Ensure CloudTrail S3 bucket access logging is enabled

Error: CloudTrail S3 bucket access logging is not enabled

Bridgecrew Policy ID: BC_AWS_LOGGING_6
Severity: HIGH

CloudTrail S3 bucket access logging is not enabled


S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, including: the request type, the resources specified in the request worked, and the time and date the request was processed.

Enabling S3 bucket logging on target S3 buckets, you can capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.

We recommend you enable bucket access logging on the CloudTrail S3 bucket.

Fix - Runtime

AWS Console

To enable S3 bucket logging using the AWS Management Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon S3 console.
  3. Navigate to All Buckets and select the target S3 bucket.
  4. At the top right of the console, click Properties.
  5. Under Bucket: <s3_bucket_for_cloudtrail>, select Logging.
  6. Configure bucket logging:
    a) Select Enabled.
    b) From the list, select Target Bucket.
    c) Enter a Target Prefix.