Skip to main content

How to Find AWS Regions Where CloudTrail Object-Level Logging for S3 Read Events Is Disabled

If logs are not enabled, monitoring of service use and threat analysis is not possible.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity low.

Prerequisites​

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions​

  1. Execute the following search command in Fix Inventory Shell:

    > search is(aws_region) with(empty, --> is(aws_cloud_trail) and trail_has_custom_event_selectors=true and trail_event_selectors[*].field_selectors.eventCategory.equals[*]=Data and trail_event_selectors[*].field_selectors.`resources.type`.equals[*]=AWS::S3::Object and trail_event_selectors[*].field_selectors.readOnly.equals[*]!="true")
    ​kind=aws_region, ..., region=fixinventory-poweruser
    ​kind=aws_region, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_region) with(empty, --> is(aws_cloud_trail) and trail_has_custom_event_selectors=true and trail_event_selectors[*].field_selectors.eventCategory.equals[*]=Data and trail_event_selectors[*].field_selectors.`resources.type`.equals[*]=AWS::S3::Object and trail_event_selectors[*].field_selectors.readOnly.equals[*]!="true") | dump
    ​reported:
    ​ id: /aws/cloudtrail/123
    ​ name: some-name
    ​ ctime: '2022-12-05T22:53:14Z'
    ​ kind: aws_region
    ​ age: 2mo28d

    The command output will list the details of all non-compliant aws_region resources.

Remediation​

  • Enable logs.
  • Create an S3 lifecycle policy.
  • Define use cases, metrics and automated responses where applicable.
note

Please refer to the AWS CloudTrail documentation for details.

Further Reading​