Severity Framework
Snyk CCSS
Rule category
Logging / Configuration
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
AWS-Well-Architected
CIS-AWS
CIS-Controls
HIPAA
ISO-27001
NIST-800-53
PCI-DSS
SOC-2
- Snyk ID SNYK-CC-00175
- credit Snyk Research Team
Description
Object-level S3 events (GetObject, DeleteObject, and PutObject) are not logged by default, though this is recommended from a security best practices perspective for buckets that contain sensitive data.
How to fix?
Configure the aws_cloudtrail
event_selector
block with appropriate settings.
The event_selector
block should contain:
- A data_resource block with
type
set toAWS::S3::Object
andvalues
set to either the ARN for the aws_s3_bucket, orarn:aws:s3:::
to apply to all buckets. - read_write_type set to
All
orReadOnly
.
Example Configuration
resource "aws_s3_bucket" "bucket1" {
# other required fields here
}
resource "aws_s3_bucket" "logged_bucket1" {
# other required fields here
}
resource "aws_cloudtrail" "read_write_type_all" {
name = "read_write_type_all"
s3_bucket_name = "${aws_s3_bucket.ct_bucket1.id}"
event_selector {
read_write_type = "All"
data_resource {
type = "AWS::S3::Object"
values = ["${aws_s3_bucket.ct_bucket1.arn}/", "${aws_s3_bucket.logged_bucket1.arn}/"]
}
}
}