Critical CloudTrail Regional

Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible

CIS, PCI DSS

Description

This control checks whether the S3 bucket used to store CloudTrail logs is publicly accessible.


Remediation

To comply with this control, ensure that the S3 bucket used for storing CloudTrail logs is configured to deny public access. Both the bucket policy and the ACLs should restrict public access.

Steps

  1. Sign in to the AWS Management Console and open the S3 console.
  2. In the S3 console, find and select the S3 bucket used by CloudTrail.
  3. Click on the 'Permissions' tab for the selected bucket.
  4. Under the 'Block public access (bucket settings)' section, ensure that 'Block all public access' is turned on. This setting should block new public ACLs and any public bucket policies.
  5. Click on 'Edit' if 'Block all public access' is not enabled and then enable it.
  6. Scroll down to the 'Bucket policy' section. Ensure that the bucket policy does not allow public access. If necessary, modify the policy to restrict public access.
  7. Also, under the 'Access control list (ACL)' section, ensure that the bucket is not publicly accessible.
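As an added example (not part of this control's text), the following Python evaluates the same three settings the steps above walk through, given the shapes the S3 API returns for get_public_access_block, get_bucket_policy and get_bucket_acl; the bucket name, owner id and sample data are constructed.

```python
# Added example: evaluate the three settings the remediation steps check
# (Block public access, bucket policy, ACL) for a CloudTrail log bucket.
# Inputs mirror the shapes returned by the S3 API calls get_public_access_block,
# get_bucket_policy and get_bucket_acl; the sample data below is constructed.
PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})
PUBLIC_ACL_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def public_policy_sids(policy):
    """Sids of unconditional Allow statements granted to the anonymous principal."""
    return [stmt.get("Sid", "<no Sid>")
            for stmt in (policy or {}).get("Statement", [])
            if stmt.get("Effect") == "Allow"
            and stmt.get("Principal") in PUBLIC_PRINCIPALS
            and "Condition" not in stmt]  # conditional grants still need manual review

def public_acl_permissions(grants):
    """Permissions the bucket ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS]

def assess_cloudtrail_bucket(public_access_block, policy, acl_grants):
    """Return a list of findings; an empty list means the bucket passes this control."""
    findings = []
    missing = [f for f in PAB_FLAGS if not (public_access_block or {}).get(f)]
    if missing:
        findings.append("Block public access not fully enabled: " + ", ".join(missing))
    findings += ["Bucket policy statement grants public access: " + sid
                 for sid in public_policy_sids(policy)]
    findings += ["Bucket ACL grants public " + perm
                 for perm in public_acl_permissions(acl_grants)]
    return findings

# Constructed sample: CloudTrail's own service principal is expected, but one
# extra policy statement and one ACL grant make the bucket public.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-trail-bucket/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-trail-bucket/*"}]}
SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_ACL_GROUPS[0]}, "Permission": "READ"}]
```

Running `assess_cloudtrail_bucket(SAMPLE_PAB, SAMPLE_POLICY, SAMPLE_ACL)` on the sample reports all three failures; a bucket with every Block public access flag on, only the CloudTrail service statement and only the owner ACL grant returns an empty list.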

Compliance

CIS, PCI DSS