How to Find AWS Regions Where CloudTrail Object-Level Logging for S3 Write Events Is Disabled
If logs are not enabled, monitoring of service use and threat analysis is not possible.
info
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity low.
Prerequisites
This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.
Directions
-
Execute the following
search
command in Fix Inventory Shell:> search is(aws_region) with(empty, --> is(aws_cloud_trail) and trail_has_custom_event_selectors=true and trail_event_selectors[*].field_selectors.eventCategory.equals[*]=Data and trail_event_selectors[*].field_selectors.`resources.type`.equals[*]=AWS::S3::Object and trail_event_selectors[*].field_selectors.readOnly.equals[*]!="false")
kind=aws_region, ..., region=fixinventory-poweruser
kind=aws_region, ..., account=poweruser-team -
Pipe the
search
command into thedump
command:> search is(aws_region) with(empty, --> is(aws_cloud_trail) and trail_has_custom_event_selectors=true and trail_event_selectors[*].field_selectors.eventCategory.equals[*]=Data and trail_event_selectors[*].field_selectors.`resources.type`.equals[*]=AWS::S3::Object and trail_event_selectors[*].field_selectors.readOnly.equals[*]!="false") | dump
reported:
id: /aws/cloudtrail/123
name: some-name
ctime: '2022-12-05T22:53:14Z'
kind: aws_region
age: 2mo28dThe command output will list the details of all non-compliant
aws_region
resources.
Remediation
- Enable logs.
- Create an S3 lifecycle policy.
- Define use cases, metrics and automated responses where applicable.
note
Please refer to the AWS CloudTrail documentation for details.