S3 bucket object-level logging for read events is disabled Affecting S3 service in AWS


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Logging / Configuration

Frameworks: AWS-Well-Architected, CIS-AWS, CIS-Controls, HIPAA, ISO-27001, NIST-800-53, PCI-DSS, SOC-2
  • Snyk ID: SNYK-CC-00175
  • Credit: Snyk Research Team

Description

Object-level S3 events (GetObject, DeleteObject, and PutObject) are not logged by default. Logging them is recommended from a security best-practices perspective for buckets that contain sensitive data, because without these data events a trail shows who changed the bucket but not who read or modified its objects.

How to fix?

Configure the aws_cloudtrail event_selector block with appropriate settings.

The event_selector block should contain:

Example Configuration

resource "aws_s3_bucket" "ct_bucket1" {
  # Bucket that receives the CloudTrail log files; other required fields here
}
resource "aws_s3_bucket" "logged_bucket1" {
  # Bucket whose object-level (data) events should be recorded; other required fields here
}
resource "aws_cloudtrail" "read_write_type_all" {
  name           = "read_write_type_all"
  s3_bucket_name = aws_s3_bucket.ct_bucket1.id
  event_selector {
    # "All" records both read (GetObject) and write (PutObject, DeleteObject)
    # data events; "WriteOnly" would leave read events unlogged
    read_write_type = "All"
    data_resource {
      type = "AWS::S3::Object"
      # A trailing "/" selects every object in the bucket; append a prefix to narrow it
      values = [
        "${aws_s3_bucket.ct_bucket1.arn}/",
        "${aws_s3_bucket.logged_bucket1.arn}/",
      ]
    }
  }
}
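To verify the fix after it is applied, a practitioner typically inspects the trail's event selectors rather than re-reading the Terraform. The following added example (it is not Snyk's code, nor part of the rule) evaluates the "EventSelectors" structure that `aws cloudtrail get-event-selectors` returns and reports which bucket ARNs still lack object-level read logging. It runs offline against constructed sample selectors; the helper names and the sample bucket names are assumptions for this illustration, and only basic event selectors are handled, not advanced event selectors.

```python
"""Offline check: do CloudTrail basic event selectors log S3 object-level reads?

Added example, not Snyk's or AWS's code. Input shape is the "EventSelectors"
list returned by `aws cloudtrail get-event-selectors`. The sample selectors
below are constructed for illustration; no AWS calls are made.
"""
from __future__ import annotations

S3_OBJECT_TYPE = "AWS::S3::Object"


def _value_covers_bucket(value: str, bucket_arn: str) -> bool:
    """True if a data-resource value covers every object in bucket_arn.

    CloudTrail accepts these forms for AWS::S3::Object values:
      "arn:aws:s3"                  -> all objects in all buckets
      "arn:aws:s3:::bucket/"        -> all objects in one bucket
      "arn:aws:s3:::bucket/prefix"  -> objects under one prefix only
    Only the first two count as full coverage of the bucket.
    """
    if value == "arn:aws:s3":
        return True
    return value == f"{bucket_arn}/"


def read_events_logged(event_selectors: list[dict], bucket_arn: str) -> bool:
    """Return True if some selector records object-level *read* events for bucket_arn."""
    for selector in event_selectors:
        # ReadWriteType defaults to "All" when omitted; "WriteOnly" never records GetObject
        if selector.get("ReadWriteType", "All") not in ("All", "ReadOnly"):
            continue
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != S3_OBJECT_TYPE:
                continue
            if any(_value_covers_bucket(v, bucket_arn) for v in resource.get("Values", [])):
                return True
    return False


def uncovered_buckets(event_selectors: list[dict], bucket_arns: list[str]) -> list[str]:
    """List the bucket ARNs for which read data events are not logged (the misconfiguration)."""
    return [arn for arn in bucket_arns if not read_events_logged(event_selectors, arn)]


# Constructed sample: a trail that logs management events and only write data
# events for one bucket, which is exactly the state this rule flags.
SAMPLE_SELECTORS = [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []},
    {
        "ReadWriteType": "WriteOnly",
        "IncludeManagementEvents": False,
        "DataResources": [
            {"Type": S3_OBJECT_TYPE, "Values": ["arn:aws:s3:::logged-bucket1/"]}
        ],
    },
]

# Constructed sample matching the Terraform fix above: read_write_type = "All"
FIXED_SELECTORS = [
    {
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [
            {"Type": S3_OBJECT_TYPE, "Values": ["arn:aws:s3:::logged-bucket1/"]}
        ],
    },
]

if __name__ == "__main__":
    buckets = ["arn:aws:s3:::logged-bucket1", "arn:aws:s3:::other-bucket"]
    print("before fix, uncovered:", uncovered_buckets(SAMPLE_SELECTORS, buckets))
    print("after fix, uncovered:", uncovered_buckets(FIXED_SELECTORS, buckets))
```

In practice the input would be the JSON from `aws cloudtrail get-event-selectors --trail-name <trail>`, and the check should be run once per trail in every region where the buckets live, since a selector on one trail does not cover buckets in a region that trail does not record.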