S3 bucket object-level logging for read events is disabled Affecting S3 service in AWS

Configure the aws_cloudtrail event_selector block with appropriate settings.

The event_selector block should contain:

• A data_resource block with type set to AWS::S3::Object and values set to either the ARN for the aws_s3_bucket, or arn:aws:s3::: to apply to all buckets.
• read_write_type set to All or ReadOnly.

Example configuration:

resource "aws_s3_bucket" "bucket1" {
  # other required fields here
}
resource "aws_s3_bucket" "logged_bucket1" {
  # other required fields here
}
resource "aws_cloudtrail" "read_write_type_all" {
  name = "read_write_type_all"
  s3_bucket_name = "${aws_s3_bucket.ct_bucket1.id}"
  event_selector {
    read_write_type = "All"
    data_resource {
      type = "AWS::S3::Object"
      values = ["${aws_s3_bucket.ct_bucket1.arn}/", "${aws_s3_bucket.logged_bucket1.arn}/"]
    }
  }
}

Configure the AWS::CloudTrail::Trail EventSelector block with appropriate settings.

The EventSelector block should contain:

• A DataResource block with Type set to AWS::S3::Object and Values set to the ARN for the AWS::S3::Bucket
• ReadWriteType set to All or ReadOnly

Example configuration:

JSON example configuration:

{
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "EventSelectors": [
      {
        "DataResources": [
          {
            "Type": "AWS::S3::Object",
            "Values": [
              {
                "Fn::Sub": "arn:${AWS::Partition}:s3:::"
              }
            ]
          }
        ],
        "ReadWriteType": "ReadOnly",
      }
    ]
  }
  # other required fields here
}

YAML example configuration:

Type: AWS::CloudTrail::Trail
Properties:
  EventSelectors:
    - DataResources:
        - Type: AWS::S3::Object
          Values:
            - !Sub "arn:${AWS::Partition}:s3:::"
      ReadWriteType: ReadOnly
# other required fields here