CloudTrail Logging Bucket Should Use MFA Delete Feature
More Info:
Your AWS CloudTrail logging bucket should use the Multi-Factor Authentication (MFA) Delete feature in order to prevent the deletion of any versioned log files. MFA Delete is a setting of S3 bucket versioning that only the account's root user can turn on; it is complementary to bucket-policy statements that deny delete actions when the aws:MultiFactorAuthPresent condition key is false, and the remediation below covers both controls.
Risk Level
High
Address
Security
Compliance Standards
AWSWAF
Triage and Remediation
Remediation
To remediate the misconfiguration CloudTrail Logging Bucket Should Use MFA Delete Feature in AWS using the AWS console, follow these steps:
- Log in to your AWS console.
- Navigate to the S3 service.
- Find the S3 bucket that is being used for CloudTrail logging.
- Click on the bucket name to open its properties.
- Click on the Permissions tab.
- Scroll down to the “Bucket Policy” section.
- Click on “Edit”.
- Add the following JSON code to the Bucket Policy:

```json
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    },
    {
      "Sid": "DenyDeleteWithoutMFA",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketVersioning",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:PutBucketCors",
        "s3:PutReplicationConfiguration",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ],
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

- Replace “your-bucket-name” with the actual name of your S3 bucket.
- Click on “Save Changes” to update the Bucket Policy.

This adds a DenyDeleteWithoutMFA statement to the bucket policy, which prevents deletion of objects and object versions, and modification of the bucket's versioning, lifecycle, ACL, policy, CORS and replication settings, unless the request was authenticated with MFA. The statement uses BoolIfExists rather than Bool because requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and a plain Bool condition would not match them. It deliberately does not list s3:PutObject, since the CloudTrail service delivers log files without MFA and would otherwise be blocked, and it lists the bucket ARN alongside the object ARN in Resource so that the bucket-level actions such as s3:DeleteBucket and s3:PutBucketPolicy are actually covered. The DenyUnEncryptedObjectUploads statement is a separate control that only rejects uploads lacking a server-side-encryption header.
To remediate the misconfiguration “CloudTrail Logging Bucket Should Use MFA Delete Feature” for AWS using AWS CLI, follow these steps:
- Enable versioning for the S3 bucket where CloudTrail logs are stored by running the following command:
```bash
aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled
```
- Create a new IAM policy that grants permission to delete objects from the S3 bucket only if MFA authentication is provided. You can use the following policy as an example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDeleteObjectsWithMFA",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject*",
        "s3:PutObjectVersionAcl",
        "s3:GetObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    },
    {
      "Sid": "DenyDeleteObjectsWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject*",
        "s3:PutObjectVersionAcl",
        "s3:GetObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```
- Create a new IAM policy that grants permission to update the bucket policy to require MFA authentication for object deletions. You can use the following policy as an example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUpdateBucketPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>"
    }
  ]
}
```
- Create a new IAM role, attach the policies created in steps 2 and 3 to it, and create the role with the following command:

```bash
aws iam create-role --role-name <role-name> --assume-role-policy-document file://trust-policy.json
```
where “trust-policy.json” contains the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
- Update the bucket policy to require MFA authentication for object deletions by running the following command:
```bash
aws s3api put-bucket-policy --bucket <bucket-name> --policy file://bucket-policy.json
```
where “bucket-policy.json” contains the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMFADelete",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteObject*",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```
- Launch an EC2 instance with the IAM role created in step 4 and run the following command to delete the existing CloudTrail logging bucket policy:
```bash
aws s3api delete-bucket-policy --bucket <bucket-name>
```
- Finally, run the following command to update the CloudTrail logging bucket policy to require MFA authentication for object deletions:
```bash
aws s3api put-bucket-policy --bucket <bucket-name> --policy file://cloudtrail-policy.json
```
where “cloudtrail-policy.json” contains the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireMFADelete",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteObject*",
      "Resource": "arn:aws:s3:::<bucket-name>/*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```
After following these steps, the CloudTrail logging bucket should be configured to require MFA authentication for object deletions.
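Both the console bucket policy and the bucket-policy.json used with the CLI rely on a Deny statement conditioned on aws:MultiFactorAuthPresent. The audit helper below is an added example, not code from the original page: it checks a bucket policy document for such a statement and flags two weaknesses, a plain Bool operator (which does not match requests made with long-term access keys, because the key is absent) and a Deny that also covers s3:PutObject, which would stop CloudTrail's own log delivery. The two policy documents in it are constructed samples and the bucket name is a placeholder.

```python
import fnmatch
import json

# Object delete actions an MFA-delete control must cover (IAM action matching
# is case-insensitive, so everything is compared lower-cased).
DELETE_ACTIONS = ("s3:deleteobject", "s3:deleteobjectversion")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action strings may carry '*' wildcards, e.g. "s3:DeleteObject*".
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_mfa_delete_policy(policy_json):
    """Return findings about MFA enforcement for object deletes in a bucket policy."""
    findings = {"mfa_deny_present": False, "weak_bool_operator": False,
                "blocks_put_object": False}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        operator = next((op for op in ("BoolIfExists", "Bool") if str(
            cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "false"), None)
        patterns = _as_list(stmt.get("Action", []))
        if operator is None or not all(_matches(a, patterns) for a in DELETE_ACTIONS):
            continue
        findings["mfa_deny_present"] = True
        # Bool never matches when the key is absent (long-term access keys), so the
        # Deny silently fails to apply; BoolIfExists treats a missing key as a match.
        if operator == "Bool":
            findings["weak_bool_operator"] = True
        # CloudTrail delivers logs without MFA, so denying s3:PutObject breaks delivery.
        if _matches("s3:putobject", patterns):
            findings["blocks_put_object"] = True
    return findings

# Constructed sample policies (not from the page); the bucket name is a placeholder.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyDeleteWithoutMFA", "Effect": "Deny", "Principal": "*",
    "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
    "Resource": "arn:aws:s3:::example-cloudtrail-logs/*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]})
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "RequireMFADelete", "Effect": "Deny", "Principal": "*",
    "Action": ["s3:DeleteObject*", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-cloudtrail-logs/*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]})
```

Run it against the output of `aws s3api get-bucket-policy --query Policy --output text` to check a live bucket; the Python remediation section below shows how to enable the separate S3 MFA Delete versioning setting.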
To remediate the misconfiguration CloudTrail Logging Bucket Should Use MFA Delete Feature in AWS using Python (boto3), follow the steps below. MFA Delete is enabled through put_bucket_versioning; the call must carry the root user's MFA device serial and a current code in its MFA parameter and must be signed with root-user credentials, since no other principal can change this setting.

- Import the necessary libraries.
- Define the name of the S3 bucket that you want to remediate and the MFA value (device serial followed by a space and the current code).
- Create an S3 client.
- Check if MFA delete is enabled for the bucket.
- If MFA delete is not enabled, enable it together with versioning in a single put_bucket_versioning call.

```python
import boto3
from botocore.exceptions import ClientError

# Replace with the actual bucket name and MFA value. The MFA value is the root
# user's MFA device serial (the device ARN for a virtual MFA) followed by a
# space and the current six-digit code.
bucket_name = 'your-bucket-name'
mfa = 'your-mfa-serial-number your-mfa-code'

s3 = boto3.client('s3')


def remediate(bucket_name, mfa):
    # Check if MFA delete is enabled for the bucket. A bucket that has never
    # been versioned returns a response without 'Status' or 'MFADelete'.
    try:
        response = s3.get_bucket_versioning(Bucket=bucket_name)
    except ClientError as e:
        print(f'Error: {e}')
        return False
    if response.get('Status') != 'Enabled':
        print('Bucket versioning is not enabled for the bucket.')
    if response.get('MFADelete') == 'Enabled':
        print('MFA Delete is already enabled for the bucket.')
        return True

    # If MFA delete is not enabled, enable it. Versioning and MFA Delete are
    # set in the same call; the MFA parameter is mandatory when MFADelete is
    # changed, and the request must be signed with root-user credentials.
    try:
        s3.put_bucket_versioning(
            Bucket=bucket_name,
            MFA=mfa,
            VersioningConfiguration={
                'Status': 'Enabled',
                'MFADelete': 'Enabled'
            }
        )
        print('MFA Delete has been enabled for the bucket.')
        return True
    except ClientError as e:
        print(f'Error: {e}')
        return False


if __name__ == '__main__':
    remediate(bucket_name, mfa)
```

Note: Replace ‘your-bucket-name’ and ‘your-mfa-serial-number your-mfa-code’ with the actual values of your S3 bucket name and the root MFA device serial plus its current code respectively.