AWS-CloudTrail-CloudTrail-Bucket-Private

Severity : Critical

Description: This control checks if CloudTrail logs files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration. CloudTrail buckets contain large amounts of sensitive account data and should only be accessible by logged in users.

Remediation Steps:

Perform following to update CloudTrail bucket Policies to only allow known users:

1. Login to the AWS Console at https://console.aws.amazon.com.

2. Navigate to S3 console.

3. In the navigation pane, choose Buckets.

4. Select the bucket which saves the CloudTrail log files.

5. Select the Properties tab.

6. Click on Access Control List button in the Permissions tab.

   1. Select row that grants permission to Everyone or Any Authenticated User.

   2. Uncheck all the permissions granted to Everyone or Any Authenticated User (click x to delete the row).

   3. Click Save to save the ACL.

7. Click Bucket Policy button in the Permissions tab.

   1. Remove any Statement having an Effect set to Allow and a Principal set to *.

   2. Click Save.

Important:

Reference:

• https://docs.aws.amazon.com/awscloudtrail/latest/userguide/security_iam_id-based-policy-examples.html#grant-cloudwatch-permissions-for-cloudtrail-users

• CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #3.3