Overview
S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events, so it is recommended to enable object-level logging for S3 buckets.
Enabling object-level logging helps you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account, or take immediate action on any object-level API activity using Amazon CloudWatch Events.
Remediation guidance
From Console
- Open the Amazon S3 console.
- Choose the required bucket from the bucket list.
- Choose the Properties tab to see the bucket configuration in detail.
- Navigate to the AWS CloudTrail data events section to select the CloudTrail name for the recording activity.
- You can choose an existing CloudTrail or create a new one by navigating to the CloudTrail console link from S3.
- Once in the CloudTrail console, navigate to the Data events: S3 section.
- If the current status for Object-level logging is set to Disabled, then object-level logging of read events for the selected S3 bucket is not set.
- Select Edit to enable the Read event.
- You can choose to select All current and future S3 buckets or Individual bucket.
- Repeat steps 2 to 7 to enable object-level logging of read events for other S3 buckets.
From Command Line
- To enable object-level data events logging for S3 buckets within your AWS account, run the put-event-selectors command, using the name of the trail that you want to reconfigure as the identifier:
aws cloudtrail put-event-selectors --region <region-name> --trail-name <trail-name> --event-selectors '[{ "ReadWriteType": "ReadOnly", "IncludeManagementEvents":true, "DataResources": [{ "Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::<s3-bucket-name>/"] }] }]'
- The command output will be the object-level event trail configuration.
- If you want to enable it for all buckets at once, change the Values parameter to ["arn:aws:s3"] in the command given above.
- Repeat step 1 for each S3 bucket to update object-level logging of write events.
- Change the AWS region by updating the --region command parameter and perform the process for other regions.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Object-level logging for read events is enabled for S3 bucket
Connectors
Covered asset types
Expected check: eq []
{
  buckets(
    where: {
      OR: [
        { trailEventSelectorDataResources_ALL: { eventSelector: { NOT: { readWriteType_IN: ["All", "ReadOnly"] } } } }
        { trailEventSelectorDataResources_SOME: null }
      ]
    }
  ) {
    ...AssetFragment
  }
}
AWS
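As an added example (not the page's or the product's own code), the Python below applies the same logic as the stored check and the CLI step above to the EventSelectors list returned by aws cloudtrail get-event-selectors: a bucket passes when some selector has ReadWriteType All or ReadOnly and an AWS::S3::Object data resource that covers the whole bucket. The bucket names and selectors are constructed sample data, and trails that use advanced event selectors are not evaluated here.

```python
"""Offline evaluation of the control: are S3 object-level READ data events
recorded for a given bucket by a trail's basic event selectors?
Input has the shape of the "EventSelectors" list from get-event-selectors.
Trails configured with AdvancedEventSelectors are not covered by this check."""

READ_TYPES = {"All", "ReadOnly"}     # WriteOnly does not satisfy a read-events check
ALL_BUCKETS = "arn:aws:s3"          # value that selects all current and future buckets
S3_ARN_PREFIX = "arn:aws:s3:::"


def value_covers_bucket(value: str, bucket: str) -> bool:
    """True if a DataResources value logs every object in `bucket`."""
    if value == ALL_BUCKETS:
        return True
    if not value.startswith(S3_ARN_PREFIX):
        return False
    name, _, key_prefix = value[len(S3_ARN_PREFIX):].partition("/")
    # A key prefix ("arn:aws:s3:::bucket/logs/") logs only part of the bucket,
    # so it is treated as not covering the bucket for this control.
    return name == bucket and key_prefix == ""


def bucket_read_logging_enabled(event_selectors: list, bucket: str) -> bool:
    for selector in event_selectors:
        if selector.get("ReadWriteType") not in READ_TYPES:
            continue
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            if any(value_covers_bucket(v, bucket) for v in resource.get("Values", [])):
                return True
    return False


# Constructed sample shaped like get-event-selectors output; not real account data.
SAMPLE_SELECTORS = [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []},
    {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False,     # write-only: fails
     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::audit-logs-example/"]}]},
    {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,       # as set by the CLI step
     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::finance-reports-example/"]}]},
]

if __name__ == "__main__":
    for name in ("finance-reports-example", "audit-logs-example", "unlogged-example"):
        status = "PASS" if bucket_read_logging_enabled(SAMPLE_SELECTORS, name) else "FAIL"
        print(f"{name}: {status}")
```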