AWS access logging is not enabled on S3 buckets
Description
Server access logging records each request made to an S3 bucket (requester, bucket, key, operation, response status, error code, and time) in log objects that S3 delivers to a target bucket. Without it there is no per-request record of who read, wrote, or deleted objects, which leaves nothing to reconstruct during an incident investigation or access audit.
Fix - Runtime
AWS Console
To enable server access logging using the AWS Console, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon S3 console.
- Navigate to the Bucket name list.
- Select the name of the bucket for which you want to enable server access logging.
- Click Properties.
- Click Server access logging.
- Click Enable Logging.
- For the target, select the name of the bucket that you want to receive the log record objects.
- Click Save.
📘 Notes
- The target bucket must be in the same Region as the source bucket and must not have a default retention period (Object Lock) configuration.
- Prefer a dedicated log bucket over the source bucket itself: when a bucket logs to itself, S3 also writes log records for every log object it delivers there.
CLI Command
The example below sets the logging configuration for MyBucket, using MyBucket itself as the target. Through TargetGrants, the AWS user [email protected] is given full control over the log objects; no one else is granted access to them.

First, grant the S3 Log Delivery group permission to write to the target bucket (the bucket that will receive the log objects) with put-bucket-acl. Note that put-bucket-acl replaces the bucket's existing ACL rather than adding to it, so include any grants you need to keep:

```shell
aws s3api put-bucket-acl --bucket MyBucket \
  --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \
  --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery
```

Then apply the logging configuration:

```shell
aws s3api put-bucket-logging --bucket MyBucket --bucket-logging-status file://logging.json
```

logging.json is a JSON document in the current folder that contains the logging configuration:

```json
{
  "LoggingEnabled": {
    "TargetBucket": "MyBucket",
    "TargetPrefix": "MyBucketLogs/",
    "TargetGrants": [
      {
        "Grantee": {
          "Type": "AmazonCustomerByEmail",
          "EmailAddress": "[email protected]"
        },
        "Permission": "FULL_CONTROL"
      }
    ]
  }
}
```

Two caveats apply. Writing logs into the source bucket, as this example does, causes S3 to generate further log records for the log objects it writes; a dedicated log bucket avoids that. Both the Log Delivery group grant and TargetGrants are ACL-based, so they only work while the target bucket's Object Ownership setting still permits ACLs; if ACLs are disabled (Bucket owner enforced), omit TargetGrants and instead allow the logging service to write through a bucket policy on the target bucket that grants s3:PutObject to the logging.s3.amazonaws.com service principal. Confirm the result with `aws s3api get-bucket-logging --bucket MyBucket`, which prints the LoggingEnabled document when logging is on and nothing when it is off.
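The check behind this policy, as an added example that is not part of the original page or of any AWS tooling: it takes the documents that `aws s3api get-bucket-logging` returns for each bucket (an empty output meaning logging is off) together with each bucket's Region, and reports whether logging is enabled and whether the target satisfies the constraints in the Notes above. The bucket names, Regions and outputs are constructed for illustration.

```python
import json

# Constructed inventory of bucket name -> Region, as `aws s3api get-bucket-location`
# would report it. Hypothetical bucket names, not from the original page.
BUCKET_REGIONS = {
    "app-data": "us-east-1",
    "app-logs": "us-east-1",
    "eu-archive": "eu-west-1",
    "self-logger": "us-east-1",
}

# Constructed `aws s3api get-bucket-logging --bucket <name>` outputs. The CLI prints
# nothing when logging is not enabled, so an empty string stands for that case.
GET_BUCKET_LOGGING_OUTPUT = {
    "app-data": '{"LoggingEnabled": {"TargetBucket": "app-logs", "TargetPrefix": "app-data/"}}',
    "app-logs": "",
    "eu-archive": '{"LoggingEnabled": {"TargetBucket": "app-logs", "TargetPrefix": "eu-archive/"}}',
    "self-logger": '{"LoggingEnabled": {"TargetBucket": "self-logger", "TargetPrefix": ""}}',
}


def parse_logging_output(text):
    """Turn raw CLI output into a dict; empty output means logging is disabled."""
    return json.loads(text) if text.strip() else {}


def check_bucket_logging(bucket, logging_status, bucket_regions):
    """Evaluate one bucket. Returns (status, issues) with status PASS, WARN or FAIL.

    FAIL: the policy on this page is violated (no usable logging configuration).
    WARN: logging is on but the target choice is unwise or would be rejected by S3.
    """
    enabled = logging_status.get("LoggingEnabled")
    if not enabled:
        return "FAIL", ["server access logging is not enabled"]
    target = enabled.get("TargetBucket")
    if not target:
        return "FAIL", ["LoggingEnabled is present but has no TargetBucket"]

    issues = []
    source_region = bucket_regions.get(bucket)
    target_region = bucket_regions.get(target)
    if target_region is None:
        issues.append(f"target bucket {target} is not in the inventory")
    elif target_region != source_region:
        # S3 rejects a cross-Region target when the configuration is applied, so this
        # doubles as a pre-flight check for a document you are about to put-bucket-logging.
        issues.append(
            f"target bucket {target} is in {target_region}, a different Region from "
            f"the source in {source_region}"
        )
    if target == bucket:
        issues.append(
            "target is the source bucket itself, so S3 will also log its own log "
            "deliveries; use a dedicated log bucket"
        )
    if not enabled.get("TargetPrefix"):
        issues.append("no TargetPrefix set; log objects will be mixed with other objects in the target")
    return ("WARN" if issues else "PASS"), issues


def evaluate(outputs, bucket_regions):
    """Run the check over every bucket; returns {bucket: (status, issues)}."""
    return {
        bucket: check_bucket_logging(bucket, parse_logging_output(text), bucket_regions)
        for bucket, text in outputs.items()
    }


def noncompliant_buckets(results):
    """Buckets that violate the policy outright (logging off or unusable)."""
    return sorted(b for b, (status, _) in results.items() if status == "FAIL")


if __name__ == "__main__":
    results = evaluate(GET_BUCKET_LOGGING_OUTPUT, BUCKET_REGIONS)
    for bucket, (status, issues) in results.items():
        print(f"{status:4} {bucket}")
        for issue in issues:
            print(f"       - {issue}")
    print("non-compliant:", ", ".join(noncompliant_buckets(results)))
```

Run against a real account, replace the two constructed dicts with the output of `get-bucket-location` and `get-bucket-logging` for each bucket from `list-buckets`; the FAIL results are exactly the buckets this policy flags, and the WARN results are the ones worth revisiting before an auditor does.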
# Fix - Buildtime
## Terraform
- **Resource:** aws_s3_bucket, aws_s3_bucket_logging
```terraform aws_s3_bucket.bucket.tf
+ resource "aws_s3_bucket_logging" "example" {
+ bucket = aws_s3_bucket.example.id
+
+ target_bucket = aws_s3_bucket.log_bucket.id
+ target_prefix = "log/"
+ }
```
The aws_s3_bucket.example (source) and aws_s3_bucket.log_bucket (target) resources referenced here must be declared elsewhere in the configuration, and the log bucket must be in the same Region as the source. aws_s3_bucket_logging only sets the logging configuration on the source bucket; the log bucket must separately allow the S3 logging service to write to it, for example through an aws_s3_bucket_policy that grants s3:PutObject to the logging.s3.amazonaws.com service principal, or through the legacy Log Delivery group ACL grant where the bucket still permits ACLs.