that the prefix matches the objects inside that bucket) or to arn:aws:s3::: to apply to all buckets in the account
- read_write_type set to All or WriteOnly
ReadOnly does not satisfy the rule, because PutObject and DeleteObject calls would go unlogged. WriteOnly satisfies it but records no GetObject calls, so use All where reads of sensitive data must also be auditable. Data events are billed and stored separately from management events, so scope values to the buckets that actually hold sensitive data rather than logging every bucket unless that is intended.
Example configuration
resource "aws_s3_bucket" "ct_bucket1" {
  # Destination bucket that the trail writes its log files to
  # other required fields here
}
resource "aws_s3_bucket" "logged_bucket1" {
  # Bucket holding sensitive data whose object-level events should be logged
  # other required fields here
}
resource "aws_cloudtrail" "read_write_type_all" {
  name           = "read_write_type_all"
  s3_bucket_name = aws_s3_bucket.ct_bucket1.id
  event_selector {
    # "WriteOnly" would also satisfy the rule; "ReadOnly" would not
    read_write_type = "All"
    data_resource {
      type = "AWS::S3::Object"
      # The trailing "/" scopes each ARN prefix to the objects in that bucket.
      # Including the trail's own destination bucket (ct_bucket1) means every
      # log-file delivery is itself recorded as a PutObject data event.
      values = [
        "${aws_s3_bucket.ct_bucket1.arn}/",
        "${aws_s3_bucket.logged_bucket1.arn}/",
      ]
    }
  }
}
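The check behind this rule, written out as an added Python example (it is not Snyk's rule engine and not code from this page). It reads aws_cloudtrail resources in the shape that terraform show -json emits for a plan (nested blocks such as event_selector and data_resource appear as lists of maps under a resource's values), reports trails with no S3 object-level write logging, and answers whether a given bucket is covered by a trail's ARN-prefix values. The sample plan, the bucket names and the resource addresses in it are constructed for the example; only the classic event_selector block is inspected, so a trail that relies solely on advanced_event_selector would be reported as non-compliant by this script.

```python
"""Added example: does an aws_cloudtrail resource log S3 object-level data events?

Input is the resource `values` map as emitted by `terraform show -json` for a plan.
Only the classic event_selector block is inspected; a trail configured solely via
advanced_event_selector is reported as non-compliant here (a known gap of this script).
"""
from __future__ import annotations

ALL_BUCKETS = "arn:aws:s3:::"              # CloudTrail treats this prefix as "every bucket"
ACCEPTED_READ_WRITE = {"All", "WriteOnly"}  # the rule requires writes; reads are optional


def s3_object_selectors(trail_values: dict) -> list[dict]:
    """Collect (read_write_type, values) for every data_resource of type AWS::S3::Object."""
    found = []
    for selector in trail_values.get("event_selector") or []:
        # Terraform defaults read_write_type to "All" when it is omitted.
        rw_type = selector.get("read_write_type") or "All"
        for resource in selector.get("data_resource") or []:
            if resource.get("type") == "AWS::S3::Object":
                found.append({"read_write_type": rw_type,
                              "values": list(resource.get("values") or [])})
    return found


def trail_logs_s3_writes(trail_values: dict) -> bool:
    """The rule proper: at least one S3 object data_resource under All or WriteOnly."""
    return any(sel["read_write_type"] in ACCEPTED_READ_WRITE and sel["values"]
               for sel in s3_object_selectors(trail_values))


def bucket_covered(trail_values: dict, bucket_arn: str) -> bool:
    """True if writes to objects in bucket_arn are captured by this trail.

    CloudTrail matches data_resource values as ARN prefixes: "arn:aws:s3:::my-bucket/"
    covers every object in my-bucket, while "arn:aws:s3:::my-bucket" (no slash) would
    also cover a bucket named my-bucket-archive.
    """
    target = bucket_arn.rstrip("/") + "/"
    for sel in s3_object_selectors(trail_values):
        if sel["read_write_type"] not in ACCEPTED_READ_WRITE:
            continue
        if any(target.startswith(prefix) for prefix in sel["values"]):
            return True
    return False


def cloudtrail_resources(plan: dict) -> dict[str, dict]:
    """Map resource address -> values for every aws_cloudtrail in the plan's root module."""
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    return {r["address"]: r.get("values", {})
            for r in resources if r.get("type") == "aws_cloudtrail"}


def find_noncompliant_trails(plan: dict) -> list[str]:
    """Addresses of trails that do not log S3 object-level write events."""
    return sorted(addr for addr, vals in cloudtrail_resources(plan).items()
                  if not trail_logs_s3_writes(vals))


# Constructed sample plan (not real terraform output) with four trails; two fail the rule.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_cloudtrail.read_write_type_all", "type": "aws_cloudtrail",
     "values": {"name": "read_write_type_all", "event_selector": [
         {"read_write_type": "All", "data_resource": [
             {"type": "AWS::S3::Object",
              "values": ["arn:aws:s3:::ct-bucket1/", "arn:aws:s3:::logged-bucket1/"]}]}]}},
    {"address": "aws_cloudtrail.all_buckets", "type": "aws_cloudtrail",
     "values": {"name": "all_buckets", "event_selector": [
         {"read_write_type": "WriteOnly", "data_resource": [
             {"type": "AWS::S3::Object", "values": [ALL_BUCKETS]}]}]}},
    {"address": "aws_cloudtrail.read_only", "type": "aws_cloudtrail",
     "values": {"name": "read_only", "event_selector": [
         {"read_write_type": "ReadOnly", "data_resource": [
             {"type": "AWS::S3::Object", "values": [ALL_BUCKETS]}]}]}},
    {"address": "aws_cloudtrail.management_only", "type": "aws_cloudtrail",
     "values": {"name": "management_only", "event_selector": [
         {"read_write_type": "All", "include_management_events": True}]}},
]}}}

if __name__ == "__main__":
    for address in find_noncompliant_trails(SAMPLE_PLAN):
        print(f"{address}: no S3 object-level write events logged (SNYK-CC-00111)")
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and load that file in place of SAMPLE_PLAN. The read_only trail is flagged even though it names every bucket, because ReadOnly drops PutObject and DeleteObject; the management_only trail is flagged because it has no data_resource at all.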