S3 Bucket CloudTrail Logging Disabled

  • Query id: c3ce69fd-e3df-49c6-be78-1db3f802261c
  • Query name: S3 Bucket CloudTrail Logging Disabled
  • Platform: CloudFormation
  • Severity: High
  • Category: Observability
  • URL: Github

Description

Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  mybucketVulnerable:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    Properties:
      ReplicationConfiguration:
        Role:
          Fn::GetAtt:
            - WorkItemBucketBackupRole
            - Arn
        Rules:
          - Destination:
              Bucket:
                Fn::Join:
                  - ""
                  - - "arn:aws:s3:::"
                    - Fn::Join:
                        - "-"
                        - - Ref: "AWS::Region"
                          - Ref: "AWS::StackName"
                          - replicationbucket
              StorageClass: STANDARD
            Id: Backup
            Prefix: ""
            Status: Enabled
      VersioningConfiguration:
        Status: Enabled
  WorkItemBucketBackupRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: Allow
            Principal:
              Service:
                - s3.amazonaws.com
  sampleBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket:
        Ref: mybucketVulnerable
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              Fn::Join:
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: DOC-EXAMPLE-BUCKET
                  - /*
            Principal:
              Service: 'cloudtrail.amazonaws.com'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "WorkItemBucketBackupRole": {
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": [
                "sts:AssumeRole"
              ],
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "s3.amazonaws.com"
                ]
              }
            }
          ]
        }
      },
      "Type": "AWS::IAM::Role"
    },
    "sampleBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "mybucketVulnerable"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "DOC-EXAMPLE-BUCKET"
                    },
                    "/*"
                  ]
                ]
              },
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              },
              "Action": [
                "s3:GetObject"
              ],
              "Effect": "Allow"
            }
          ]
        }
      }
    },
    "mybucketVulnerable": {
      "Properties": {
        "ReplicationConfiguration": {
          "Role": {
            "Fn::GetAtt": [
              "WorkItemBucketBackupRole",
              "Arn"
            ]
          },
          "Rules": [
            {
              "Destination": {
                "Bucket": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:s3:::",
                      {
                        "Fn::Join": [
                          "-",
                          [
                            {
                              "Ref": "AWS::Region"
                            },
                            {
                              "Ref": "AWS::StackName"
                            },
                            "replicationbucket"
                          ]
                        ]
                      }
                    ]
                  ]
                },
                "StorageClass": "STANDARD"
              },
              "Id": "Backup",
              "Prefix": "",
              "Status": "Enabled"
            }
          ]
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      },
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  mybucket:
    Type: "AWS::S3::Bucket"
    DeletionPolicy: Retain
    Properties:
      ReplicationConfiguration:
        Role:
          Fn::GetAtt:
            - WorkItemBucketBackupRole
            - Arn
        Rules:
          - Destination:
              Bucket:
                Fn::Join:
                  - ""
                  - - "arn:aws:s3:::"
                    - "Fn::Join":
                        - "-"
                        - - Ref: "AWS::Region"
                          - Ref: "AWS::StackName"
                          - replicationbucket
              StorageClass: STANDARD
            Id: Backup
            Prefix: ""
            Status: Enabled
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: LoggingBucket
        LogFilePrefix: loga/
  WorkItemBucketBackupRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - "sts:AssumeRole"
            Effect: Allow
            Principal:
              Service:
                - s3.amazonaws.com
  SampleBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket:
        Ref: mybucket
      PolicyDocument:
        Statement:
          - Action:
              - 's3:GetObject'
            Effect: Allow
            Resource:
              'Fn::Join':
                - ''
                - - 'arn:aws:s3:::'
                  - Ref: DOC-EXAMPLE-BUCKET
                  - /*
            Principal:
              Service: 'cloudtrail.amazonaws.com'
            Condition:
              StringLike:
                'aws:Referer':
                  - 'http://www.example.com/*'
                  - 'http://example.net/*'
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "A sample template",
  "Resources": {
    "mybucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "Properties": {
        "ReplicationConfiguration": {
          "Role": {
            "Fn::GetAtt": [
              "WorkItemBucketBackupRole",
              "Arn"
            ]
          },
          "Rules": [
            {
              "Destination": {
                "Bucket": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:aws:s3:::",
                      {
                        "Fn::Join": [
                          "-",
                          [
                            {
                              "Ref": "AWS::Region"
                            },
                            {
                              "Ref": "AWS::StackName"
                            },
                            "replicationbucket"
                          ]
                        ]
                      }
                    ]
                  ]
                },
                "StorageClass": "STANDARD"
              },
              "Id": "Backup",
              "Prefix": "",
              "Status": "Enabled"
            }
          ]
        },
        "VersioningConfiguration": {
          "Status": "Enabled"
        },
        "LoggingConfiguration": {
          "DestinationBucketName": "LoggingBucket",
          "LogFilePrefix": "loga/"
        }
      }
    },
    "WorkItemBucketBackupRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": [
                "sts:AssumeRole"
              ],
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "s3.amazonaws.com"
                ]
              }
            }
          ]
        }
      }
    },
    "SampleBucketPolicy": {
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:GetObject"
              ],
              "Effect": "Allow",
              "Resource": {
                "Fn::Join": [
                  "",
                  [
                    "arn:aws:s3:::",
                    {
                      "Ref": "DOC-EXAMPLE-BUCKET"
                    },
                    "/*"
                  ]
                ]
              },
              "Principal": {
                "Service": "cloudtrail.amazonaws.com"
              },
              "Condition": {
                "StringLike": {
                  "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.net/*"
                  ]
                }
              }
            }
          ]
        },
        "Bucket": {
          "Ref": "mybucket"
        }
      },
      "Type": "AWS::S3::BucketPolicy"
    }
  }
}