id: cloudtrail-s3-bucket-logging info: name: CloudTrail S3 Logging author: princechaddha severity: high description: | Ensure AWS CloudTrail logs are captured in S3 buckets with Server Access Logging enabled for audit and forensic purposes. impact: | Without S3 Server Access Logging for CloudTrail, tracking unauthorized access or modifications to CloudTrail logs becomes difficult, impacting incident response and forensic analysis. remediation: | Enable Server Access Logging on the S3 bucket used by CloudTrail. Configure the logging feature to capture all requests made to the CloudTrail bucket. reference: - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html metadata: max-request: 3 tags: cloud,devops,aws,amazon,s3,cloudtrail,aws-cloud-config variables: region: "ap-south-1" flow: | code(1) for(let CloudTrail of iterate(template.cloudtrailname)){ set("trail", CloudTrail) code(2) for(let BucketNames of iterate(template.buckets)){ set("bucket", BucketNames) code(3) } } self-contained: true code: - engine: - sh - bash source: | aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json extractors: - type: json name: cloudtrailname internal: true json: - '.[]' - engine: - sh - bash source: | aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].S3BucketName' extractors: - type: json name: buckets internal: true json: - '.[]' - engine: - sh - bash source: | aws s3api get-bucket-logging --bucket $bucket --query 'LoggingEnabled' matchers: - type: word words: - 'null' extractors: - type: dsl dsl: - '"Access logging is not enabled for the S3 bucket associated with CloudTrail trail " + trail' # digest: 4a0a00473045022100bfe94b20d18063458c694381cd23f96dd8023473e8b9e8151922295b88bff033022044b9f7a79baa2caa0d4ae5406a2701c73c77ddc43da72190b32f1e6ec1fa21ca:922c64590222798bb761d5b6d8e72950