How to Find AWS CloudTrail Object-Level Logging for S3 bucket Read Events is Disabled

Problem

If logs are not enabled, monitoring of service use and threat analysis is not possible.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity low.

Prerequisites

This guide assumes that you have already installed and configured Resoto to collect your AWS cloud resources.

Directions

1. Execute the following search command in Resoto Shell or Resoto UI:

   > search is(aws_region) with(empty, --> is(aws_cloud_trail) and trail_has_custom_event_selectors=true and trail_event_selectors[*].field_selectors.eventCategory.equals[*]=Data and trail_event_selectors[*].field_selectors.`resources.type`.equals[*]=AWS::S3::Object and trail_event_selectors[*].field_selectors.readOnly.equals[*]!="true")
   ​kind=aws_region, ..., region=resoto-poweruser
   ​kind=aws_region, ..., account=poweruser-team

2. Pipe the search command into the dump command:

   > search is(aws_region) with(empty, --> is(aws_cloud_trail) and trail_has_custom_event_selectors=true and trail_event_selectors[*].field_selectors.eventCategory.equals[*]=Data and trail_event_selectors[*].field_selectors.`resources.type`.equals[*]=AWS::S3::Object and trail_event_selectors[*].field_selectors.readOnly.equals[*]!="true") | dump
   ​reported:
   ​  id: /aws/cloudtrail/123
   ​  name: some-name
   ​  ctime: '2022-12-05T22:53:14Z'
   ​  kind: aws_region
   ​  age: 2mo28d

   The command output will list the details of all non-compliant aws_region resources.

3. Fix detected issues by following the remediation steps:

   • Enable logs.
   • Create an S3 lifecycle policy.
   • Define use cases, metrics and automated responses where applicable.
   note

   Please refer to the AWS CloudTrail documentation for details.

Further Reading

• Search
• Command-Line Interface
• aws_region Resource Data Model

External Links

• CIS Amazon Web Services Benchmarks cisecurity.org
• AWS Documentation docs.aws.amazon.com