Ensure S3 bucket modifications can be detected

Error: S3 bucket modifications cannot be detected

Bridgecrew Policy ID: BC_AWS_ALERT_1
Severity: MEDIUM

S3 bucket modifications cannot be detected

Description

CloudTrail records bucket-level S3 API calls as management events. The CloudTrail console's Event history keeps only the last 90 days of them; a trail is needed to deliver events to S3 or CloudWatch Logs for longer retention and for alerting. This check tracks bucket-level permission and configuration changes, including:

  • PutBucketAcl
  • PutBucketPolicy
  • PutBucketCors
  • PutBucketLifecycle
  • PutBucketReplication
  • DeleteBucketPolicy
  • DeleteBucketCors
  • DeleteBucketLifecycle
  • DeleteBucketReplication

Bucket policies and bucket or object ACLs grant access to other users, roles and services. The AWS console shows prompts and warnings at these points to prevent lapses in security, but it cannot catch every mistake, and changes made through the API, CLI or infrastructure-as-code tooling never see those warnings. Monitoring automated and manual changes to S3 buckets therefore provides an additional layer of protection against errors.
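The detection logic implied by the event list above, run over sample CloudTrail records, as an added example that is not part of the Bridgecrew policy page or of Bridgecrew's own tooling. The page does not prescribe how detection must be implemented; the CloudWatch Logs metric filter pattern in the block is an assumption about one common way to alert from a CloudTrail log group. The sample records are constructed, not captured from a real account, and carry only the fields the detector reads.

```python
import json
from typing import Any

S3_EVENT_SOURCE = "s3.amazonaws.com"

# Bucket-level S3 API calls the policy expects to be detectable.
WATCHED_EVENTS = frozenset({
    "PutBucketAcl", "PutBucketPolicy", "PutBucketCors", "PutBucketLifecycle",
    "PutBucketReplication", "DeleteBucketPolicy", "DeleteBucketCors",
    "DeleteBucketLifecycle", "DeleteBucketReplication",
})

# The same condition expressed as a CloudWatch Logs metric filter pattern, for
# teams that alert from a CloudTrail log group (assumed implementation; the
# policy page does not prescribe one). Names are sorted only for determinism.
METRIC_FILTER_PATTERN = (
    "{ ($.eventSource = s3.amazonaws.com) && ("
    + " || ".join(f"($.eventName = {name})" for name in sorted(WATCHED_EVENTS))
    + ") }"
)


def is_bucket_modification(record: dict[str, Any]) -> bool:
    """True when a CloudTrail record is one of the watched bucket-level calls.

    Read-only calls (GetBucketPolicy) and object-level calls (PutObjectAcl,
    which CloudTrail logs as a data event, not a management event) do not match.
    """
    return (
        record.get("eventSource") == S3_EVENT_SOURCE
        and record.get("eventName") in WATCHED_EVENTS
    )


def summarize(record: dict[str, Any]) -> dict[str, Any]:
    """Reduce a matching record to the fields needed to triage the change."""
    identity = record.get("userIdentity") or {}
    params = record.get("requestParameters") or {}
    return {
        "time": record.get("eventTime"),
        "event": record.get("eventName"),
        "bucket": params.get("bucketName"),
        "actor": identity.get("arn") or identity.get("principalId"),
        "source_ip": record.get("sourceIPAddress"),
        "user_agent": record.get("userAgent"),
        # A denied attempt is still logged; errorCode separates it from a success.
        "error_code": record.get("errorCode"),
    }


def find_bucket_modifications(cloudtrail_json: str) -> list[dict[str, Any]]:
    """Scan one CloudTrail log-file body ({"Records": [...]}) and return a
    summary for every watched bucket-level change, in log order."""
    records = json.loads(cloudtrail_json).get("Records", [])
    return [summarize(r) for r in records if is_bucket_modification(r)]


# Constructed sample log (not from a real account); account ID and IPs are
# documentation values.
SAMPLE_LOG = json.dumps({"Records": [
    {  # bucket policy rewritten from the console: must be flagged
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
        "requestParameters": {"bucketName": "finance-reports"},
    },
    {  # read-only call: not a modification
        "eventTime": "2024-05-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetBucketPolicy",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"bucketName": "finance-reports"},
    },
    {  # object-level ACL change: a data event, outside this bucket-level list
        "eventTime": "2024-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObjectAcl",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"bucketName": "finance-reports", "key": "q1.csv"},
    },
    {  # denied automated deletion through an assumed role: flagged, with errorCode
        "eventTime": "2024-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucketPolicy",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/deploy/terraform"},
        "sourceIPAddress": "198.51.100.7", "userAgent": "aws-sdk-go/1.44.0",
        "requestParameters": {"bucketName": "finance-reports"},
        "errorCode": "AccessDenied",
    },
]})

if __name__ == "__main__":
    for hit in find_bucket_modifications(SAMPLE_LOG):
        print(hit)
```

Two points the sample makes visible: a failed call such as the denied DeleteBucketPolicy is still recorded and still matches, so an alert consumer should read errorCode rather than assume every hit succeeded; and object-level ACL changes (PutObjectAcl) are S3 data events that a management-event trail does not capture, so the bucket-level list on this page does not cover them.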