Ensure the S3 bucket used to store CloudTrail logs does not have public access

Error: The S3 bucket used to store CloudTrail logs has public access

Bridgecrew Policy ID: BC_AWS_LOGGING_3
Severity: HIGH

The S3 bucket used to store CloudTrail logs has public access


CloudTrail logs a record of every API call made in your AWS account. These logs files are stored in an S3 bucket. Allowing public access to CloudTrail log content may aid an adversary in identifying weaknesses in the affected account's use or configuration.

We recommend that you prevent public access to CloudTrail logs stored in either the S3 bucket, or the access control list (ACL) applied to the S3 bucket.

Fix - Runtime

AWS Console

To remove any public access that has been granted to the bucket via an ACL or S3 bucket policy, follow these steps:

  1. Log in to the AWS Management Console as an IAM user at https://console.aws.amazon.com/.
  2. Right-click on the bucket, click Properties.
  3. In the Properties section, click the Permissions tab.
  4. The tab shows a list of grants, one row per grant, in the bucket ACL. Each row identifies the grantee and the permissions granted.
  5. Select the row that grants permission to Everyone or Any Authenticated User.
  6. Clear all the permissions granted to Everyone or Any Authenticated User , select X to delete the row.
  7. To save the ACL, click Save.
  8. Click the Edit bucket policy (if present).
  9. Remove any Statement having an Effect set to Allow and a Principal set to * or {AWS : *}. Default Value: By default, S3 buckets are not publicly accessible.