metadata: id: 49c71814-2dbe-5204-ad07-879a80503fbc name: Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible profile_applicability: '* Level 1' description: |- CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs. rationale: |- Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration. audit: |- Perform the following to determine if any public access is granted to an S3 bucket via an ACL or S3 bucket policy: **From Console:** 1. Go to the Amazon CloudTrail console at [https://console.aws.amazon.com/cloudtrail/home](https://console.aws.amazon.com/cloudtrail/home) 2. In the `API activity history` pane on the left, click `Trails` 3. In the `Trails` pane, note the bucket names in the `S3 bucket` column 4. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 5. For each bucket noted in step 3, right-click on the bucket and click `Properties` 6. In the `Properties` pane, click the `Permissions` tab. 7. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 8. Ensure no rows exists that have the `Grantee` set to `Everyone` or the `Grantee` set to `Any Authenticated User.` 9. If the `Edit bucket policy` button is present, click it to review the bucket policy. 10. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to "\*" or {"AWS" : "\*"} **From Command Line:** 11. Get the name of the S3 bucket that CloudTrail is logging to: ``` aws cloudtrail describe-trails --query 'trailList[*].S3BucketName' ``` 12. Ensure the `AllUsers` principal is not granted privileges to that `<bucket>` : ``` aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/AllUsers` ]' ``` 13. Ensure the `AuthenticatedUsers` principal is not granted privileges to that `<bucket>`: ``` aws s3api get-bucket-acl --bucket <s3_bucket_for_cloudtrail> --query 'Grants[?Grantee.URI== `https://acs.amazonaws.com/groups/global/Authenticated Users` ]' ``` 14. Get the S3 Bucket Policy ``` aws s3api get-bucket-policy --bucket <s3_bucket_for_cloudtrail> ``` 15. Ensure the policy does not contain a `Statement` having an `Effect` set to `Allow` and a `Principal` set to "\*" or {"AWS" : "\*"} **Note:** Principal set to "\*" or {"AWS" : "\*"} allows anonymous access. remediation: |- Perform the following to remove any public access that has been granted to the bucket via an ACL or S3 bucket policy: 1. Go to Amazon S3 console at [https://console.aws.amazon.com/s3/home](https://console.aws.amazon.com/s3/home) 2. Right-click on the bucket and click Properties 3. In the `Properties` pane, click the `Permissions` tab. 4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted. 5. Select the row that grants permission to `Everyone` or `Any Authenticated User` 6. Uncheck all the permissions granted to `Everyone` or `Any Authenticated User` (click `x` to delete the row). 7. Click `Save` to save the ACL. 8. If the `Edit bucket policy` button is present, click it. 9. Remove any `Statement` having an `Effect` set to `Allow` and a `Principal` set to "\*" or {"AWS" : "\*"}. impact: '' default_value: '' references: 1. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html section: Logging version: '1.0' tags: - CIS - AWS - CIS 3.3 - Logging benchmark: name: CIS Amazon Web Services Foundations version: v1.5.0 id: cis_aws rule_number: '3.3' posture_type: cspm