Cyscale
Back to controls

Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

Category

Controls

Low

Applies to

AWS

Coverage

1 queries

Asset types

1 covered

Overview

S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.

Rationale

By enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within an target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.

Remediation guidance

Perform the following to enable S3 bucket logging:

Via the Management Console

  1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.
  2. Under All Buckets click on the target S3 bucket
  3. Click on Properties in the top right of the console
  4. Under Bucket: <s3_bucket_for_cloudtrail> click on Logging
  5. Configure bucket logging
  • Click on Enabled checkbox
  • Select Target Bucket from list
  • Enter a Target Prefix
  1. Click Save

**Default Value: **

Logging is disabled.

References

  1. CCE-78918-0
  2. CIS CSC v6.0 #14.6

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

AWS

Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

S3 bucket access logging is enabled on the CloudTrail S3 bucket

Connectors

AWS

Covered asset types

Bucket

Expected check: eq []

{buckets(where:{trails_NOT: null, loggingEnabled:false}){...AssetFragment}}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon