CCSS (Common Configuration Scoring System) is a set of measures used to score the severity of a rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, Network, etc.
Object-level S3 events (GetObject, DeleteObject, and PutObject) are not logged by default, although logging them is recommended from a security best practices perspective for buckets that contain sensitive data.
Configure the aws_cloudtrail event_selector block with appropriate settings. The event_selector block should contain:

- a data_resource block with type set to AWS::S3::Object and values set to either the ARN for the aws_s3_bucket, or arn:aws:s3::: to apply to all buckets;
- read_write_type set to All or ReadOnly.

Terraform example configuration (the trail references the bucket declared as bucket1; the original text referred to an undeclared ct_bucket1, which is corrected here):

resource "aws_s3_bucket" "bucket1" {
  # other required fields here
}

resource "aws_s3_bucket" "logged_bucket1" {
  # other required fields here
}

resource "aws_cloudtrail" "read_write_type_all" {
  name           = "read_write_type_all"
  # bucket that receives the trail's log files
  s3_bucket_name = aws_s3_bucket.bucket1.id

  event_selector {
    # "All" logs both read (GetObject) and write (PutObject, DeleteObject) events
    read_write_type = "All"

    data_resource {
      type = "AWS::S3::Object"
      # a bucket ARN followed by "/" selects every object in that bucket
      values = ["${aws_s3_bucket.bucket1.arn}/", "${aws_s3_bucket.logged_bucket1.arn}/"]
    }
  }
}
Configure the AWS::CloudTrail::Trail EventSelector block with appropriate settings. The EventSelector block should contain:

- a DataResources entry with Type set to AWS::S3::Object and Values set to the ARN for the AWS::S3::Bucket;
- ReadWriteType set to All or ReadOnly.
JSON example configuration:
{
  "Type": "AWS::CloudTrail::Trail",
  "Properties": {
    "EventSelectors": [
      {
        "DataResources": [
          {
            "Type": "AWS::S3::Object",
            "Values": [
              {
                "Fn::Sub": "arn:${AWS::Partition}:s3:::"
              }
            ]
          }
        ],
        "ReadWriteType": "ReadOnly"
      }
    ]
    # other required fields here
  }
}
YAML example configuration:
Type: AWS::CloudTrail::Trail
Properties:
  EventSelectors:
    - DataResources:
        - Type: AWS::S3::Object
          Values:
            - !Sub "arn:${AWS::Partition}:s3:::"
      ReadWriteType: ReadOnly
  # other required fields here