Cloudtrail s3 bucket logging remediation

Using Console

Using CLI

To remediate the misconfiguration “Server Access Logging Feature Should Be Enabled” for an AWS S3 bucket using AWS CLI, follow these steps:

Open the AWS CLI on your computer.
Enter the following command to enable server access logging for an S3 bucket:

aws s3api put-bucket-acl --bucket <bucket-name> --grant-full-control uri=http://acs.amazonaws.com/groups/s3/LogDelivery --grant-read-acp uri=http://acs.amazonaws.com/groups/s3/LogDelivery

Replace <bucket-name> with the name of the S3 bucket you want to enable server access logging for.

Enter the following command to create a new S3 bucket policy that allows the S3 bucket owner to write server access logs to the bucket:

aws s3api put-bucket-policy --bucket <bucket-name> --policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::cloudfront:user/log-delivery@AWS-account-ID\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::<bucket-name>/AWSLogs/AWS-account-ID/*\"}]}"

Replace <bucket-name> with the name of the S3 bucket you want to enable server access logging for and replace AWS-account-ID with your AWS account ID.

Enter the following command to enable server access logging for the S3 bucket:

aws s3api put-bucket-logging --bucket <bucket-name> --logging-configuration "{\"LogFormat\":[{\"Field\":\"requester\"},{\"Field\":\"bucket-owner\"},{\"Field\":\"time\"},{\"Field\":\"remote-ip\"},{\"Field\":\"request-method\"},{\"Field\":\"request-uri\"},{\"Field\":\"http-status\"},{\"Field\":\"error-code\"},{\"Field\":\"bytes-sent\"},{\"Field\":\"object-size\"},{\"Field\":\"total-time\"},{\"Field\":\"turn-around-time\"},{\"Field\":\"referer\"},{\"Field\":\"user-agent\"}],\"LoggingEnabled\":{\"TargetBucket\":\"<bucket-name>\",\"TargetPrefix\":\"AWSLogs/AWS-account-ID/\",\"TargetGrants\":[{\"Grantee\":{\"Type\":\"Group\",\"URI\":\"http://acs.amazonaws.com/groups/s3/LogDelivery\"},\"Permission\":\"WRITE\"}]}}"

Replace <bucket-name> with the name of the S3 bucket you want to enable server access logging for and replace AWS-account-ID with your AWS account ID.After following these steps, server access logging will be enabled for the specified S3 bucket.

Using Python

To remediate the misconfiguration “Server Access Logging Feature Should Be Enabled” in AWS using Python, you can follow the below steps:

Import the necessary AWS SDK modules in Python:

import boto3

Initialize the AWS SDK client for S3:

s3 = boto3.client('s3')

List all the S3 buckets in your AWS account:

buckets = s3.list_buckets()

For each bucket, check if server access logging is enabled:

for bucket in buckets['Buckets']:
    bucket_name = bucket['Name']
    logging = s3.get_bucket_logging(Bucket=bucket_name)
    if 'LoggingEnabled' not in logging:
        # Enable server access logging for the bucket
        s3.put_bucket_logging(
            Bucket=bucket_name,
            BucketLoggingStatus={
                'LoggingEnabled': {
                    'TargetBucket': bucket_name,
                    'TargetPrefix': 'logs/'
                }
            }
        )

Save the Python script and run it to enable server access logging for all S3 buckets in your AWS account.

Note: Make sure you have the necessary AWS credentials configured to run the Python script.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Cloudtrail s3 bucket logging remediation

Triage and Remediation

Remediation