S3 Bucket Logging Disabled
- Query id: 4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c
- Query name: S3 Bucket Logging Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- URL: Github
Description
Server access logging should be enabled on S3 buckets so that requests made to the bucket, including changes to its objects, are recorded and can be audited.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  # Flagged by this query: the bucket declares no LoggingConfiguration, so
  # server access logging is off and requests to it leave no audit trail.
  # Replication and versioning alone do not record who accessed the bucket.
  mybucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    Properties:
      ReplicationConfiguration:
        # Replication runs under the IAM role declared below.
        Role:
          "Fn::GetAtt":
            - WorkItemBucketBackupRole
            - Arn
        Rules:
          - Destination:
              # Target bucket name is built as <region>-<stack>-replicationbucket.
              Bucket:
                "Fn::Join":
                  - ""
                  - - "arn:aws:s3:::"
                    - "Fn::Join":
                        - "-"
                        - - Ref: "AWS::Region"
                          - Ref: "AWS::StackName"
                          - replicationbucket
              StorageClass: STANDARD
            Id: Backup
            Prefix: ""
            Status: Enabled
      VersioningConfiguration:
        Status: Enabled
  # Role the S3 service assumes to perform the replication above.
  WorkItemBucketBackupRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: Allow
            Principal:
              Service:
                - s3.amazonaws.com
  # Permissions attached to the replication role. Note that the source
  # bucket it names, RecordServiceS3Bucket, is not declared in this sample;
  # the logging query only inspects the bucket resource itself.
  BucketBackupPolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyDocument:
        Statement:
          # Read replication configuration and list the source bucket.
          - Action:
              - "s3:GetReplicationConfiguration"
              - "s3:ListBucket"
            Effect: Allow
            Resource:
              - "Fn::Join":
                  - ""
                  - - "arn:aws:s3:::"
                    - Ref: RecordServiceS3Bucket
          # Read object versions from the source bucket.
          - Action:
              - "s3:GetObjectVersion"
              - "s3:GetObjectVersionAcl"
            Effect: Allow
            Resource:
              - "Fn::Join":
                  - ""
                  - - "arn:aws:s3:::"
                    - Ref: RecordServiceS3Bucket
                    - /*
          # Write replicated objects and deletes into the replication bucket.
          - Action:
              - "s3:ReplicateObject"
              - "s3:ReplicateDelete"
            Effect: Allow
            Resource:
              - "Fn::Join":
                  - ""
                  - - "arn:aws:s3:::"
                    - "Fn::Join":
                        - "-"
                        - - Ref: "AWS::Region"
                          - Ref: "AWS::StackName"
                          - replicationbucket
                    - /*
      PolicyName: BucketBackupPolicy
      Roles:
        - Ref: WorkItemBucketBackupRole
Positive test num. 2 - json file
{
"Description": "A sample template",
"Resources": {
"WorkItemBucketBackupRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"s3.amazonaws.com"
]
}
}
]
}
}
},
"BucketBackupPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "RecordServiceS3Bucket"
}
]
]
}
],
"Action": [
"s3:GetReplicationConfiguration",
"s3:ListBucket"
],
"Effect": "Allow"
},
{
"Action": [
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "RecordServiceS3Bucket"
},
"/*"
]
]
}
]
},
{
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::Join": [
"-",
[
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::StackName"
},
"replicationbucket"
]
]
},
"/*"
]
]
}
]
}
]
},
"PolicyName": "BucketBackupPolicy",
"Roles": [
{
"Ref": "WorkItemBucketBackupRole"
}
]
}
},
"mybucket": {
"Properties": {
"ReplicationConfiguration": {
"Role": {
"Fn::GetAtt": [
"WorkItemBucketBackupRole",
"Arn"
]
},
"Rules": [
{
"Prefix": "",
"Status": "Enabled",
"Destination": {
"Bucket": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::Join": [
"-",
[
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::StackName"
},
"replicationbucket"
]
]
}
]
]
},
"StorageClass": "STANDARD"
},
"Id": "Backup"
}
]
},
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain"
}
},
"AWSTemplateFormatVersion": "2010-09-09"
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  # Passes this query: the bucket carries a LoggingConfiguration, so S3
