Medium | S3 | Regional

S3 general purpose buckets should log object-level read events

CIS v5.0.0, CIS v3.0.0, PCI DSS v4.0.1, PCI DSS v10.2.1

Description

This control checks whether an AWS account has at least one AWS CloudTrail multi-Region trail configured to log all read data events for Amazon S3 buckets. The control fails if such a multi-Region trail is not present.


Remediation

Configure a CloudTrail multi-Region trail to log S3 read data events.

Steps

  1. Open the AWS CloudTrail console.
  2. Select or create a multi-Region trail.
  3. Edit the trail and go to 'Advanced settings' or 'Data events'.
  4. Add a data event selector for 'S3' service with 'All S3 buckets'.
  5. Set 'Event type' to 'Read only' or 'All'.
  6. Save the configuration.
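The evaluation the control performs, written out as an added example (not part of this page or of any AWS tool). It assumes the per-trail input has been assembled from the JSON of `aws cloudtrail describe-trails`, `get-event-selectors` and `get-trail-status`, so each trail record carries `IsMultiRegionTrail`, `IsLogging`, and its `EventSelectors` or `AdvancedEventSelectors`; the sample trails below are constructed, not captured from a real account. Treating a trail that is not currently logging as non-compliant, and treating any `resources.ARN` filter in an advanced selector as narrower than "All S3 buckets", are this example's own conservative choices.

```python
"""Checker for the control above: does at least one multi-Region CloudTrail trail
log read data events for all S3 buckets?

Added example, not part of this page or of any AWS tool. The input shape mirrors
the JSON of `aws cloudtrail describe-trails`, `get-event-selectors` and
`get-trail-status`, merged per trail; the sample below is constructed, not
captured from a real account.
"""
import json

S3_OBJECT_TYPE = "AWS::S3::Object"
ALL_S3_BUCKETS = "arn:aws:s3"  # bare prefix = "All S3 buckets" in a basic selector


def basic_selector_covers_s3_reads(selector):
    """Basic event selector: ReadWriteType must be ReadOnly or All, and one
    DataResource of type AWS::S3::Object must select every bucket."""
    if selector.get("ReadWriteType") not in ("ReadOnly", "All"):
        return False
    return any(
        res.get("Type") == S3_OBJECT_TYPE and ALL_S3_BUCKETS in res.get("Values", [])
        for res in selector.get("DataResources", [])
    )


def advanced_selector_covers_s3_reads(selector):
    """Advanced event selector: eventCategory=Data, resources.type=AWS::S3::Object,
    readOnly either absent (reads and writes) or 'true', and no resources.ARN
    field. An ARN filter narrows the scope below "all buckets"; this example
    conservatively treats it as not covering the whole account."""
    fields = {fs["Field"]: fs for fs in selector.get("FieldSelectors", [])}
    if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
        return False
    if S3_OBJECT_TYPE not in fields.get("resources.type", {}).get("Equals", []):
        return False
    read_only = fields.get("readOnly")
    if read_only is not None and read_only.get("Equals") != ["true"]:
        return False
    return "resources.ARN" not in fields


def trail_covers_s3_reads(trail):
    """A trail counts only if it is multi-Region, currently logging (IsLogging
    from get-trail-status), and carries a qualifying basic or advanced selector."""
    if not trail.get("IsMultiRegionTrail") or not trail.get("IsLogging"):
        return False
    if any(basic_selector_covers_s3_reads(s) for s in trail.get("EventSelectors", [])):
        return True
    return any(advanced_selector_covers_s3_reads(s)
               for s in trail.get("AdvancedEventSelectors", []))


def evaluate_account(trails):
    """Apply the control's rule: PASS if any trail qualifies, otherwise FAIL."""
    passing = [t["Name"] for t in trails if trail_covers_s3_reads(t)]
    if passing:
        return "PASS", "qualifying trails: " + ", ".join(passing)
    return "FAIL", "no multi-Region trail logs read data events for all S3 buckets"


# Constructed sample: three trails that do not satisfy the control and one that does.
SAMPLE_TRAILS_JSON = """[
  {"Name": "single-region-trail", "IsMultiRegionTrail": false, "IsLogging": true,
   "EventSelectors": [{"ReadWriteType": "ReadOnly", "IncludeManagementEvents": true,
     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]},
  {"Name": "management-only-trail", "IsMultiRegionTrail": true, "IsLogging": true,
   "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": true,
     "DataResources": []}]},
  {"Name": "write-only-trail", "IsMultiRegionTrail": true, "IsLogging": true,
   "AdvancedEventSelectors": [{"Name": "S3 writes", "FieldSelectors": [
     {"Field": "eventCategory", "Equals": ["Data"]},
     {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
     {"Field": "readOnly", "Equals": ["false"]}]}]},
  {"Name": "org-trail", "IsMultiRegionTrail": true, "IsLogging": true,
   "AdvancedEventSelectors": [{"Name": "S3 reads and writes", "FieldSelectors": [
     {"Field": "eventCategory", "Equals": ["Data"]},
     {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]}]}
]"""
SAMPLE_TRAILS = json.loads(SAMPLE_TRAILS_JSON)

if __name__ == "__main__":
    status, reason = evaluate_account(SAMPLE_TRAILS)
    print(status, "-", reason)
```

The three non-qualifying trails show the usual ways an account fails this control while still having CloudTrail "on": a trail that is single-Region, one that logs only management events, and one whose data-event selector is write-only. Removing `org-trail` from the sample flips the result to FAIL.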

Compliance

CIS v5.0.0, CIS v3.0.0, PCI DSS v4.0.1, PCI DSS v10.2.1