id: cloudtrail-s3-bucket-logging info: name: CloudTrail S3 Logging author: princechaddha severity: high description: | Ensure AWS CloudTrail logs are captured in S3 buckets with Server Access Logging enabled for audit and forensic purposes. impact: | Without S3 Server Access Logging for CloudTrail, tracking unauthorized access or modifications to CloudTrail logs becomes difficult, impacting incident response and forensic analysis. remediation: | Enable Server Access Logging on the S3 bucket used by CloudTrail. Configure the logging feature to capture all requests made to the CloudTrail bucket. reference: - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html tags: cloud,devops,aws,amazon,s3,cloudtrail,aws-cloud-config variables: region: "ap-south-1" flow: | code(1) for(let CloudTrail of iterate(template.cloudtrailname)){ set("trail", CloudTrail) code(2) for(let BucketNames of iterate(template.buckets)){ set("bucket", BucketNames) code(3) } } self-contained: true code: - engine: - sh - bash source: | aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json extractors: - type: json name: cloudtrailname internal: true json: - '.[]' - engine: - sh - bash source: | aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].S3BucketName' extractors: - type: json name: buckets internal: true json: - '.[]' - engine: - sh - bash source: | aws s3api get-bucket-logging --bucket $bucket --query 'LoggingEnabled' matchers: - type: word words: - 'null' extractors: - type: dsl dsl: - '"Access logging is not enabled for the S3 bucket associated with CloudTrail trail " + trail' # digest: 4a0a00473045022100fc881c1ddc9a2e0229e8f3fbac211a1e5c3b7dac4363cd0611c002a55f455dc602201c3c0d885e1b03e7c10a09dbe42871bd2eeb1ffb62360ece9e5297a0d07e6953:922c64590222798bb761d5b6d8e72950