CloudTrail Logging Buckets Should Not Be Publicly Accessible
More Info:
AWS CloudTrail logging buckets should not be publicly accessible. An overly permissive or insecure set of permissions on your CloudTrail logging S3 buckets could give malicious users access to your AWS account's log data, which sharply increases the risk of unauthorized access.
Risk Level
Critical
Address
Security
Compliance Standards
GDPR, HIPAA, CISAWS, CBP, AWSWAF, HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
- Sign in to the AWS Management Console.
- Navigate to the CloudTrail service.
- Select Trails from the navigation pane.
- Identify Trails with Publicly Accessible Buckets:
  - Review each trail listed in the CloudTrail console and identify those with publicly accessible S3 buckets.
- Review Bucket ACL and Bucket Policy:
  - Click on each trail to view its details.
  - Under the “S3 bucket” section, review the bucket ACL and bucket policy for any grants to “AllUsers” or “AuthenticatedUsers” with “FULL_CONTROL” permission.
- Remove Public Access:
  - If there are grants allowing public access, you need to remove them:
    - Modify the bucket ACL to remove any grants allowing public access.
    - Delete the bucket policy if it allows public access.
- Repeat for Other Trails:
  - Repeat the above steps for all trails with publicly accessible S3 buckets.
- Identify CloudTrail Trails with Publicly Accessible Buckets:

```bash
aws cloudtrail describe-trails --query "trailList[?contains(S3BucketName, 'public-accessible-bucket')]" --output json
```

  Replace 'public-accessible-bucket' with the name of the bucket you’re investigating.

- Remove Public Access from S3 Bucket ACL:

```bash
aws s3api put-bucket-acl --bucket BUCKET_NAME --acl private
```

  Replace BUCKET_NAME with the name of the S3 bucket.

- Remove Bucket Policy (if it exists):

```bash
aws s3api delete-bucket-policy --bucket BUCKET_NAME
```

  Replace BUCKET_NAME with the name of the S3 bucket.

- Repeat for Other Trails:
  - If there are multiple CloudTrail trails with publicly accessible S3 buckets, repeat the above steps for each of them.
These steps remove public access from the S3 buckets associated with the CloudTrail trails using the AWS CLI. Ensure that you have appropriate IAM permissions to modify S3 bucket ACLs and policies. Note that CloudTrail delivers logs through a bucket policy statement that grants the cloudtrail.amazonaws.com service principal s3:PutObject; deleting the whole bucket policy removes that statement as well, so re-add it (or remove only the public statements) to keep log delivery working.
Here’s a Python script to identify and remediate CloudTrail trails with publicly accessible S3 buckets:
```python
import json

import boto3
from botocore.exceptions import ClientError

PUBLIC_GROUP_URIS = [
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
]


class CloudTrailChecker:
    def __init__(self):
        self.cloudtrail_client = boto3.client('cloudtrail')
        self.s3_client = boto3.client('s3')

    def get_publicly_accessible_trails(self):
        failures = []
        response = self.cloudtrail_client.describe_trails()
        for trail in response['trailList']:
            if self.is_trail_public(trail):
                failures.append(trail)
        return failures

    def is_trail_public(self, trail):
        bucket_name = trail.get("S3BucketName", "")
        if not bucket_name:
            return False
        # Check the bucket ACL for grants to the public groups
        bucket_acl = self.s3_client.get_bucket_acl(Bucket=bucket_name)
        for grant in bucket_acl.get("Grants", []):
            if grant.get("Grantee", {}).get("URI", "") in PUBLIC_GROUP_URIS \
                    and grant.get("Permission") == "FULL_CONTROL":
                return True
        # get_bucket_policy raises NoSuchBucketPolicy when the bucket has no policy at all
        try:
            bucket_policy = self.s3_client.get_bucket_policy(Bucket=bucket_name)
        except ClientError as err:
            if err.response["Error"]["Code"] == "NoSuchBucketPolicy":
                return False
            raise
        # The policy document is returned as a JSON string, not a dict
        statements = json.loads(bucket_policy["Policy"]).get("Statement", [])
        if isinstance(statements, dict):
            statements = [statements]
        for statement in statements:
            principal = statement.get("Principal", "")
            # A wildcard principal may be written as "*" or as {"AWS": "*"}
            if statement.get("Effect", "") == "Allow" and principal in ("*", {"AWS": "*"}):
                return True
        return False

    def remediate_public_trail(self, trail_name):
        bucket_name = self.cloudtrail_client.describe_trails(
            trailNameList=[trail_name]
        )['trailList'][0]['S3BucketName']
        # Remove public access from bucket ACL
        self.s3_client.put_bucket_acl(Bucket=bucket_name, ACL='private')
        # Remove public access from bucket policy. This also drops CloudTrail's own
        # cloudtrail.amazonaws.com write grant, which must be re-added for log delivery.
        self.s3_client.delete_bucket_policy(Bucket=bucket_name)
        print(f"Public access has been removed from the CloudTrail trail {trail_name}.")


# Instantiate the class
checker = CloudTrailChecker()
# Get trails with publicly accessible buckets
public_trails = checker.get_publicly_accessible_trails()
# Remediate public trails
for trail in public_trails:
    checker.remediate_public_trail(trail['Name'])
```
This Python script identifies CloudTrail trails with publicly accessible S3 buckets and removes public access from them by resetting the bucket ACL to private and deleting the bucket policy. Review the bucket policy before deleting it, since any non-public statements it contains (including CloudTrail's own delivery grant) are removed with it.
Make sure you have the appropriate IAM permissions for managing CloudTrail trails and S3 buckets, whether you use the AWS CLI or the Python script.
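Two details worth handling explicitly are that get_bucket_policy returns the policy as a JSON string and that a wildcard principal can be written as {"AWS": "*"} as well as "*". The example below is added here and is not part of the original page or script; the bucket name, ACL and policy are constructed. It evaluates an ACL and a policy document offline and shows how to strip only the public statements so CloudTrail's own service-principal grants survive remediation:

```python
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
def public_acl_grants(acl):
    """Grants to AllUsers/AuthenticatedUsers with any permission (READ alone already exposes the logs)."""
    return [g for g in acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS]
def principal_is_anyone(principal):
    # A wildcard principal is written either as "*" or as {"AWS": "*"} (the "AWS" value may be a list).
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False
def split_policy(policy_json):
    """Split a bucket policy (the JSON string get_bucket_policy returns) into
    (public_statements, other_statements). Any Allow with a wildcard principal is
    treated as public; a Condition may narrow it, so review those before stripping."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear unwrapped
        statements = [statements]
    public, kept = [], []
    for s in statements:
        is_public = s.get("Effect") == "Allow" and principal_is_anyone(s.get("Principal"))
        (public if is_public else kept).append(s)
    return public, kept
def sanitized_policy(policy_json):
    """Return the policy with only the public statements removed, so CloudTrail's own
    cloudtrail.amazonaws.com grants survive; None when nothing public was found."""
    doc = json.loads(policy_json)
    public, kept = split_policy(policy_json)
    if not public:
        return None
    doc["Statement"] = kept
    return json.dumps(doc)

# Constructed sample: CloudTrail's two standard statements plus one public read statement.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-trail-logs"},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-trail-logs/AWSLogs/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-trail-logs/*"}]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
```

In a live check, feed `get_bucket_acl(...)` and `get_bucket_policy(...)["Policy"]` for each trail's bucket into these functions, and apply the sanitized policy with `put_bucket_policy` instead of deleting it outright.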