CloudWatch log metric filter and alarm are not set for S3 bucket policy changes Affecting CloudWatch service in AWS
Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Monitoring/ Accounts Monitoring
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
AWS-Well-ArchitectedCIS-AWSCIS-ControlsHIPAAISO-27001PCI-DSS
- Snyk IDSNYK-CC-00154
- creditSnyk Research Team
Description
Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.
How to fix?
Create an aws_cloudwatch_log_metric_filter and aws_cloudwatch_metric_alarm with an appropriate pattern attribute set for an aws_cloudwatch_log_group and aws_cloudtrail set of resources.
Use the following pattern attribute set:
$.eventSource=s3.amazonaws.com
$.eventName=PutBucketAcl
$.eventName=PutBucketPolicy
$.eventName=PutBucketCors
$.eventName=PutBucketLifecycle
$.eventName=PutBucketReplication
$.eventName=DeleteBucketPolicy
$.eventName=DeleteBucketCors
$.eventName=DeleteBucketLifecycle
$.eventName=DeleteBucketReplication