S3 Bucket CloudTrail Logging Disabled
- Query id: c3ce69fd-e3df-49c6-be78-1db3f802261c
- Query name: S3 Bucket CloudTrail Logging Disabled
- Platform: CloudFormation
- Severity: High
- Category: Observability
- URL: Github
Description¶
Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
mybucketVulnerable:
Type: "AWS::S3::Bucket"
DeletionPolicy: Retain
Properties:
ReplicationConfiguration:
Role:
Fn::GetAtt:
- WorkItemBucketBackupRole
- Arn
Rules:
- Destination:
Bucket:
Fn::Join:
- ""
- - "arn:aws:s3:::"
- Fn::Join:
- "-"
- - Ref: "AWS::Region"
- Ref: "AWS::StackName"
- replicationbucket
StorageClass: STANDARD
Id: Backup
Prefix: ""
Status: Enabled
VersioningConfiguration:
Status: Enabled
WorkItemBucketBackupRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- "sts:AssumeRole"
Effect: Allow
Principal:
Service:
- s3.amazonaws.com
sampleBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket:
Ref: mybucketVulnerable
PolicyDocument:
Statement:
- Action:
- 's3:GetObject'
Effect: Allow
Resource:
Fn::Join:
- ''
- - 'arn:aws:s3:::'
- Ref: DOC-EXAMPLE-BUCKET
- /*
Principal:
Service: 'cloudtrail.amazonaws.com'
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"WorkItemBucketBackupRole": {
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"s3.amazonaws.com"
]
}
}
]
}
},
"Type": "AWS::IAM::Role"
},
"sampleBucketPolicy": {
"Type": "AWS::S3::BucketPolicy",
"Properties": {
"Bucket": {
"Ref": "mybucketVulnerable"
},
"PolicyDocument": {
"Statement": [
{
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "DOC-EXAMPLE-BUCKET"
},
"/*"
]
]
},
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
},
"Action": [
"s3:GetObject"
],
"Effect": "Allow"
}
]
}
}
},
"mybucketVulnerable": {
"Properties": {
"ReplicationConfiguration": {
"Role": {
"Fn::GetAtt": [
"WorkItemBucketBackupRole",
"Arn"
]
},
"Rules": [
{
"Destination": {
"Bucket": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::Join": [
"-",
[
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::StackName"
},
"replicationbucket"
]
]
}
]
]
},
"StorageClass": "STANDARD"
},
"Id": "Backup",
"Prefix": "",
"Status": "Enabled"
}
]
},
"VersioningConfiguration": {
"Status": "Enabled"
}
},
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
mybucket:
Type: "AWS::S3::Bucket"
DeletionPolicy: Retain
Properties:
ReplicationConfiguration:
Role:
Fn::GetAtt:
- WorkItemBucketBackupRole
- Arn
Rules:
- Destination:
Bucket:
Fn::Join:
- ""
- - "arn:aws:s3:::"
- "Fn::Join":
- "-"
- - Ref: "AWS::Region"
- Ref: "AWS::StackName"
- replicationbucket
StorageClass: STANDARD
Id: Backup
Prefix: ""
Status: Enabled
VersioningConfiguration:
Status: Enabled
LoggingConfiguration:
DestinationBucketName: LoggingBucket
LogFilePrefix: loga/
WorkItemBucketBackupRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Statement:
- Action:
- "sts:AssumeRole"
Effect: Allow
Principal:
Service:
- s3.amazonaws.com
SampleBucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket:
Ref: mybucket
PolicyDocument:
Statement:
- Action:
- 's3:GetObject'
Effect: Allow
Resource:
'Fn::Join':
- ''
- - 'arn:aws:s3:::'
- Ref: DOC-EXAMPLE-BUCKET
- /*
Principal:
Service: 'cloudtrail.amazonaws.com'
Condition:
StringLike:
'aws:Referer':
- 'http://www.example.com/*'
- 'http://example.net/*'
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template",
"Resources": {
"mybucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Retain",
"Properties": {
"ReplicationConfiguration": {
"Role": {
"Fn::GetAtt": [
"WorkItemBucketBackupRole",
"Arn"
]
},
"Rules": [
{
"Destination": {
"Bucket": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Fn::Join": [
"-",
[
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::StackName"
},
"replicationbucket"
]
]
}
]
]
},
"StorageClass": "STANDARD"
},
"Id": "Backup",
"Prefix": "",
"Status": "Enabled"
}
]
},
"VersioningConfiguration": {
"Status": "Enabled"
},
"LoggingConfiguration": {
"DestinationBucketName": "LoggingBucket",
"LogFilePrefix": "loga/"
}
}
},
"WorkItemBucketBackupRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"s3.amazonaws.com"
]
}
}
]
}
}
},
"SampleBucketPolicy": {
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:aws:s3:::",
{
"Ref": "DOC-EXAMPLE-BUCKET"
},
"/*"
]
]
},
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.net/*"
]
}
}
}
]
},
"Bucket": {
"Ref": "mybucket"
}
},
"Type": "AWS::S3::BucketPolicy"
}
}
}