AWS Cloudtrail

CloudTrail Bucket Having Public Access

This plugin prevents public access to the CloudTrail logging bucket.

Risk Level: High

Description:

This plugin prevents public access to the CloudTrail logging bucket. Large volumes of sensitive account data are stored in CloudTrail buckets, which should only be accessed by logged-in users.

Recommended Action: Set the S3 bucket access policy for all CloudTrail buckets to allow only known users to access its files.

About the Service:

AWS CloudTrail is an AWS service that allows you to manage your AWS account's governance, compliance, operational, and risk auditing. In CloudTrail, actions done by a user, role, or AWS service are recorded as events. Actions made in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are all considered events.

Impact:

Using overly permissive or insecure permissions for your CloudTrail logging S3 buckets could give unscrupulous individuals access to your AWS account log data, greatly increasing the risk of unauthorized access.

Steps to reproduce:

  1. Sign in to your AWS management console.
  2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
  3. On the left panel, select Trails.
  4. Click on the trail you want to examine.
  5. Copy the name of the S3 bucket associated with the trail.
  6. Visit S3 Dashboard, search for the copied S3 name, and open it.
  7. Under the Block Public Access panel, check the status of the first two settings, as shown in the image:
  8. If both are disabled, scroll down to the Access Control List panel and check whether the grantee named “Everyone” has been granted any permission on the bucket.

Steps for remediation:

  1. Sign in to your AWS management console.
  2. Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
  3. On the left panel, select Trails.
  4. Click on the trail you want to examine.
  5. Copy the name of the S3 bucket associated with the trail.
  6. Visit S3 Dashboard, search for the copied S3 name, and open it.
  7. On the Block Public Access panel, click Edit.
  8. Select the checkbox at the top named Block all public access, and click on Save changes.
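The two procedures above, carried out as code rather than console clicks. This is an added example, not part of this page or of the plugin's own code. It works on the response shapes of boto3's describe_trails, get_public_access_block, get_bucket_acl and put_public_access_block calls, and ships with constructed stand-in clients (FakeCloudTrail, FakeS3, with made-up bucket names) so that it runs offline; pass real clients (boto3.client("cloudtrail"), boto3.client("s3")) to run it against an account. It goes slightly beyond step 8 of the reproduction: it inspects the ACL whenever the IgnorePublicAcls setting is off, not only when both settings are off, because an existing public ACL still grants access when only BlockPublicAcls is enabled.

```python
from dataclasses import dataclass, field

# S3 group URIs behind the console grantees "Everyone (public access)" and
# "Authenticated users group (anyone with an AWS account)".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Authenticated users",
}
# The first two Block Public Access settings govern ACLs: BlockPublicAcls rejects
# new public ACLs, IgnorePublicAcls makes S3 ignore existing ones.
ACL_BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls")
ALL_BLOCK_SETTINGS = ACL_BLOCK_SETTINGS + ("BlockPublicPolicy", "RestrictPublicBuckets")

@dataclass
class Finding:
    bucket: str
    public: bool = False
    reasons: list = field(default_factory=list)

def get_block_config(s3, bucket):
    """Return the bucket's PublicAccessBlockConfiguration, or {} if it was never set."""
    try:
        return s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except Exception as err:  # boto3 raises ClientError with this code when BPA is unset
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code != "NoSuchPublicAccessBlockConfiguration":
            raise
        return {}

def public_acl_grants(acl):
    """(grantee label, permission) for every ACL grant made to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label:
            hits.append((label, grant["Permission"]))
    return hits

def check_bucket(s3, bucket):
    """Reproduction steps 7-8: read the BPA settings, then inspect the ACL."""
    finding = Finding(bucket)
    cfg = get_block_config(s3, bucket)
    disabled = [k for k in ACL_BLOCK_SETTINGS if not cfg.get(k, False)]
    if disabled:
        finding.reasons.append("Block Public Access off: " + ", ".join(disabled))
    if cfg.get("IgnorePublicAcls", False):
        return finding  # existing public ACLs are ignored, so they cannot expose the bucket
    for label, perm in public_acl_grants(s3.get_bucket_acl(Bucket=bucket)):
        finding.public = True
        finding.reasons.append(f"ACL grants {perm} to '{label}'")
    return finding

def scan_trails(cloudtrail, s3):
    """Reproduction steps 3-6: resolve each trail's log bucket and check it."""
    trails = cloudtrail.describe_trails()["trailList"]
    return [check_bucket(s3, t["S3BucketName"]) for t in trails if t.get("S3BucketName")]

def remediate_bucket(s3, bucket):
    """Remediation step 8: the 'Block all public access' checkbox turns on all four."""
    config = dict.fromkeys(ALL_BLOCK_SETTINGS, True)
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=config)
    return config

# Constructed stand-ins for the boto3 clients so the check runs offline (sample data, not real buckets).
PUBLIC_READ = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}
OWNER_ONLY = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}

class NoBlockConfig(Exception):
    response = {"Error": {"Code": "NoSuchPublicAccessBlockConfiguration"}}

class FakeS3:
    def __init__(self):
        self.bpa = {  # "trail-logs-private" deliberately has no BPA configuration at all
            "trail-logs-public": dict.fromkeys(ALL_BLOCK_SETTINGS, False),
            "trail-logs-ignored": {**dict.fromkeys(ALL_BLOCK_SETTINGS, False), "IgnorePublicAcls": True},
        }
        self.acls = {"trail-logs-public": {"Grants": [PUBLIC_READ]},
                     "trail-logs-ignored": {"Grants": [PUBLIC_READ]},
                     "trail-logs-private": {"Grants": [OWNER_ONLY]}}

    def get_public_access_block(self, Bucket):
        if Bucket not in self.bpa:
            raise NoBlockConfig()
        return {"PublicAccessBlockConfiguration": dict(self.bpa[Bucket])}

    def get_bucket_acl(self, Bucket):
        return self.acls[Bucket]

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.bpa[Bucket] = dict(PublicAccessBlockConfiguration)

class FakeCloudTrail:
    def describe_trails(self):
        return {"trailList": [{"Name": n, "S3BucketName": n} for n in sorted(FakeS3().acls)]}
```

Running scan_trails(FakeCloudTrail(), FakeS3()) flags only trail-logs-public: trail-logs-ignored has the same public ACL but IgnorePublicAcls on, and trail-logs-private has no Block Public Access configuration at all but grants nothing to a public group. After remediate_bucket on the public bucket, check_bucket reports it clean with no reasons.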

References: