CloudWatch log metric filter and alarm are not set for S3 bucket policy changes Affecting CloudWatch service in AWS
Severity Framework
Snyk CCSS
Rule category
Monitoring / Accounts Monitoring
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
AWS-Well-Architected
CIS-AWS
CIS-Controls
HIPAA
ISO-27001
PCI-DSS
- Snyk ID SNYK-CC-00154
- credit Snyk Research Team
Description
Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets.
How to fix?
Create an aws_cloudwatch_log_metric_filter and aws_cloudwatch_metric_alarm with an appropriate pattern attribute set for an aws_cloudwatch_log_group and aws_cloudtrail set of resources.
Use the following pattern attribute set:
$.eventSource=s3.amazonaws.com
$.eventName=PutBucketAcl
$.eventName=PutBucketPolicy
$.eventName=PutBucketCors
$.eventName=PutBucketLifecycle
$.eventName=PutBucketReplication
$.eventName=DeleteBucketPolicy
$.eventName=DeleteBucketCors
$.eventName=DeleteBucketLifecycle
$.eventName=DeleteBucketReplication