Triage and Remediation
Remediation
Using Console
Step-by-step instructions to remediate “CloudTrail Logging Bucket Should Use MFA Delete Feature” in AWS using the console:
- Log in to your AWS console.
- Navigate to the S3 service.
- Find the S3 bucket that is being used for CloudTrail logging.
- Click on the bucket name to open its properties.
- Click on the Permissions tab.
- Scroll down to the “Bucket Policy” section.
- Click on “Edit”.
- Add the following JSON code to the Bucket Policy:
- Replace “your-bucket-name” with the actual name of your S3 bucket.
- Click on “Save Changes” to update the Bucket Policy.
Using CLI
To remediate the misconfiguration “CloudTrail Logging Bucket Should Use MFA Delete Feature” for AWS using the AWS CLI, follow these steps:
- Enable versioning for the S3 bucket where CloudTrail logs are stored by running the following command:
- Create a new IAM policy that grants permission to delete objects from the S3 bucket only if MFA authentication is provided. You can use the following policy as an example:
- Create a new IAM policy that grants permission to update the bucket policy to require MFA authentication for object deletions. You can use the following policy as an example:
- Create a new IAM role that can assume the policy created in step 3 and attach the policy created in step 2 to it. You can use the following command to create the role, where “trust-policy.json” contains the following:
- Update the bucket policy to require MFA authentication for object deletions by running the following command, where “bucket-policy.json” contains the following:
- Launch an EC2 instance with the IAM role created in step 4 and run the following command to delete the existing CloudTrail logging bucket policy:
- Finally, run the following command to update the CloudTrail logging bucket policy to require MFA authentication for object deletions, where “cloudtrail-policy.json” contains the following:

After following these steps, the CloudTrail logging bucket should be configured to require MFA authentication for object deletions.
Using Python
To remediate the misconfiguration “CloudTrail Logging Bucket Should Use MFA Delete Feature” in AWS using Python, follow these steps:
- Import the necessary libraries:
- Define the name of the S3 bucket that you want to remediate:
- Create an S3 client:
- Check if MFA delete is enabled for the bucket:
- If MFA delete is not enabled, enable it:
- Configure MFA delete for the bucket:

Note: Replace ‘your-bucket-name’ and ‘your-mfa-serial-number’ with the actual values of your S3 bucket name and MFA serial number respectively.
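The Python steps above, carried through as one runnable check-and-enable routine. This is an added example, not the page's own code: it uses the S3 `GetBucketVersioning` / `PutBucketVersioning` calls (the ones MFA Delete actually lives on), accepts any object with those two methods so a real `boto3.client("s3")` can be passed in, and ships a constructed `FakeS3Client` so it runs offline; the bucket name and MFA serial are placeholders.

```python
# Added example: check and enable MFA Delete on the CloudTrail log bucket.
# Works with a real boto3 client (boto3.client("s3")) or, offline, with the
# constructed FakeS3Client below. Bucket name and MFA serial are placeholders.

MFA_DELETE_CONFIG = {"Status": "Enabled", "MFADelete": "Enabled"}


def is_mfa_delete_enabled(versioning):
    """True only if versioning is on AND MFADelete is Enabled.

    get_bucket_versioning returns a dict in which both keys are absent on a
    bucket that never had versioning configured, so use .get().
    """
    return (versioning.get("Status") == "Enabled"
            and versioning.get("MFADelete") == "Enabled")


def remediate_mfa_delete(s3, bucket, mfa_serial, mfa_code):
    """Enable MFA Delete if it is missing; return True when a change was made.

    S3 only accepts MFADelete changes from the bucket owner's root-account
    credentials. The MFA parameter is the device serial (an ARN for virtual
    devices), a space, and the current code shown on the device.
    """
    if is_mfa_delete_enabled(s3.get_bucket_versioning(Bucket=bucket)):
        return False
    s3.put_bucket_versioning(
        Bucket=bucket,
        MFA=f"{mfa_serial} {mfa_code}",
        VersioningConfiguration=MFA_DELETE_CONFIG,
    )
    return True


class FakeS3Client:
    """Constructed stand-in for the two S3 API calls used above."""

    def __init__(self, versioning=None):
        self.versioning = dict(versioning or {})
        self.calls = []  # (Bucket, MFA, VersioningConfiguration) tuples

    def get_bucket_versioning(self, Bucket):
        return dict(self.versioning)

    def put_bucket_versioning(self, Bucket, VersioningConfiguration, MFA=None):
        # Mirror the real service: MFADelete cannot change without an MFA token.
        if "MFADelete" in VersioningConfiguration and not MFA:
            raise ValueError("MFA token required to change MFADelete")
        self.calls.append((Bucket, MFA, VersioningConfiguration))
        self.versioning = dict(VersioningConfiguration)
```

Against a real account, pass `boto3.client("s3")` created from root-account credentials as `s3`; a bucket policy alone cannot turn MFA Delete on.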