This plugin ensures that Data events are included in the trail configuration for Amazon CloudTrail.
Risk Level: MEDIUM
Description:
This plugin ensures that Data events are included in the trail configuration for Amazon CloudTrail. In order to log S3 object-level API actions, the AWS CloudTrail trail needs to be configured to enable Data Events.
Recommended Action: Enable access logging on the CloudTrail bucket from the S3 console.
About the Service :
AWS CloudTrail is an AWS service that allows you to manage your AWS account's governance, compliance, operational, and risk auditing. In CloudTrail, actions done by a user, role, or AWS service are recorded as events. Actions made in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs are all considered events.
Impact:
Using Amazon CloudWatch Events, enable CloudTrail Data events logging to meet data compliance standards within your business, do extensive security analysis, monitor specific patterns of user behaviour in your AWS account, or take rapid actions on any object-level API activity.
Steps to reproduce :- Sign in to your AWS management console.
- Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
- On the left panel, select Trails.
- Click on the trail you want to examine.
- Scroll down to Data Events option and check its status.
- If it appears as:
It means, Data event are not included in the selected AWS Cloudtrail logging configurations therefore S3 object-level API operations such as GetObject, DeleteObject and PutObject are not recorded. - Repeat steps no. 4-6 for other trails in the selected region as well as for other AWS regions.
Steps for remediation :
- Sign in to your AWS management console.
- Navigate to the CloudTrail dashboard at: https://console.aws.amazon.com/cloudtrail/
- On the left panel, select Trails.
- Click on the trail you want to examine.
- Scroll down to the Data Events option and click on Edit.
- Toggle the checkbox named Data event.
- Check the Select all S3 buckets in your account checkbox to enable Data events logging for all S3 buckets in your AWS account. Then select whether you want to log Read events (e.g. GetObject) or Write events (e.g. PutObject) or both types of events by selecting Read and/or Write checkboxes. This setting overrides any S3 bucket-specific settings.
- To enable data event logging for individual AWS S3 buckets, go to Add S3 bucket, provide the bucket name and prefix (optional), and choose whether you want to log Read, Write, or both types of events by checking the Read and/or Write checkboxes. You can add up to 250 buckets and prefix combinations to each CloudTrail trail. If you enable Data event logging for all Amazon S3 buckets, this restriction does not apply.
- To save the trail setting and apply the modifications, click Save.
- Repeat steps no. 4-7 for other trails in the selected region as well as for other AWS regions.
References: