How do I ensure the S3 bucket CloudTrail logs to is not publicly accessible?
Go to the Amazon S3 console at https://console.aws.amazon.com/s3/home. Choose the bucket used to store CloudTrail logs and select the Permissions tab. Ensure Block public access is enabled for that bucket. Then open the Access control list, which shows the bucket ACL as a list of grants, one row per grant, and confirm that none of them grants access to a public group.
In order to ensure that public access to all your S3 buckets and objects is blocked, turn on block all public access at the account level. These settings apply account-wide for all current and future buckets.
Use server-side encryption with AWS KMS managed keys
To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files. To use SSE-KMS with CloudTrail, you create and manage an AWS KMS key, also known as a KMS key.
How can I secure my CloudTrail log files? By default, CloudTrail log files are encrypted using S3 server-side encryption (SSE) and placed into your S3 bucket. You can control access to log files by applying IAM or S3 bucket policies.
- Open the Amazon S3 console.
- Navigate to All Buckets and select the target S3 bucket.
- At the top right of the console, click Properties.
- Under Bucket: <s3_bucket_for_cloudtrail>, select Logging.
- Under Configure bucket logging, select Enabled.
To add the required CloudTrail policy to an Amazon S3 bucket
Open the Amazon S3 console at https://console.aws.amazon.com/s3/. Choose the bucket where you want CloudTrail to deliver your log files, and then choose Permissions. Choose Edit. Copy the S3 bucket policy into the Bucket Policy Editor window.
With Amazon S3 bucket policies, you can secure access to objects in your buckets, so that only users with the appropriate permissions can access them. You can even prevent authenticated users without the appropriate permissions from accessing your Amazon S3 resources.
- block_public_acls: Blocks new public ACLs and uploading public objects.
- block_public_policy: Blocks new public bucket policies.
- ignore_public_acls: Ignores all public ACLs on a bucket and any objects that it contains.
To make the objects in your bucket publicly readable, you must write a bucket policy that grants everyone s3:GetObject permission. After you edit S3 Block Public Access settings, you can add a bucket policy to grant public read access to your bucket.
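As an added check (example code written here, not from the page or from AWS), the logic below evaluates the three things the steps above inspect: the bucket ACL grants, the bucket policy, and the Public Access Block flags (the console's Block public access settings, which in the API also include restrict_public_buckets alongside the three listed). It assumes the policy JSON, the ACL grant list and the PublicAccessBlock flags have already been fetched (for example with the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock APIs), and the set of scoping condition keys is a simplified assumption.

```python
import json

# ACL grantee URIs that make a grant public (AllUsers) or open to every AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# Assumption: a simplified subset of the condition keys that scope a "*" principal to a non-public audience.
SCOPING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
                "aws:principalaccount", "aws:principalorgid"}

def _wildcard_principal(p):
    aws = p.get("AWS", []) if isinstance(p, dict) else p
    return "*" in (aws if isinstance(aws, list) else [aws])

def public_policy_statements(policy_json):
    """Sids of Allow statements that grant to everyone without a scoping condition."""
    hits = []
    for i, s in enumerate(json.loads(policy_json)["Statement"]):
        if s.get("Effect") != "Allow" or not _wildcard_principal(s.get("Principal", {})):
            continue
        keys = {k.lower() for op in s.get("Condition", {}).values() for k in op}
        if not keys & SCOPING_KEYS:
            hits.append(s.get("Sid", f"#{i}"))
    return hits

def public_acl_grants(grants):
    return [g["Permission"] for g in grants if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS]

def public_exposure(policy_json, grants, pab):
    """Exposure paths still open given the PublicAccessBlock flags: IgnorePublicAcls neutralises
    existing public ACLs, RestrictPublicBuckets neutralises existing public bucket policies."""
    findings = []
    if public_acl_grants(grants) and not pab.get("IgnorePublicAcls"):
        findings.append("acl")
    if public_policy_statements(policy_json) and not pab.get("RestrictPublicBuckets"):
        findings.append("policy")
    return findings

# Constructed sample: CloudTrail delivery grant, accidental public read, and a "*" grant scoped by aws:SourceVpc.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Action": "s3:PutObject",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Resource": "arn:aws:s3:::example-trail-bucket/AWSLogs/111122223333/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-trail-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-trail-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}}]})
SAMPLE_GRANTS = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
                 {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
```

With all four Block public access flags on, the sample reports no exposure even though both the ACL and the policy contain a public grant; with them off, both paths are reported.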
How do I ensure CloudTrail log file validation is enabled?
- Open the IAM console.
- On the left navigation pane, click Trails.
- Select the target trail.
- Navigate to the S3 section, click the edit icon (pencil).
- Click Advanced.
- In the Enable log file validation section, select Yes.
- Click Save.
To turn off logging for a trail with the CloudTrail console
At the top of the trail details page, choose Stop logging to turn off logging for the trail. When you are prompted to confirm, choose Stop logging.
CloudTrail monitors events for your account. If you create a trail, it delivers those events as log files to your Amazon S3 bucket. If you create an event data store in CloudTrail Lake, events are logged to your event data store.
CloudTrail publishes log files to your S3 bucket as gzip archives. In the S3 bucket, the log file has a formatted name that includes the following elements: the bucket name that you specified when you created the trail (found on the Trails page of the CloudTrail console)
- In the navigation pane, choose Event history.
- Choose Create Athena table.
- For Storage location, use the down arrow to select the Amazon S3 bucket where log files are stored for the trail to query.
- Choose Create table.
CloudTrail delivers log files to your S3 bucket approximately every 5 minutes. CloudTrail does not deliver log files if no API calls are made on your account.
- In the navigation pane, choose Logs.
- Select the name of the log group for your Lambda function (/aws/lambda/function-name).
- Select the name of the log stream to view the data provided by the function for the instance that you launched.
- Sign in with sufficient permissions as documented in Step 2: Set up access permissions.
- In the navigation pane, choose Log groups.
- On the Log Groups screen, choose the name of the log group.
- Choose Actions, Export data to Amazon S3.
- In the navigation pane, choose Trails.
- Choose the name of the trail for which you want to disable CloudWatch Logs integration.
- In CloudWatch Logs, choose Edit.
- Clear the Enabled check box.
How do I check access to my S3 bucket?
- In the navigation pane, choose Access analyzer for S3.
- To see whether public access or shared access is granted through a bucket policy, a bucket ACL, a Multi-Region Access Point policy, or an access point policy, look in the Shared through column.
You can use CloudTrail data events to get information about bucket and object-level requests in Amazon S3. To enable CloudTrail data events for all of your buckets or for a list of specific buckets, you must create a trail manually in CloudTrail.
S3 bucket access logging captures information on all requests made to a bucket, such as PUT, GET, and DELETE actions. Bucket access logging is a recommended security best practice that can help teams with upholding compliance standards or identifying unauthorized access to your data.
S3 bucket policies (as the name would imply) only control access to S3 resources for the bucket they're attached to, whereas IAM policies can specify nearly any AWS action.
You can create a bucket policy that restricts access to a specific VPC by using the aws:SourceVpc condition. This is useful if you have multiple VPC endpoints configured in the same VPC, and you want to manage access to your Amazon S3 buckets for all of your endpoints.