Server Access Logging Feature Should Be Enabled
More Info:
Any S3 bucket used by AWS CloudTrail should have the Server Access Logging feature enabled so that requests made against the bucket are recorded; these records are needed for security audits and for investigating unauthorized access.
Risk Level
Medium
Address
Security
Compliance Standards
HIPAA, GDPR, SOC2, CISAWS, CBP, AWSWAF
Triage and Remediation
Remediation
To remediate the misconfiguration “Server Access Logging Feature Should Be Enabled” for AWS using the AWS console, follow these steps:
- Login to the AWS Management Console.
- Navigate to the S3 service.
- Select the S3 bucket for which you want to enable server access logging.
- Click on the “Properties” tab.
- Scroll down to the “Server access logging” section and click on “Edit”.
- Select the checkbox “Enable logging”.
- Choose the target bucket and target prefix for the log files.
- Click on “Save changes”.
Once you have enabled the server access logging feature, all access requests made to the S3 bucket will be logged and stored in the target bucket you have specified. This will help you track and monitor all access to your S3 bucket, which can help you identify any potential security threats or unauthorized access attempts.
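Once the logs are landing in the target bucket, the value comes from reading them. The following script is an added example, not part of the original page: it parses lines in the space-delimited S3 server access log format (bracketed timestamp, quoted request URI, referer and user agent, a dash for fields that do not apply) and reports two things a reviewer of these logs wants to see first: requests where the requester field is empty (anonymous) but the request succeeded, and per-source-IP counts of AccessDenied errors. The log lines, bucket names, canonical IDs and IP addresses are constructed sample data, not taken from any real account.

```python
"""Parse S3 server access log lines and summarise patterns worth reviewing."""
import re
from collections import Counter

# Field order as written by S3 server access logging. Entries written before a field
# existed are shorter, so trailing fields may be missing and are filled with None.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
    "host_header", "tls_version", "access_point_arn", "acl_required",
]

# One token is a [bracketed time], a "quoted string", or a run of non-space characters.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# Constructed sample log (not real data): one authenticated read, one anonymous read
# that succeeded, and two AccessDenied responses from the same address.
SAMPLE_LOG = """\
ownercanonicalid0000 example-bucket [06/Feb/2024:00:00:38 +0000] 192.0.2.3 ownercanonicalid0000 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /example-bucket/reports/q1.csv HTTP/1.1" 200 - 2048 2048 7 3 "-" "aws-cli/2.15.0" - hostidexample= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
ownercanonicalid0000 example-bucket [06/Feb/2024:00:01:02 +0000] 198.51.100.7 - 8B2E9A7C1EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 5 2 "-" "curl/8.4.0" - hostidexample= - - - example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
ownercanonicalid0000 example-bucket [06/Feb/2024:00:01:09 +0000] 198.51.100.7 - 9C1D2E3F4EXAMPLE REST.GET.OBJECT private/report.pdf "GET /private/report.pdf HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.4.0" - hostidexample= - - - example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
ownercanonicalid0000 example-bucket [06/Feb/2024:00:01:15 +0000] 198.51.100.7 - A1B2C3D4E5EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "curl/8.4.0" - hostidexample= - - - example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
"""


def parse_line(line):
    """Return a dict of field name -> value; S3 writes '-' for 'not applicable', mapped to None."""
    tokens = TOKEN_RE.findall(line.strip())
    record = {}
    for name, tok in zip(FIELDS, tokens):
        if tok.startswith("[") and tok.endswith("]"):
            tok = tok[1:-1]          # timestamp
        elif tok.startswith('"') and tok.endswith('"'):
            tok = tok[1:-1]          # request URI, referer, user agent
        record[name] = None if tok == "-" else tok
    for name in FIELDS[len(tokens):]:  # older, shorter entries
        record[name] = None
    return record


def audit(lines):
    """Flag successful anonymous requests and count AccessDenied errors per source IP."""
    anonymous_success = []
    denied_by_ip = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        status = rec["http_status"] or ""
        # No requester means the call was unauthenticated; a 2xx means the bucket or
        # object allowed it, which is usually not what the owner intended.
        if rec["requester"] is None and status.startswith("2"):
            anonymous_success.append((rec["bucket"], rec["operation"], rec["key"]))
        if rec["error_code"] == "AccessDenied":
            denied_by_ip[rec["remote_ip"]] += 1
    return {"anonymous_success": anonymous_success, "denied_by_ip": dict(denied_by_ip)}


def audit_sample():
    """Run the audit over the constructed sample log."""
    return audit(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding, value in audit_sample().items():
        print(finding, value)
```

In practice the lines come from the log objects under the target prefix you configured above; the parser is the same whether you read them from a download or stream them from the bucket. The tokenizer treats anything inside brackets or double quotes as a single field, which is what makes the space-separated format safe to split even when a user agent or request URI contains spaces.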
To remediate the misconfiguration “Server Access Logging Feature Should Be Enabled” for an AWS S3 bucket using AWS CLI, follow these steps:
- Open the AWS CLI on your computer.
- Enter the following command to grant the S3 log delivery group write access to the bucket that will receive the logs. The log-delivery-write canned ACL grants the LogDelivery group WRITE and READ_ACP while keeping the bucket owner's FULL_CONTROL. This only takes effect when the target bucket has ACLs enabled; buckets whose Object Ownership is “Bucket owner enforced” (the default for new buckets) ignore ACLs and rely on the bucket policy from the next step instead:
aws s3api put-bucket-acl --bucket <target-bucket> --acl log-delivery-write
Replace <target-bucket> with the name of the bucket that will store the server access logs. This can be the bucket you are enabling logging for, but a dedicated logging bucket in the same Region is recommended so the log bucket does not record its own log deliveries.
- Enter the following command to attach a bucket policy that allows the S3 logging service principal to write server access logs into the target bucket, restricted to logs originating from your source bucket and your account:
aws s3api put-bucket-policy --bucket <target-bucket> --policy '{"Version":"2012-10-17","Statement":[{"Sid":"S3ServerAccessLogsPolicy","Effect":"Allow","Principal":{"Service":"logging.s3.amazonaws.com"},"Action":"s3:PutObject","Resource":"arn:aws:s3:::<target-bucket>/AWSLogs/<AWS-account-ID>/*","Condition":{"ArnLike":{"aws:SourceArn":"arn:aws:s3:::<bucket-name>"},"StringEquals":{"aws:SourceAccount":"<AWS-account-ID>"}}}]}'
Replace <target-bucket> with the logging bucket, <bucket-name> with the name of the S3 bucket you want to enable server access logging for, and <AWS-account-ID> with your AWS account ID. The two conditions prevent the logging service from being used to write into your bucket on behalf of a bucket in another account.
- Enter the following command to enable server access logging for the S3 bucket (the option is --bucket-logging-status; the log record format is fixed by S3 and is not part of the configuration):
aws s3api put-bucket-logging --bucket <bucket-name> --bucket-logging-status '{"LoggingEnabled":{"TargetBucket":"<target-bucket>","TargetPrefix":"AWSLogs/<AWS-account-ID>/"}}'
Replace <bucket-name> with the name of the S3 bucket you want to enable server access logging for, <target-bucket> with the logging bucket, and <AWS-account-ID> with your AWS account ID. The TargetPrefix must match the path allowed in the bucket policy above.
After following these steps, server access logging will be enabled for the specified S3 bucket. You can confirm this with aws s3api get-bucket-logging --bucket <bucket-name>, whose output should contain a LoggingEnabled block with your target bucket and prefix; note that log delivery is best effort and the first records can take a few hours to appear.
To remediate the misconfiguration “Server Access Logging Feature Should Be Enabled” in AWS using Python, you can follow the below steps:
- Import the necessary AWS SDK modules in Python:
import boto3
from botocore.exceptions import ClientError
- Initialize the AWS SDK client for S3:
s3 = boto3.client('s3')
- List all the S3 buckets in your AWS account:
buckets = s3.list_buckets()
- For each bucket, check if server access logging is enabled and enable it if it is not. Logs are written to a dedicated logging bucket (LOG_TARGET_BUCKET is a placeholder for a bucket you have already created in the same Region as the source buckets and to which the logging service principal may write, as in the CLI steps above). The logging bucket itself is skipped so it does not record its own log deliveries, and buckets whose logging status cannot be read (for example, a bucket in another Region) are reported rather than aborting the run:
LOG_TARGET_BUCKET = 'my-access-logs-bucket'  # placeholder: replace with your logging bucket

for bucket in buckets['Buckets']:
    bucket_name = bucket['Name']
    if bucket_name == LOG_TARGET_BUCKET:
        continue
    try:
        logging = s3.get_bucket_logging(Bucket=bucket_name)
    except ClientError as err:
        print(f"{bucket_name}: could not read logging status ({err.response['Error']['Code']})")
        continue
    if 'LoggingEnabled' not in logging:
        # Enable server access logging for the bucket; one prefix per source bucket
        # keeps the logs of different buckets apart in the target bucket.
        s3.put_bucket_logging(
            Bucket=bucket_name,
            BucketLoggingStatus={
                'LoggingEnabled': {
                    'TargetBucket': LOG_TARGET_BUCKET,
                    'TargetPrefix': f'{bucket_name}/'
                }
            }
        )
        print(f'{bucket_name}: server access logging enabled')
- Save the Python script and run it to enable server access logging for all S3 buckets in your AWS account.
Note: Make sure you have the necessary AWS credentials configured to run the Python script. The identity running it needs s3:ListAllMyBuckets, s3:GetBucketLogging and s3:PutBucketLogging on the buckets being remediated.