  # server access logging is enabled and requests to it are recorded.
  RecordServiceS3Bucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    Properties:
      ReplicationConfiguration:
        # Replication runs under the IAM role declared below.
        Role:
          "Fn::GetAtt":
            - WorkItemBucketBackupRole
            - Arn
        Rules:
          - Destination:
              # Target bucket name is built as <region>-<stack>-replicationbucket.
              Bucket:
                "Fn::Join":
                  - ""
                  - - "arn:aws:s3:::"
                    - "Fn::Join":
                        - "-"
                        - - Ref: "AWS::Region"
                          - Ref: "AWS::StackName"
                          - replicationbucket
              StorageClass: STANDARD
            Id: Backup
            Prefix: ""
            Status: Enabled
      VersioningConfiguration:
        Status: Enabled
      # Access logs for this bucket are delivered to LoggingBucket under the
      # LogFilePrefix key prefix. LoggingBucket is not declared in this sample;
      # a deployable template must define it (or name an existing bucket), and
      # that destination bucket must permit S3 log delivery to write into it.
      LoggingConfiguration:
        DestinationBucketName: !Ref LoggingBucket
        LogFilePrefix: loga/
  # Role the S3 service assumes to perform the replication above.
  WorkItemBucketBackupRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: Allow
            Principal:
              Service:
                - s3.amazonaws.com
  # Permissions attached to the replication role for the source bucket
  # (RecordServiceS3Bucket) and the replication bucket.
  BucketBackupPolicy:
    Type: "AWS::IAM::Policy"
    Properties:
      PolicyDocument:
        Statement:
          # Read replication configuration and list the source bucket.
          - Action:
              - "s3:GetReplicationConfiguration"
              - "s3:ListBucket"
            Effect: Allow
            Resource:
              - "Fn::Join":
                  - ""
                  - - "arn:aws:s3:::"
                    - Ref: RecordServiceS3Bucket
          # Read object versions from the source bucket.
          - Action:
              - "s3:GetObjectVersion"
              - "s3:GetObjectVersionAcl"
            Effect: Allow
            Resource:
              - "Fn::Join":
                  - ""
                  - - "arn:aws:s3:::"
                    - Ref: RecordServiceS3Bucket
                    - /*
          # Write replicated objects and deletes into the replication bucket.
          - Action:
              - "s3:ReplicateObject"
              - "s3:ReplicateDelete"
            Effect: Allow
            Resource:
              - "Fn::Join":
                  - ""
                  - - "arn:aws:s3:::"
                    - "Fn::Join":
                        - "-"
                        - - Ref: "AWS::Region"
                          - Ref: "AWS::StackName"
                          - replicationbucket
                    - /*
      PolicyName: BucketBackupPolicy
      Roles:
        - Ref: WorkItemBucketBackupRole
Negative test num. 2 - json file
{
"Resources": {
"RecordServiceS3Bucket": {
"Properties": {
"ReplicationConfiguration": {
"Role": {
"Fn::GetAtt": [
"WorkItemBucketBackupRole",
"Arn"
]
},
"Rules": [
{
"Status": "Enabled",
"Destination": {
"Bucket": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::Join": [
"-",
[
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::StackName"
},
"replicationbucket"
]
]
}
]
]
},
"StorageClass": "STANDARD"
},
"Id": "Backup",
"Prefix": ""
}
]
},
"VersioningConfiguration": {
"Status": "Enabled"
},
"LoggingConfiguration": {
"DestinationBucketName": "LoggingBucket",
"LogFilePrefix": "loga/"
}
},
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain"
},
"WorkItemBucketBackupRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Principal": {
"Service": [
"s3.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow"
}
]
}
}
},
"BucketBackupPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetReplicationConfiguration",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "RecordServiceS3Bucket"
}
]
]
}
]
},
{
"Action": [
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "RecordServiceS3Bucket"
},
"/*"
]
]
}
]
},
{
"Action": [
"s3:ReplicateObject",
"s3:ReplicateDelete"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::Join": [
"-",
[
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::StackName"
},
"replicationbucket"
]
]
},
"/*"
]
]
}
]
}
]
},
"PolicyName": "BucketBackupPolicy",
"Roles": [
{
"Ref": "WorkItemBucketBackupRole"
}
]
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template"
}